@@ -39,8 +39,10 @@ import org.sonar.db.DbClient; | |||
import org.sonar.db.DbSession; | |||
import org.sonar.db.ResultSetIterator; | |||
import org.sonar.server.security.SecurityStandards; | |||
import org.sonar.server.security.SecurityStandards.SQCategory; | |||
import static com.google.common.base.Preconditions.checkArgument; | |||
import static java.util.stream.Collectors.toList; | |||
import static org.sonar.api.utils.DateUtils.longToDate; | |||
import static org.sonar.db.DatabaseUtils.getLong; | |||
import static org.sonar.db.rule.RuleDefinitionDto.deserializeSecurityStandardsString; | |||
@@ -233,7 +235,7 @@ class IssueIteratorForSingleChunk implements IssueIterator { | |||
doc.setOwaspTop10(securityStandards.getOwaspTop10()); | |||
doc.setCwe(securityStandards.getCwe()); | |||
doc.setSansTop25(securityStandards.getSansTop25()); | |||
doc.setSonarSourceSecurityCategories(securityStandards.getSq()); | |||
doc.setSonarSourceSecurityCategories(securityStandards.getSq().stream().map(SQCategory::getKey).collect(toList())); | |||
return doc; | |||
} | |||
@@ -36,7 +36,9 @@ import org.sonar.db.rule.RuleForIndexingDto; | |||
import org.sonar.markdown.Markdown; | |||
import org.sonar.server.es.BaseDoc; | |||
import org.sonar.server.security.SecurityStandards; | |||
import org.sonar.server.security.SecurityStandards.SQCategory; | |||
import static java.util.stream.Collectors.toList; | |||
import static org.sonar.server.rule.index.RuleIndexDefinition.TYPE_RULE; | |||
@@ -280,7 +282,7 @@ public class RuleDoc extends BaseDoc { | |||
.setCwe(securityStandards.getCwe()) | |||
.setOwaspTop10(securityStandards.getOwaspTop10()) | |||
.setSansTop25(securityStandards.getSansTop25()) | |||
.setSonarSourceSecurityCategories(securityStandards.getSq()) | |||
.setSonarSourceSecurityCategories(securityStandards.getSq().stream().map(SQCategory::getKey).collect(toList())) | |||
.setName(dto.getName()) | |||
.setRuleKey(dto.getPluginRuleKey()) | |||
.setSeverity(dto.getSeverityAsString()) |
@@ -19,15 +19,16 @@ | |||
*/ | |||
package org.sonar.server.security; | |||
import com.google.common.collect.ImmutableList; | |||
import com.google.common.collect.ImmutableMap; | |||
import com.google.common.collect.ImmutableSet; | |||
import com.google.common.collect.Ordering; | |||
import java.util.Arrays; | |||
import java.util.Collection; | |||
import java.util.HashSet; | |||
import java.util.Map; | |||
import java.util.Objects; | |||
import java.util.Set; | |||
import java.util.stream.Collectors; | |||
import javax.annotation.concurrent.Immutable; | |||
import org.sonar.core.util.stream.MoreCollectors; | |||
@@ -53,39 +54,69 @@ public final class SecurityStandards { | |||
SANS_TOP_25_RISKY_RESOURCE, RISKY_CWE, | |||
SANS_TOP_25_POROUS_DEFENSES, POROUS_CWE); | |||
public static final Map<String, Set<String>> CWES_BY_SQ_CATEGORY = ImmutableMap.<String, Set<String>>builder() | |||
.put("sql-injection", ImmutableSet.of("89", "564")) | |||
.put("command-injection", ImmutableSet.of("77", "78", "88", "214")) | |||
.put("path-traversal-injection", ImmutableSet.of("22")) | |||
.put("ldap-injection", ImmutableSet.of("90")) | |||
.put("xpath-injection", ImmutableSet.of("643")) | |||
.put("rce", ImmutableSet.of("94", "95")) | |||
.put("dos", ImmutableSet.of("400", "624")) | |||
.put("ssrf", ImmutableSet.of("918")) | |||
.put("csrf", ImmutableSet.of("352")) | |||
.put("xss", ImmutableSet.of("79", "80", "81", "82", "83", "84", "85", "86", "87")) | |||
.put("log-injection", ImmutableSet.of("117")) | |||
.put("http-response-splitting", ImmutableSet.of("113")) | |||
.put("open-redirect", ImmutableSet.of("601")) | |||
.put("xxe", ImmutableSet.of("611", "827")) | |||
.put("object-injection", ImmutableSet.of("134", "470", "502")) | |||
.put("weak-cryptography", ImmutableSet.of("295", "297", "321", "322", "323", "324", "325", "326", "327", "328", "330", "780")) | |||
.put("auth", ImmutableSet.of("798", "640", "620", "549", "522", "521", "263", "262", "261", "259", "284")) | |||
.put("insecure-conf", ImmutableSet.of("102", "215", "311", "315", "346", "614", "489", "942")) | |||
.put("file-manipulation", ImmutableSet.of("97", "73")) | |||
public enum SQCategory { | |||
SQL_INJECTION("sql-injection"), | |||
COMMAND_INJECTION("command-injection"), | |||
PATH_TRAVERSAL_INJECTION("path-traversal-injection"), | |||
LDAP_INJECTION("ldap-injection"), | |||
XPATH_INJECT("xpath-injection"), | |||
RCE("rce"), | |||
DOS("dos"), | |||
SSRF("ssrf"), | |||
CSRF("csrf"), | |||
XSS("xss"), | |||
LOG_INJECTION("log-injection"), | |||
HTTP_RESPONSE_SPLITTING("http-response-splitting"), | |||
OPEN_REDIRECT("open-redirect"), | |||
XXE("xxe"), | |||
OBJECT_INJECTION("object-injection"), | |||
WEAK_CRYPTOGRAPHY("weak-cryptography"), | |||
AUTH("auth"), | |||
INSECURE_CONF("insecure-conf"), | |||
FILE_MANIPULATION("file-manipulation"), | |||
OTHERS("others"); | |||
private final String key; | |||
SQCategory(String key) { | |||
this.key = key; | |||
} | |||
public String getKey() { | |||
return key; | |||
} | |||
} | |||
public static final Map<SQCategory, Set<String>> CWES_BY_SQ_CATEGORY = ImmutableMap.<SQCategory, Set<String>>builder() | |||
.put(SQCategory.SQL_INJECTION, ImmutableSet.of("89", "564")) | |||
.put(SQCategory.COMMAND_INJECTION, ImmutableSet.of("77", "78", "88", "214")) | |||
.put(SQCategory.PATH_TRAVERSAL_INJECTION, ImmutableSet.of("22")) | |||
.put(SQCategory.LDAP_INJECTION, ImmutableSet.of("90")) | |||
.put(SQCategory.XPATH_INJECT, ImmutableSet.of("643")) | |||
.put(SQCategory.RCE, ImmutableSet.of("94", "95")) | |||
.put(SQCategory.DOS, ImmutableSet.of("400", "624")) | |||
.put(SQCategory.SSRF, ImmutableSet.of("918")) | |||
.put(SQCategory.CSRF, ImmutableSet.of("352")) | |||
.put(SQCategory.XSS, ImmutableSet.of("79", "80", "81", "82", "83", "84", "85", "86", "87")) | |||
.put(SQCategory.LOG_INJECTION, ImmutableSet.of("117")) | |||
.put(SQCategory.HTTP_RESPONSE_SPLITTING, ImmutableSet.of("113")) | |||
.put(SQCategory.OPEN_REDIRECT, ImmutableSet.of("601")) | |||
.put(SQCategory.XXE, ImmutableSet.of("611", "827")) | |||
.put(SQCategory.OBJECT_INJECTION, ImmutableSet.of("134", "470", "502")) | |||
.put(SQCategory.WEAK_CRYPTOGRAPHY, ImmutableSet.of("295", "297", "321", "322", "323", "324", "325", "326", "327", "328", "330", "780")) | |||
.put(SQCategory.AUTH, ImmutableSet.of("798", "640", "620", "549", "522", "521", "263", "262", "261", "259", "284")) | |||
.put(SQCategory.INSECURE_CONF, ImmutableSet.of("102", "215", "311", "315", "346", "614", "489", "942")) | |||
.put(SQCategory.FILE_MANIPULATION, ImmutableSet.of("97", "73")) | |||
.build(); | |||
public static final String SQ_OTHER_CATEGORY = "others"; | |||
public static final Set<String> SQ_CATEGORIES = ImmutableSet.<String>builder().addAll(CWES_BY_SQ_CATEGORY.keySet()).add(SQ_OTHER_CATEGORY).build(); | |||
public static final Ordering<String> SQ_CATEGORIES_ORDERING = Ordering.explicit( | |||
ImmutableList.<String>builder().addAll(CWES_BY_SQ_CATEGORY.keySet()).add(SQ_OTHER_CATEGORY).build()); | |||
public static final Ordering<String> SQ_CATEGORY_KEYS_ORDERING = Ordering.explicit(Arrays.stream(SQCategory.values()).map(SQCategory::getKey).collect(Collectors.toList())); | |||
private final Set<String> standards; | |||
private final Set<String> cwe; | |||
private final Set<String> owaspTop10; | |||
private final Set<String> sansTop25; | |||
private final Set<String> sq; | |||
private final Set<SQCategory> sq; | |||
private SecurityStandards(Set<String> standards, Set<String> cwe, Set<String> owaspTop10, Set<String> sansTop25, Set<String> sq) { | |||
private SecurityStandards(Set<String> standards, Set<String> cwe, Set<String> owaspTop10, Set<String> sansTop25, Set<SQCategory> sq) { | |||
this.standards = standards; | |||
this.cwe = cwe; | |||
this.owaspTop10 = owaspTop10; | |||
@@ -109,7 +140,7 @@ public final class SecurityStandards { | |||
return sansTop25; | |||
} | |||
public Set<String> getSq() { | |||
public Set<SQCategory> getSq() { | |||
return sq; | |||
} | |||
@@ -120,7 +151,7 @@ public final class SecurityStandards { | |||
Set<String> owaspTop10 = toOwaspTop10(standards); | |||
Set<String> cwe = toCwe(standards); | |||
Set<String> sansTop25 = toSansTop25(cwe); | |||
Set<String> sq = toSonarSourceSecurityCategories(cwe); | |||
Set<SQCategory> sq = toSQCategories(cwe); | |||
return new SecurityStandards(standards, cwe, owaspTop10, sansTop25, sq); | |||
} | |||
@@ -147,12 +178,12 @@ public final class SecurityStandards { | |||
.collect(MoreCollectors.toSet()); | |||
} | |||
private static Set<String> toSonarSourceSecurityCategories(Collection<String> cwe) { | |||
Set<String> result = CWES_BY_SQ_CATEGORY | |||
private static Set<SQCategory> toSQCategories(Collection<String> cwe) { | |||
Set<SQCategory> result = CWES_BY_SQ_CATEGORY | |||
.keySet() | |||
.stream() | |||
.filter(k -> cwe.stream().anyMatch(CWES_BY_SQ_CATEGORY.get(k)::contains)) | |||
.collect(MoreCollectors.toSet()); | |||
return result.isEmpty() ? singleton(SQ_OTHER_CATEGORY) : result; | |||
return result.isEmpty() ? singleton(SQCategory.OTHERS) : result; | |||
} | |||
} |
@@ -49,6 +49,7 @@ import org.sonar.server.es.ProjectIndexer; | |||
import org.sonar.server.permission.index.AuthorizationScope; | |||
import org.sonar.server.permission.index.IndexPermissions; | |||
import org.sonar.server.security.SecurityStandards; | |||
import org.sonar.server.security.SecurityStandards.SQCategory; | |||
import static java.util.Arrays.asList; | |||
import static java.util.Collections.emptyList; | |||
@@ -138,7 +139,7 @@ public class IssueIndexerTest { | |||
assertThat(doc.getCwe()).containsExactlyInAnyOrder(SecurityStandards.UNKNOWN_STANDARD); | |||
assertThat(doc.getOwaspTop10()).isEmpty(); | |||
assertThat(doc.getSansTop25()).isEmpty(); | |||
assertThat(doc.getSonarSourceSecurityCategories()).containsOnly(SecurityStandards.SQ_OTHER_CATEGORY); | |||
assertThat(doc.getSonarSourceSecurityCategories()).containsOnly(SQCategory.OTHERS.getKey()); | |||
} | |||
@Test |
@@ -22,6 +22,7 @@ package org.sonar.server.issue.index; | |||
import com.google.common.base.Preconditions; | |||
import com.google.common.collect.Maps; | |||
import java.util.ArrayList; | |||
import java.util.Arrays; | |||
import java.util.Collection; | |||
import java.util.Collections; | |||
import java.util.Date; | |||
@@ -83,6 +84,7 @@ import org.sonar.server.issue.index.IssueQuery.PeriodStart; | |||
import org.sonar.server.permission.index.AuthorizationDoc; | |||
import org.sonar.server.permission.index.WebAuthorizationTypeSupport; | |||
import org.sonar.server.security.SecurityStandards; | |||
import org.sonar.server.security.SecurityStandards.SQCategory; | |||
import org.sonar.server.user.UserSession; | |||
import org.sonar.server.view.index.ViewIndexDefinition; | |||
@@ -156,7 +158,6 @@ import static org.sonar.server.issue.index.IssueIndexDefinition.TYPE_ISSUE; | |||
import static org.sonar.server.security.SecurityStandards.SANS_TOP_25_INSECURE_INTERACTION; | |||
import static org.sonar.server.security.SecurityStandards.SANS_TOP_25_POROUS_DEFENSES; | |||
import static org.sonar.server.security.SecurityStandards.SANS_TOP_25_RISKY_RESOURCE; | |||
import static org.sonar.server.security.SecurityStandards.SQ_CATEGORIES; | |||
import static org.sonar.server.view.index.ViewIndexDefinition.TYPE_VIEW; | |||
import static org.sonarqube.ws.client.issue.IssuesWsParameters.DEPRECATED_PARAM_AUTHORS; | |||
import static org.sonarqube.ws.client.issue.IssuesWsParameters.FACET_MODE_EFFORT; | |||
@@ -873,31 +874,35 @@ public class IssueIndex { | |||
public List<SecurityStandardCategoryStatistics> getSansTop25Report(String projectUuid, boolean isViewOrApp, boolean includeCwe) { | |||
SearchRequestBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp); | |||
Stream.of(SANS_TOP_25_INSECURE_INTERACTION, SANS_TOP_25_RISKY_RESOURCE, SANS_TOP_25_POROUS_DEFENSES) | |||
.forEach(sansCategory -> request.addAggregation(createAggregation(FIELD_ISSUE_SANS_TOP_25, sansCategory, includeCwe, Optional.of(SecurityStandards.CWES_BY_SANS_TOP_25)))); | |||
.forEach(sansCategory -> request.addAggregation(newSecurityReportSubAggregations( | |||
AggregationBuilders.filter(sansCategory, boolQuery().filter(termQuery(FIELD_ISSUE_SANS_TOP_25, sansCategory))), | |||
includeCwe, | |||
Optional.ofNullable(SecurityStandards.CWES_BY_SANS_TOP_25.get(sansCategory))))); | |||
return processSecurityReportSearchResults(request, includeCwe); | |||
} | |||
public List<SecurityStandardCategoryStatistics> getSonarSourceReport(String projectUuid, boolean isViewOrApp, boolean includeCwe) { | |||
SearchRequestBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp); | |||
SQ_CATEGORIES.forEach(sonarsourceCategory -> request.addAggregation( | |||
createAggregation(FIELD_ISSUE_SONARSOURCE_SECURITY, sonarsourceCategory, includeCwe, Optional.of(SecurityStandards.CWES_BY_SQ_CATEGORY)))); | |||
Arrays.stream(SQCategory.values()) | |||
.forEach(sonarsourceCategory -> request.addAggregation( | |||
newSecurityReportSubAggregations( | |||
AggregationBuilders.filter(sonarsourceCategory.getKey(), boolQuery().filter(termQuery(FIELD_ISSUE_SONARSOURCE_SECURITY, sonarsourceCategory.getKey()))), | |||
includeCwe, | |||
Optional.ofNullable(SecurityStandards.CWES_BY_SQ_CATEGORY.get(sonarsourceCategory))))); | |||
return processSecurityReportSearchResults(request, includeCwe); | |||
} | |||
public List<SecurityStandardCategoryStatistics> getOwaspTop10Report(String projectUuid, boolean isViewOrApp, boolean includeCwe) { | |||
SearchRequestBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp); | |||
IntStream.rangeClosed(1, 10).mapToObj(i -> "a" + i) | |||
.forEach(owaspCategory -> request.addAggregation(createAggregation(FIELD_ISSUE_OWASP_TOP_10, owaspCategory, includeCwe, Optional.empty()))); | |||
.forEach(owaspCategory -> request.addAggregation( | |||
newSecurityReportSubAggregations( | |||
AggregationBuilders.filter(owaspCategory, boolQuery().filter(termQuery(FIELD_ISSUE_OWASP_TOP_10, owaspCategory))), | |||
includeCwe, | |||
Optional.empty()))); | |||
return processSecurityReportSearchResults(request, includeCwe); | |||
} | |||
private static AggregationBuilder createAggregation(String categoryField, String category, boolean includeCwe, Optional<Map<String, Set<String>>> categoryToCwesMap) { | |||
return addSecurityReportSubAggregations(AggregationBuilders | |||
.filter(category, boolQuery() | |||
.filter(termQuery(categoryField, category))), | |||
includeCwe, categoryToCwesMap.map(m -> m.get(category))); | |||
} | |||
private static List<SecurityStandardCategoryStatistics> processSecurityReportSearchResults(SearchRequestBuilder request, boolean includeCwe) { | |||
SearchResponse response = request.get(); | |||
return response.getAggregations().asList().stream() | |||
@@ -935,7 +940,7 @@ public class IssueIndex { | |||
reviewedSecurityHotspots, children); | |||
} | |||
private static AggregationBuilder addSecurityReportSubAggregations(AggregationBuilder categoriesAggs, boolean includeCwe, Optional<Set<String>> cwesInCategory) { | |||
private static AggregationBuilder newSecurityReportSubAggregations(AggregationBuilder categoriesAggs, boolean includeCwe, Optional<Set<String>> cwesInCategory) { | |||
AggregationBuilder aggregationBuilder = addSecurityReportIssueCountAggregations(categoriesAggs); | |||
if (includeCwe) { | |||
final TermsAggregationBuilder cwesAgg = AggregationBuilders.terms(AGG_CWES) | |||
@@ -945,8 +950,7 @@ public class IssueIndex { | |||
cwesInCategory.ifPresent(set -> { | |||
cwesAgg.includeExclude(new IncludeExclude(set.toArray(new String[0]), new String[0])); | |||
}); | |||
categoriesAggs | |||
.subAggregation(addSecurityReportIssueCountAggregations(cwesAgg)); | |||
categoriesAggs.subAggregation(addSecurityReportIssueCountAggregations(cwesAgg)); | |||
} | |||
return aggregationBuilder; | |||
} |
@@ -29,6 +29,7 @@ import java.util.List; | |||
import java.util.Map; | |||
import java.util.Optional; | |||
import java.util.Set; | |||
import java.util.stream.Collectors; | |||
import javax.annotation.Nullable; | |||
import org.elasticsearch.action.search.SearchResponse; | |||
import org.elasticsearch.search.SearchHit; | |||
@@ -54,7 +55,7 @@ import org.sonar.server.issue.SearchRequest; | |||
import org.sonar.server.issue.index.IssueIndex; | |||
import org.sonar.server.issue.index.IssueQuery; | |||
import org.sonar.server.issue.index.IssueQueryFactory; | |||
import org.sonar.server.security.SecurityStandards; | |||
import org.sonar.server.security.SecurityStandards.SQCategory; | |||
import org.sonar.server.user.UserSession; | |||
import org.sonarqube.ws.Issues.SearchWsResponse; | |||
@@ -88,7 +89,6 @@ import static org.sonar.server.issue.index.IssueQueryFactory.UNKNOWN; | |||
import static org.sonar.server.security.SecurityStandards.SANS_TOP_25_INSECURE_INTERACTION; | |||
import static org.sonar.server.security.SecurityStandards.SANS_TOP_25_POROUS_DEFENSES; | |||
import static org.sonar.server.security.SecurityStandards.SANS_TOP_25_RISKY_RESOURCE; | |||
import static org.sonar.server.security.SecurityStandards.SQ_OTHER_CATEGORY; | |||
import static org.sonar.server.security.SecurityStandards.UNKNOWN_STANDARD; | |||
import static org.sonar.server.ws.KeyExamples.KEY_BRANCH_EXAMPLE_001; | |||
import static org.sonar.server.ws.KeyExamples.KEY_PROJECT_EXAMPLE_001; | |||
@@ -273,10 +273,10 @@ public class SearchAction implements IssuesWsAction, Startable { | |||
.setDescription("Comma-separated list of CWE identifiers. Use '" + UNKNOWN_STANDARD + "' to select issues not associated to any CWE.") | |||
.setExampleValue("12,125," + UNKNOWN_STANDARD); | |||
action.createParam(PARAM_SONARSOURCE_SECURITY) | |||
.setDescription("Comma-separated list of SonarSource security categories. Use '" + SQ_OTHER_CATEGORY + "' to select issues not associated" + | |||
.setDescription("Comma-separated list of SonarSource security categories. Use '" + SQCategory.OTHERS.getKey() + "' to select issues not associated" + | |||
" with any category") | |||
.setSince("7.8") | |||
.setPossibleValues(SecurityStandards.SQ_CATEGORIES); | |||
.setPossibleValues(Arrays.stream(SQCategory.values()).map(SQCategory::getKey).collect(Collectors.toList())); | |||
action.createParam(DEPRECATED_PARAM_AUTHORS) | |||
.setDeprecatedSince("7.7") | |||
.setDescription("This parameter is deprecated, please use '%s' instead", PARAM_AUTHOR) |
@@ -19,11 +19,13 @@ | |||
*/ | |||
package org.sonar.server.rule.ws; | |||
import java.util.Arrays; | |||
import java.util.List; | |||
import java.util.Map; | |||
import java.util.Objects; | |||
import java.util.Optional; | |||
import java.util.Set; | |||
import java.util.stream.Collectors; | |||
import javax.annotation.Nullable; | |||
import org.sonar.api.rule.RuleStatus; | |||
import org.sonar.api.rule.Severity; | |||
@@ -39,6 +41,7 @@ import org.sonar.server.organization.DefaultOrganizationProvider; | |||
import org.sonar.server.qualityprofile.ActiveRuleInheritance; | |||
import org.sonar.server.rule.index.RuleIndexDefinition; | |||
import org.sonar.server.security.SecurityStandards; | |||
import org.sonar.server.security.SecurityStandards.SQCategory; | |||
import org.sonar.server.user.UserSession; | |||
import static org.sonar.api.server.ws.WebService.Param.ASCENDING; | |||
@@ -72,7 +75,6 @@ import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_STATUSES; | |||
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TAGS; | |||
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TEMPLATE_KEY; | |||
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TYPES; | |||
import static org.sonar.server.security.SecurityStandards.SQ_OTHER_CATEGORY; | |||
@ServerSide | |||
public class RuleWsSupport { | |||
@@ -153,10 +155,10 @@ public class RuleWsSupport { | |||
action | |||
.createParam(PARAM_SONARSOURCE_SECURITY) | |||
.setDescription("Comma-separated list of SonarSource security categories. Use '" + SQ_OTHER_CATEGORY + "' to select rules not associated" + | |||
.setDescription("Comma-separated list of SonarSource security categories. Use '" + SQCategory.OTHERS.getKey() + "' to select rules not associated" + | |||
" with any category") | |||
.setSince("7.8") | |||
.setPossibleValues(SecurityStandards.SQ_CATEGORIES) | |||
.setPossibleValues(Arrays.stream(SQCategory.values()).map(SQCategory::getKey).collect(Collectors.toList())) | |||
.setExampleValue("sql-injection,command-injection,others"); | |||
action |