
SONAR-12023 Remove "Not OWASP" CWE mapping, and move all unmapped CWEs to "Others" (SonarSource Security)

tags/8.0
Michal Duda 5 years ago
parent
commit
87e7d062dd
16 changed files with 49 additions and 915 deletions
  1. 8
    3
      server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandardHelper.java
  2. 3
    1
      server/sonar-server-common/src/test/java/org/sonar/server/issue/index/IssueIndexerTest.java
  3. 5
    5
      server/sonar-server/src/main/java/org/sonar/server/issue/index/IssueIndex.java
  4. 6
    4
      server/sonar-server/src/main/java/org/sonar/server/issue/ws/SearchAction.java
  5. 12
    9
      server/sonar-server/src/main/java/org/sonar/server/rule/ws/RuleWsSupport.java
  6. 1
    2
      server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
  7. 0
    114
      server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/empty.json
  8. 0
    115
      server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/owaspNoCwe.json
  9. 0
    46
      server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sansWithCwe.json
  10. 0
    205
      server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityNoCwe.json
  11. 0
    174
      server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityOnApplication.json
  12. 0
    216
      server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityWithCwe.json
  13. 10
    7
      server/sonar-web/src/main/js/apps/issues/sidebar/__tests__/StandardFacet-test.tsx
  14. 0
    7
      server/sonar-web/src/main/js/helpers/__tests__/security-standard-test.ts
  15. 4
    4
      server/sonar-web/src/main/js/helpers/security-standard.ts
  16. 0
    3
      server/sonar-web/src/main/js/helpers/standards.json

+ 8
- 3
server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandardHelper.java View File

@@ -20,8 +20,10 @@
package org.sonar.server.security;

import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Ordering;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
@@ -74,6 +76,9 @@ public class SecurityStandardHelper {
.put("insecure-conf", ImmutableSet.of("102", "489"))
.put("file-manipulation", ImmutableSet.of("97", "73"))
.build();
public static final String SONARSOURCE_OTHER_CWES_CATEGORY = "others";
public static final Ordering<String> SONARSOURCE_CATEGORY_ORDERING = Ordering.explicit(
ImmutableList.<String>builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build());

private static final Splitter SECURITY_STANDARDS_SPLITTER = Splitter.on(',').trimResults().omitEmptyStrings();

@@ -94,19 +99,19 @@ public class SecurityStandardHelper {
}

public static List<String> getSonarSourceSecurityCategories(Collection<String> cwe) {
return SONARSOURCE_CWE_MAPPING
List<String> result = SONARSOURCE_CWE_MAPPING
.keySet()
.stream()
.filter(k -> cwe.stream().anyMatch(SONARSOURCE_CWE_MAPPING.get(k)::contains))
.collect(toList());
return result.isEmpty() ? singletonList(SONARSOURCE_OTHER_CWES_CATEGORY) : result;
}

public static List<String> getOwaspTop10(Collection<String> securityStandards) {
List<String> result = securityStandards.stream()
return securityStandards.stream()
.filter(s -> s.startsWith(OWASP_TOP10_PREFIX))
.map(s -> s.substring(OWASP_TOP10_PREFIX.length()))
.collect(toList());
return result.isEmpty() ? singletonList(UNKNOWN_STANDARD) : result;
}

public static List<String> getCwe(Collection<String> securityStandards) {
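Review bot: `SONARSOURCE_CATEGORY_ORDERING` is built with `Ordering.explicit`, which rejects duplicate elements with an `IllegalArgumentException`, so the class would fail to initialise if a mapping key named `others` were ever added to `SONARSOURCE_CWE_MAPPING`; a comment on the new constant should state the invariant, e.g. `// Must never be a key of SONARSOURCE_CWE_MAPPING: appended to the explicit ordering and used as the catch-all category.` The helpers below also now disagree on how "no mapping" is reported: `getSonarSourceSecurityCategories` never returns an empty list (it yields `others`), `getOwaspTop10` now returns an empty list, and `getCwe` still yields `UNKNOWN_STANDARD`, so a one-line Javadoc on each stating its fallback would keep callers from encoding the wrong assumption. `getCwe` begins on the last line of the hunk and its body is outside it.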

+ 3
- 1
server/sonar-server-common/src/test/java/org/sonar/server/issue/index/IssueIndexerTest.java View File

@@ -58,6 +58,7 @@ import static org.sonar.db.component.ComponentTesting.newFileDto;
import static org.sonar.server.issue.IssueDocTesting.newDoc;
import static org.sonar.server.issue.index.IssueIndexDefinition.TYPE_ISSUE;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.permission.index.IndexAuthorizationConstants.TYPE_AUTHORIZATION;

@@ -136,8 +137,9 @@ public class IssueIndexerTest {
// functional date
assertThat(doc.updateDate()).isEqualToIgnoringMillis(new Date(issue.getIssueUpdateTime()));
assertThat(doc.getCwe()).containsExactlyInAnyOrder(UNKNOWN_STANDARD);
assertThat(doc.getOwaspTop10()).containsExactlyInAnyOrder(UNKNOWN_STANDARD);
assertThat(doc.getOwaspTop10()).isEmpty();
assertThat(doc.getSansTop25()).isEmpty();
assertThat(doc.getSonarSourceSecurityCategories()).containsExactlyInAnyOrder(SONARSOURCE_OTHER_CWES_CATEGORY);
}

@Test
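Review bot: The updated assertions only cover an issue with no security standards at all (its CWE facet is `UNKNOWN_STANDARD`), so the new `others` fallback for an issue whose CWEs are present but absent from `SONARSOURCE_CWE_MAPPING` is not exercised here, as far as this hunk shows. A sibling test that indexes such an issue and asserts `getSonarSourceSecurityCategories()` contains exactly `SONARSOURCE_OTHER_CWES_CATEGORY` while `getCwe()` contains the CWE would pin that path. The enclosing test method starts outside the hunk.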

+ 5
- 5
server/sonar-server/src/main/java/org/sonar/server/issue/index/IssueIndex.java View File

@@ -157,7 +157,7 @@ import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_INSEC
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
import static org.sonar.server.view.index.ViewIndexDefinition.TYPE_VIEW;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.DEPRECATED_PARAM_AUTHORS;
import static org.sonarqube.ws.client.issue.IssuesWsParameters.FACET_MODE_EFFORT;
@@ -880,15 +880,15 @@ public class IssueIndex {

public List<SecurityStandardCategoryStatistics> getSonarSourceReport(String projectUuid, boolean isViewOrApp, boolean includeCwe) {
SearchRequestBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
SONARSOURCE_CWE_MAPPING.keySet()
.forEach(
sonarsourceCategory -> request.addAggregation(createAggregation(FIELD_ISSUE_SONARSOURCE_SECURITY, sonarsourceCategory, includeCwe, Optional.of(SONARSOURCE_CWE_MAPPING))));
Stream.concat(SONARSOURCE_CWE_MAPPING.keySet().stream(), Stream.of(SONARSOURCE_OTHER_CWES_CATEGORY))
.forEach(sonarsourceCategory -> request.addAggregation(
createAggregation(FIELD_ISSUE_SONARSOURCE_SECURITY, sonarsourceCategory, includeCwe, Optional.of(SONARSOURCE_CWE_MAPPING))));
return processSecurityReportSearchResults(request, includeCwe);
}

public List<SecurityStandardCategoryStatistics> getOwaspTop10Report(String projectUuid, boolean isViewOrApp, boolean includeCwe) {
SearchRequestBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
Stream.concat(IntStream.rangeClosed(1, 10).mapToObj(i -> "a" + i), Stream.of(UNKNOWN_STANDARD))
IntStream.rangeClosed(1, 10).mapToObj(i -> "a" + i)
.forEach(owaspCategory -> request.addAggregation(createAggregation(FIELD_ISSUE_OWASP_TOP_10, owaspCategory, includeCwe, Optional.empty())));
return processSecurityReportSearchResults(request, includeCwe);
}
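Review bot: `getSonarSourceReport` now requests an aggregation for `SONARSOURCE_OTHER_CWES_CATEGORY` while still passing `Optional.of(SONARSOURCE_CWE_MAPPING)`, but `others` is not a key of that map; if `createAggregation` resolves the per-category CWE set by looking the category up in the supplied map (its body is outside this hunk), the `others` bucket would get a null set or an empty CWE sub-aggregation when `includeCwe` is true. Either pass `Optional.empty()` for that category or make the helper treat an absent key as "CWEs not in any mapped category", and add a report test that an unmapped-CWE vulnerability lands under `others` with its CWE distribution. In `getOwaspTop10Report` the `unknown` bucket is dropped, so issues without an OWASP category no longer appear in that report; that deserves a Javadoc line on the method, since the report's per-category totals may no longer add up to the project's vulnerability count.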

+ 6
- 4
server/sonar-server/src/main/java/org/sonar/server/issue/ws/SearchAction.java View File

@@ -88,6 +88,7 @@ import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_INSEC
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_POROUS_DEFENSES;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_RISKY_RESOURCE;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.ws.KeyExamples.KEY_BRANCH_EXAMPLE_001;
import static org.sonar.server.ws.KeyExamples.KEY_PROJECT_EXAMPLE_001;
@@ -260,9 +261,9 @@ public class SearchAction implements IssuesWsAction, Startable {
.setPossibleValues((Object[]) RuleType.values())
.setExampleValue(format("%s,%s", RuleType.CODE_SMELL, RuleType.BUG));
action.createParam(PARAM_OWASP_TOP_10)
.setDescription("Comma-separated list of OWASP Top 10 lowercase categories. Use '" + UNKNOWN_STANDARD + "' to select issues not associated to any OWASP Top 10 category.")
.setDescription("Comma-separated list of OWASP Top 10 lowercase categories.")
.setSince("7.3")
.setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10", UNKNOWN_STANDARD);
.setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10");
action.createParam(PARAM_SANS_TOP_25)
.setDescription("Comma-separated list of SANS Top 25 categories.")
.setSince("7.3")
@@ -271,9 +272,10 @@ public class SearchAction implements IssuesWsAction, Startable {
.setDescription("Comma-separated list of CWE identifiers. Use '" + UNKNOWN_STANDARD + "' to select issues not associated to any CWE.")
.setExampleValue("12,125," + UNKNOWN_STANDARD);
action.createParam(PARAM_SONARSOURCE_SECURITY)
.setDescription("Comma-separated list of SonarSource security categories.")
.setDescription("Comma-separated list of SonarSource security categories. Use '" + SONARSOURCE_OTHER_CWES_CATEGORY + "' to select issues not associated" +
" with any category")
.setSince("7.8")
.setPossibleValues(SONARSOURCE_CWE_MAPPING.keySet());
.setPossibleValues(ImmutableList.builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build());
action.createParam(DEPRECATED_PARAM_AUTHORS)
.setDeprecatedSince("7.7")
.setDescription("This parameter is deprecated, please use '%s' instead", PARAM_AUTHOR)
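Review bot: The possible-values list `ImmutableList.builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build()` is now spelled out here, again in `RuleWsSupport`, and a third time as a `Stream.concat` in `IssueIndex.getSonarSourceReport`, while `SecurityStandardHelper` already builds the same list inline to feed `SONARSOURCE_CATEGORY_ORDERING`; exposing it once there, e.g. `public static final List<String> SONARSOURCE_CATEGORIES = ImmutableList.<String>builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build();`, keeps parameter validation, the facet and the report from drifting apart. As written the builder here is raw (`ImmutableList.builder()` infers `ImmutableList<Object>`), whereas the helper uses the `<String>` witness. The new description also drops the trailing period that the OWASP and SANS descriptions above keep. The enclosing `define` method starts and ends outside the hunk.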

+ 12
- 9
server/sonar-server/src/main/java/org/sonar/server/rule/ws/RuleWsSupport.java View File

@@ -19,6 +19,7 @@
*/
package org.sonar.server.rule.ws;

import com.google.common.collect.ImmutableList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
@@ -35,7 +36,6 @@ import org.sonar.db.DbSession;
import org.sonar.db.organization.OrganizationDto;
import org.sonar.db.rule.RuleDto;
import org.sonar.db.user.UserDto;
import org.sonar.server.security.SecurityStandardHelper;
import org.sonar.server.organization.DefaultOrganizationProvider;
import org.sonar.server.qualityprofile.ActiveRuleInheritance;
import org.sonar.server.rule.index.RuleIndexDefinition;
@@ -50,8 +50,6 @@ import static org.sonar.core.util.stream.MoreCollectors.toSet;
import static org.sonar.core.util.stream.MoreCollectors.uniqueIndex;
import static org.sonar.db.organization.OrganizationDto.Subscription.PAID;
import static org.sonar.db.permission.OrganizationPermission.ADMINISTER_QUALITY_PROFILES;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_CWE_MAPPING;
import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVATION;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_ACTIVE_SEVERITIES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_AVAILABLE_SINCE;
@@ -73,6 +71,10 @@ import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_STATUSES;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TAGS;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TEMPLATE_KEY;
import static org.sonar.server.rule.ws.RulesWsParameters.PARAM_TYPES;
import static org.sonar.server.security.SecurityStandardHelper.SANS_TOP_25_CWE_MAPPING;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_CWE_MAPPING;
import static org.sonar.server.security.SecurityStandardHelper.SONARSOURCE_OTHER_CWES_CATEGORY;
import static org.sonar.server.security.SecurityStandardHelper.UNKNOWN_STANDARD;
import static org.sonar.server.ws.WsUtils.checkFoundWithOptional;

@ServerSide
@@ -143,10 +145,9 @@ public class RuleWsSupport {
.setExampleValue("12,125," + UNKNOWN_STANDARD);

action.createParam(PARAM_OWASP_TOP_10)
.setDescription("Comma-separated list of OWASP Top 10 lowercase categories. Use '" + UNKNOWN_STANDARD + "' to select rules not associated to any OWASP " +
"Top 10 category.")
.setDescription("Comma-separated list of OWASP Top 10 lowercase categories.")
.setSince("7.3")
.setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10", UNKNOWN_STANDARD);
.setPossibleValues("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "a10");

action.createParam(PARAM_SANS_TOP_25)
.setDescription("Comma-separated list of SANS Top 25 categories.")
@@ -155,9 +156,11 @@ public class RuleWsSupport {

action
.createParam(PARAM_SONARSOURCE_SECURITY)
.setDescription("Comma-separated list of SonarSource report categories.")
.setPossibleValues(SecurityStandardHelper.SONARSOURCE_CWE_MAPPING.keySet())
.setExampleValue("sql-injection,command-injection");
.setDescription("Comma-separated list of SonarSource security categories. Use '" + SONARSOURCE_OTHER_CWES_CATEGORY + "' to select rules not associated" +
" with any category")
.setSince("7.8")
.setPossibleValues(ImmutableList.builder().addAll(SONARSOURCE_CWE_MAPPING.keySet()).add(SONARSOURCE_OTHER_CWES_CATEGORY).build())
.setExampleValue("sql-injection,command-injection,others");

action
.createParam(PARAM_LANGUAGES)
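Review bot: `.setExampleValue("sql-injection,command-injection,others")` hard-codes the catch-all name that the line above takes from `SONARSOURCE_OTHER_CWES_CATEGORY`; build it from the constant, `.setExampleValue("sql-injection,command-injection," + SONARSOURCE_OTHER_CWES_CATEGORY)`, as the CWE parameter earlier in this method already does with `UNKNOWN_STANDARD`, so a rename of the constant cannot leave the documented example invalid. The enclosing method starts and ends outside the hunk.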

+ 1
- 2
server/sonar-server/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java View File

@@ -218,8 +218,7 @@ public class IssueIndexSecurityReportsTest {
tuple("a7", 0L, OptionalInt.empty(), 0L, 0L, 0L),
tuple("a8", 0L, OptionalInt.empty(), 0L, 0L, 1L /* reviewedHotspot */),
tuple("a9", 0L, OptionalInt.empty(), 0L, 0L, 0L),
tuple("a10", 0L, OptionalInt.empty(), 0L, 0L, 0L),
tuple("unknown", 1L /* notowaspvul */, OptionalInt.of(4) /* CRITICAL = D */, 1L /* notowasphotspot */, 0L, 0L));
tuple("a10", 0L, OptionalInt.empty(), 0L, 0L, 0L));
return owaspTop10Report;
}
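Review bot: Dropping the `unknown` tuple only asserts that the OWASP report no longer lists the `notowaspvul` and `notowasphotspot` fixtures; nothing in this hunk checks where they are counted now. If those fixtures remain in the test setup (outside the hunk), the SonarSource-report test in this class should assert they appear under `others`, otherwise a regression that silently drops them from every report would still pass. The enclosing test method starts outside the hunk.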


+ 0
- 114
server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/empty.json View File

@@ -1,114 +0,0 @@
{
"categories": [
{
"category": "a1",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "a2",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "a3",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 1
},
{
"category": "a4",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a5",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a6",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a7",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a8",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a9",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a10",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "unknown",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 2
}
]
}

+ 0
- 115
server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/owaspNoCwe.json View File

@@ -1,115 +0,0 @@
{
"categories": [
{
"category": "a1",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "a2",
"vulnerabilities": 1,
"vulnerabilityRating": 3,
"inReviewSecurityHotspots": 1,
"toReviewSecurityHotspots": 1,
"reviewedSecurityHotspots": 1,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "a3",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 1
},
{
"category": "a4",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a5",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a6",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a7",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a8",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a9",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "a10",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "unknown",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 2
}
]
}

+ 0
- 46
server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sansWithCwe.json View File

@@ -1,46 +0,0 @@
{
"categories": [
{
"category": "porous-defenses",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 1
},
{
"category": "risky-resource",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "insecure-interaction",
"vulnerabilities": 1,
"vulnerabilityRating": 3,
"inReviewSecurityHotspots": 1,
"toReviewSecurityHotspots": 1,
"reviewedSecurityHotspots": 0,
"distribution": [
{
"cwe": "89",
"vulnerabilities": 1,
"vulnerabilityRating": 3,
"inReviewSecurityHotspots": 1,
"toReviewSecurityHotspots": 1,
"reviewedSecurityHotspots": 0,
"activeRules": 1,
"totalRules": 1
}
],
"activeRules": 2,
"totalRules": 2
}
]
}

+ 0
- 205
server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityNoCwe.json View File

@@ -1,205 +0,0 @@
{
"categories": [
{
"category": "ldap-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "object-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "ssrf",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "insecure-conf",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "xxe",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "auth",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "xpath-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "weak-cryptography",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "dos",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "open-redirect",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "log-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "csrf",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "sql-injection",
"vulnerabilities": 1,
"vulnerabilityRating": 3,
"inReviewSecurityHotspots": 1,
"toReviewSecurityHotspots": 1,
"reviewedSecurityHotspots": 1,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "file-manipulation",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "expression-lang-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "rce",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "xss",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "path-traversal-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "command-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "http-response-splitting",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
}
]
}

+ 0
- 174
server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityOnApplication.json View File

@@ -1,174 +0,0 @@
{
"categories": [
{
"category": "ldap-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "object-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "ssrf",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "insecure-conf",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "xxe",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "auth",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "xpath-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "weak-cryptography",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "dos",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "open-redirect",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "log-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "csrf",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "sql-injection",
"vulnerabilities": 1,
"vulnerabilityRating": 3,
"inReviewSecurityHotspots": 1,
"toReviewSecurityHotspots": 1,
"reviewedSecurityHotspots": 1,
"distribution": [
{
"cwe": "89",
"vulnerabilities": 1,
"vulnerabilityRating": 3,
"inReviewSecurityHotspots": 1,
"toReviewSecurityHotspots": 1,
"reviewedSecurityHotspots": 1
}
]
},
{
"category": "file-manipulation",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "expression-lang-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "rce",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "xss",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "path-traversal-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "command-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
},
{
"category": "http-response-splitting",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": []
}
]
}

+ 0
- 216
server/sonar-server/src/test/resources/com/sonar/governance/securityreport/ws/ShowActionTest/sonarsourceSecurityWithCwe.json View File

@@ -1,216 +0,0 @@
{
"categories": [
{
"category": "ldap-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "object-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "ssrf",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "insecure-conf",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "xxe",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "auth",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "xpath-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "weak-cryptography",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "dos",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "open-redirect",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "log-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "csrf",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "sql-injection",
"vulnerabilities": 1,
"vulnerabilityRating": 3,
"inReviewSecurityHotspots": 1,
"toReviewSecurityHotspots": 1,
"reviewedSecurityHotspots": 1,
"distribution": [
{
"cwe": "89",
"vulnerabilities": 1,
"vulnerabilityRating": 3,
"inReviewSecurityHotspots": 1,
"toReviewSecurityHotspots": 1,
"reviewedSecurityHotspots": 1,
"activeRules": 1,
"totalRules": 1
}
],
"activeRules": 1,
"totalRules": 1
},
{
"category": "file-manipulation",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "expression-lang-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "rce",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "xss",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
},
{
"category": "path-traversal-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "command-injection",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 1,
"totalRules": 1
},
{
"category": "http-response-splitting",
"vulnerabilities": 0,
"inReviewSecurityHotspots": 0,
"toReviewSecurityHotspots": 0,
"reviewedSecurityHotspots": 0,
"distribution": [],
"activeRules": 0,
"totalRules": 0
}
]
}

+ 10
- 7
server/sonar-web/src/main/js/apps/issues/sidebar/__tests__/StandardFacet-test.tsx View File

@@ -160,25 +160,25 @@ it('should toggle sub-facets', () => {
it('should display correct selection', () => {
const wrapper = shallowRender({
open: true,
owaspTop10: ['a1', 'a3', 'unknown'],
owaspTop10: ['a1', 'a3'],
sansTop25: ['risky-resource', 'foo'],
cwe: ['42', '1111', 'unknown'],
sonarsourceSecurity: ['sql-injection']
sonarsourceSecurity: ['sql-injection', 'others']
});
checkValues('standards', [
'SONAR SQL Injection',
'Others',
'OWASP A1 - a1 title',
'OWASP A3',
'Not OWAPS',
'SANS Risky Resource Management',
'SANS foo',
'CWE-42 - cwe-42 title',
'CWE-1111',
'Unknown CWE'
]);
checkValues('owaspTop10', ['A1 - a1 title', 'A3', 'Not OWAPS']);
checkValues('owaspTop10', ['A1 - a1 title', 'A3']);
checkValues('sansTop25', ['Risky Resource Management', 'foo']);
checkValues('sonarsourceSecurity', ['SQL Injection']);
checkValues('sonarsourceSecurity', ['SQL Injection', 'Others']);

function checkValues(property: string, values: string[]) {
expect(
@@ -219,10 +219,13 @@ function shallowRender(props: Partial<StandardFacet['props']> = {}) {
);
wrapper.setState({
standards: {
owaspTop10: { a1: { title: 'a1 title' }, unknown: { title: 'Not OWAPS' } },
owaspTop10: { a1: { title: 'a1 title' } },
sansTop25: { 'risky-resource': { title: 'Risky Resource Management' } },
cwe: { 42: { title: 'cwe-42 title' }, unknown: { title: 'Unknown CWE' } },
sonarsourceSecurity: { 'sql-injection': { title: 'SQL Injection' } }
sonarsourceSecurity: {
'sql-injection': { title: 'SQL Injection' },
others: { title: 'Others' }
}
}
});
return wrapper;

+ 0
- 7
server/sonar-web/src/main/js/helpers/__tests__/security-standard-test.ts View File

@@ -53,9 +53,6 @@ describe('renderOwaspTop10Category', () => {
owaspTop10: {
a1: {
title: 'Injection'
},
unknown: {
title: 'Not OWASP'
}
},
sansTop25: {},
@@ -66,8 +63,6 @@ describe('renderOwaspTop10Category', () => {
expect(renderOwaspTop10Category(standards, 'a1', true)).toEqual('OWASP A1 - Injection');
expect(renderOwaspTop10Category(standards, 'a2')).toEqual('A2');
expect(renderOwaspTop10Category(standards, 'a2', true)).toEqual('OWASP A2');
expect(renderOwaspTop10Category(standards, 'unknown')).toEqual('Not OWASP');
expect(renderOwaspTop10Category(standards, 'unknown', true)).toEqual('Not OWASP');
});
});

@@ -115,8 +110,6 @@ describe('renderSonarSourceSecurityCategory', () => {
expect(renderSonarSourceSecurityCategory(standards, 'xss', true)).toEqual(
'SONAR Cross-Site Scripting (XSS)'
);
expect(renderSonarSourceSecurityCategory(standards, 'unknown')).toEqual('unknown');
expect(renderSonarSourceSecurityCategory(standards, 'unknown', true)).toEqual('SONAR unknown');
expect(renderSonarSourceSecurityCategory(standards, 'others')).toEqual('Others');
expect(renderSonarSourceSecurityCategory(standards, 'others', true)).toEqual('Others');
});

+ 4
- 4
server/sonar-web/src/main/js/helpers/security-standard.ts View File

@@ -40,8 +40,6 @@ export function renderOwaspTop10Category(
const record = standards.owaspTop10[category];
if (!record) {
return addPrefix(category.toUpperCase(), 'OWASP', withPrefix);
} else if (category === 'unknown') {
return record.title;
} else {
return addPrefix(`${category.toUpperCase()} - ${record.title}`, 'OWASP', withPrefix);
}
@@ -62,10 +60,12 @@ export function renderSonarSourceSecurityCategory(
withPrefix = false
): string {
const record = standards.sonarsourceSecurity[category];
if (category === 'others') {
if (!record) {
return addPrefix(category.toUpperCase(), 'SONAR', withPrefix);
} else if (category === 'others') {
return record.title;
} else {
return addPrefix(record ? record.title : category, 'SONAR', withPrefix);
return addPrefix(record.title, 'SONAR', withPrefix);
}
}
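Review bot: The `if (!record)` fallback added at the top of `renderSonarSourceSecurityCategory` renders an unmapped key as `SONAR ` + `category.toUpperCase()` (e.g. `SONAR FOO-BAR`), whereas the removed `addPrefix(record ? record.title : category, ...)` returned the key verbatim (`SONAR unknown`, per the assertion deleted in security-standard-test.ts); that assertion is dropped rather than replaced, so the new fallback path is untested. Upper-casing fits the OWASP helper, whose keys are `a1`…`a10`, but SonarSource keys are lower-case slugs, so every category missing from standards.json now gets a different label. Either keep `return addPrefix(category, 'SONAR', withPrefix);` in that branch, or pin the new behaviour with `expect(renderSonarSourceSecurityCategory(standards, 'foo', true)).toEqual('SONAR FOO');`. Note also that `others` is rendered without the prefix only when `standards.sonarsourceSecurity.others` exists; if that entry is absent the key falls into the first branch and renders as `SONAR OTHERS` — presumably standards.json carries it, but the hunk shown here does not include that part of the file. Both functions' signatures start above the hunks shown.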


+ 0
- 3
server/sonar-web/src/main/js/helpers/standards.json View File

@@ -49,9 +49,6 @@
"title": "Insufficient Logging & Monitoring",
"description":
"Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring."
},
"unknown": {
"title": "Not OWASP"
}
},
"sansTop25": {
