diff options
author | Léo Geoffroy <leo.geoffroy@sonarsource.com> | 2024-07-24 16:35:54 +0200 |
---|---|---|
committer | sonartech <sonartech@sonarsource.com> | 2024-07-26 20:02:47 +0000 |
commit | ca303d9b3ff58d12e14cabfbb58731f74b274663 (patch) | |
tree | e51cf492024f58be9cc441ca1bfbf955729245ec | |
parent | ebb080570d77aa6a8dbc0bd360a730e7015342ba (diff) | |
download | sonarqube-ca303d9b3ff58d12e14cabfbb58731f74b274663.tar.gz sonarqube-ca303d9b3ff58d12e14cabfbb58731f74b274663.zip |
SONAR-22543 Add CASA security report
5 files changed, 136 insertions, 33 deletions
diff --git a/plugins/sonar-xoo-plugin/src/main/java/org/sonar/xoo/rule/XooRulesDefinition.java b/plugins/sonar-xoo-plugin/src/main/java/org/sonar/xoo/rule/XooRulesDefinition.java index c02e8f42e99..39265fcbdcd 100644 --- a/plugins/sonar-xoo-plugin/src/main/java/org/sonar/xoo/rule/XooRulesDefinition.java +++ b/plugins/sonar-xoo-plugin/src/main/java/org/sonar/xoo/rule/XooRulesDefinition.java @@ -366,6 +366,7 @@ public class XooRulesDefinition implements RulesDefinition { break; case "pciDss-4.0": rule.addPciDss(PciDssVersion.V4_0, splitStandard[1]); + break; default: throw new IllegalArgumentException("Unknown standard: " + standard); } diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java index d13219e433e..7a4484d233e 100644 --- a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java +++ b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java @@ -125,7 +125,7 @@ public class IssueIndexDefinition implements IndexDefinition { private IssueIndexDefinition(Configuration config, boolean enableSource) { this.config = config; - this.enableSource = true; + this.enableSource = enableSource; } /** diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java b/server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java index fa0c0e485f7..e863b3059f5 100644 --- a/server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java +++ b/server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java @@ -82,19 +82,19 @@ public class SearchRequestTest { assertThat(underTest.getSort()).isEqualTo("CREATION_DATE"); assertThat(underTest.getAsc()).isTrue(); assertThat(underTest.getInNewCodePeriod()).isTrue(); - assertOwasp(underTest); - assertThat(underTest.getStigAsdV5R3()).containsExactly("V-222400", "V-222401"); - assertThat(underTest.getStigAsdV5R3()).containsExactly("V-222400", "V-222401"); - assertThat(underTest.getPciDss32()).containsExactly("1", "4"); - assertThat(underTest.getPciDss40()).containsExactly("3", "5"); + assertSecurityStandards(underTest); assertThat(underTest.getCodeVariants()).containsExactly("variant1", "variant2"); assertCleanCodeInformation(underTest); } - private static void assertOwasp(SearchRequest underTest) { + private static void assertSecurityStandards(SearchRequest underTest) { assertThat(underTest.getOwaspTop10For2021()).containsExactly("a2", "a3"); assertThat(underTest.getOwaspAsvs40()).containsExactly("1.1.1", "4.2.2"); assertThat(underTest.getOwaspAsvsLevel()).isEqualTo(2); + assertThat(underTest.getStigAsdV5R3()).containsExactly("V-222400", "V-222401"); + assertThat(underTest.getCasa()).containsExactly("1.4.1", "6.4.2"); + assertThat(underTest.getPciDss32()).containsExactly("1", "4"); + assertThat(underTest.getPciDss40()).containsExactly("3", "5"); } private static void assertCleanCodeInformation(SearchRequest underTest) { diff --git a/server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java b/server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java index 8ce28b2d237..6b0d2b1b10a 100644 --- a/server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java +++ b/server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java @@ -1329,7 +1329,7 @@ public class IssueIndex { return search(request, includeCwe, version.label()); } - public List<SecurityStandardCategoryStatistics> getStig(String projectUuid, boolean isViewOrApp, RulesDefinition.StigVersion stigVersion) { + public List<SecurityStandardCategoryStatistics> getStigReport(String projectUuid, boolean isViewOrApp, RulesDefinition.StigVersion stigVersion) { SearchSourceBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp); Arrays.stream(StigSupportedRequirement.values()) .forEach(stigSupportedRequirement -> request.aggregation( @@ -1339,6 +1339,15 @@ public class IssueIndex { return search(request, false, stigVersion.label()); } + public List<SecurityStandardCategoryStatistics> getCasaReport(String projectUuid, boolean isViewOrApp) { + SearchSourceBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp); + IntStream.range(1, 15) + .forEach(casaTopCategory -> request.aggregation( + newSecurityReportSubAggregations( + AggregationBuilders.filter(String.valueOf(casaTopCategory), boolQuery().filter(prefixQuery(FIELD_ISSUE_CASA, casaTopCategory + "."))), FIELD_ISSUE_CASA))); + return searchWithDistribution(request, null, null); + } + private List<SecurityStandardCategoryStatistics> searchWithLevelDistribution(SearchSourceBuilder sourceBuilder, String version, @Nullable String level) { return getSearchResponse(sourceBuilder) .getAggregations().asList().stream() @@ -1346,7 +1355,7 @@ public class IssueIndex { .toList(); } - private List<SecurityStandardCategoryStatistics> searchWithDistribution(SearchSourceBuilder sourceBuilder, String version, @Nullable Integer level) { + private List<SecurityStandardCategoryStatistics> searchWithDistribution(SearchSourceBuilder sourceBuilder, @Nullable String version, @Nullable Integer level) { return getSearchResponse(sourceBuilder) .getAggregations().asList().stream() .map(c -> processSecurityReportIssueSearchResultsWithDistribution((ParsedFilter) c, version, level)) @@ -1366,7 +1375,8 @@ public class IssueIndex { return client.search(request); } - private static SecurityStandardCategoryStatistics processSecurityReportIssueSearchResultsWithDistribution(ParsedFilter categoryFilter, String version, @Nullable Integer level) { + private static SecurityStandardCategoryStatistics processSecurityReportIssueSearchResultsWithDistribution(ParsedFilter categoryFilter, @Nullable String version, + @Nullable Integer level) { var list = ((ParsedStringTerms) categoryFilter.getAggregations().get(AGG_DISTRIBUTION)).getBuckets(); List<SecurityStandardCategoryStatistics> children = list.stream() .filter(categoryBucket -> StringUtils.startsWith(categoryBucket.getKeyAsString(), categoryFilter.getName() + ".")) diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java index 38b17ff5f3e..3bdc73cf4d5 100644 --- a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java +++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java @@ -41,14 +41,14 @@ import static java.util.stream.Collectors.toList; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.tuple; import static org.sonar.api.server.rule.RulesDefinition.OwaspAsvsVersion; +import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion; import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2017; import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2021; -import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion; import static org.sonar.db.component.ComponentTesting.newPrivateProjectDto; import static org.sonar.server.issue.IssueDocTesting.newDocForProject; +import static org.sonar.server.security.SecurityStandards.UNKNOWN_STANDARD; import static org.sonar.server.security.SecurityStandards.StigSupportedRequirement.V222391; import static org.sonar.server.security.SecurityStandards.StigSupportedRequirement.V222397; -import static org.sonar.server.security.SecurityStandards.UNKNOWN_STANDARD; class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { @@ -57,10 +57,12 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { ComponentDto project = newPrivateProjectDto(); ComponentDto another = newPrivateProjectDto(); - IssueDoc openVulDoc = newDocForProject("openvul1", project).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.MAJOR); + IssueDoc openVulDoc = newDocForProject("openvul1", project).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.MAJOR); openVulDoc.setOwaspTop10For2021(singletonList("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.MAJOR); - IssueDoc otherProjectDoc = newDocForProject("anotherProject", another).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL); + IssueDoc otherProjectDoc = newDocForProject("anotherProject", another).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.CRITICAL); otherProjectDoc.setOwaspTop10For2021(singletonList("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL); indexIssues(openVulDoc, otherProjectDoc); @@ -89,7 +91,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { newDocForProject("openvul12021", project).setOwaspTop10For2021(List.of("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.MAJOR), newDocForProject("notopenvul", project).setOwaspTop10(List.of("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED).setResolution(Issue.RESOLUTION_FIXED) .setSeverity(Severity.BLOCKER), - newDocForProject("notopenvul2021", project).setOwaspTop10For2021(List.of("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED).setResolution(Issue.RESOLUTION_FIXED) + newDocForProject("notopenvul2021", project).setOwaspTop10For2021(List.of("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED) + .setResolution(Issue.RESOLUTION_FIXED) .setSeverity(Severity.BLOCKER)); List<SecurityStandardCategoryStatistics> owaspTop10Report = underTest.getOwaspTop10Report(project.uuid(), false, false, Y2017); @@ -249,15 +252,15 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { .collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getChildren)); assertThat(cweByOwasp.get("a1")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities, - SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots, - SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating) + SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots, + SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating) .containsExactlyInAnyOrder( tuple("123", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1), tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1), tuple("unknown", 0L, OptionalInt.empty(), 1L /* openhotspot1 */, 0L, 5)); assertThat(cweByOwasp.get("a3")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities, - SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots, - SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating) + SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots, + SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating) .containsExactlyInAnyOrder( tuple("123", 2L /* openvul1, openvul2 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1), tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1), @@ -272,15 +275,15 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { .collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getChildren)); assertThat(cweByOwasp.get("a1")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities, - SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots, - SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating) + SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots, + SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating) .containsExactlyInAnyOrder( tuple("123", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1), tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1), tuple("unknown", 0L, OptionalInt.empty(), 1L /* openhotspot1 */, 0L, 5)); assertThat(cweByOwasp.get("a3")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities, - SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots, - SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating) + SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots, + SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating) .containsExactlyInAnyOrder( tuple("123", 2L /* openvul1, openvul2 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1), tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1), @@ -294,7 +297,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { .setSeverity(Severity.MAJOR), newDocForProject("openvul2", project).setOwaspTop10(asList("a3", "a6")).setCwe(List.of("123")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) .setSeverity(Severity.MINOR), - newDocForProject("notowaspvul", project).setOwaspTop10(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL), + newDocForProject("notowaspvul", project).setOwaspTop10(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.CRITICAL), newDocForProject("toreviewhotspot1", project).setOwaspTop10(asList("a1", "a3")).setCwe(singletonList(UNKNOWN_STANDARD)).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_TO_REVIEW), newDocForProject("toreviewhotspot2", project).setOwaspTop10(asList("a3", "a6")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW), @@ -330,7 +334,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { .setSeverity(Severity.MINOR), newDocForProject("openvul3", project).setPciDss32(asList("10.1.2", "6.5")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) .setSeverity(Severity.MINOR), - newDocForProject("notpcidssvul", project).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL), + newDocForProject("notpcidssvul", project).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.CRITICAL), newDocForProject("toreviewhotspot1", project).setPciDss32(asList("1.3.0", "3.3.2")).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_TO_REVIEW), newDocForProject("toreviewhotspot2", project).setPciDss32(asList("3.5.6", "6.4.5")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW), @@ -427,7 +432,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { .setSeverity(Severity.MINOR), newDocForProject("openvul3", project).setOwaspAsvs40(asList("10.2.4", "6.2.8")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) .setSeverity(Severity.MINOR), - newDocForProject("notowaspasvsvul", project).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL), + newDocForProject("notowaspasvsvul", project).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.CRITICAL), newDocForProject("toreviewhotspot1", project).setOwaspAsvs40(asList("2.2.5", "3.2.4")).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_TO_REVIEW), newDocForProject("toreviewhotspot2", project).setOwaspAsvs40(asList("3.6.1", "7.1.1")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW), @@ -444,7 +450,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { .setSeverity(Severity.MAJOR), newDocForProject("openvul2", project).setOwaspTop10For2021(asList("a3", "a6")).setCwe(List.of("123")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) .setSeverity(Severity.MINOR), - newDocForProject("notowaspvul", project).setOwaspTop10For2021(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL), + newDocForProject("notowaspvul", project).setOwaspTop10For2021(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.CRITICAL), newDocForProject("toreviewhotspot1", project).setOwaspTop10For2021(asList("a1", "a3")).setCwe(singletonList(UNKNOWN_STANDARD)).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_TO_REVIEW), newDocForProject("toreviewhotspot2", project).setOwaspTop10For2021(asList("a3", "a6")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW), @@ -485,7 +492,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { .setSeverity(Severity.MINOR), newDocForProject("openvul3", project1).setPciDss32(asList("10.1.2", "6.5")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) .setSeverity(Severity.MINOR), - newDocForProject("notpcidssvul", project1).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL), + newDocForProject("notpcidssvul", project1).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.CRITICAL), newDocForProject("toreviewhotspot1", project2).setPciDss32(asList("1.3.0", "3.3.2")).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_TO_REVIEW), newDocForProject("toreviewhotspot2", project1).setPciDss32(asList("3.5.6", "6.4.5")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW), @@ -532,7 +540,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { .setSeverity(Severity.MINOR), newDocForProject("openvul3", project1).setOwaspAsvs40(asList("10.3.2", "6.2.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) .setSeverity(Severity.MINOR), - newDocForProject("notowaspasvsvul", project1).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL), + newDocForProject("notowaspasvsvul", project1).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.CRITICAL), newDocForProject("toreviewhotspot1", project2).setOwaspAsvs40(asList("2.1.3", "3.3.2")).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_TO_REVIEW), newDocForProject("toreviewhotspot2", project1).setOwaspAsvs40(asList("3.4.4", "6.2.1")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW), @@ -692,7 +701,6 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { assertThat(findRuleInCweByYear(cwe2021, "295")).isNull(); assertThat(findRuleInCweByYear(cwe2021, "999")).isNull(); - SecurityStandardCategoryStatistics cwe2022 = cweTop25Reports.stream() .filter(s -> s.getCategory().equals("2022")) .findAny().get(); @@ -733,7 +741,7 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { } @Test - void getStigAsdV5R3_whenRequestingReportOnApplication_ShouldAggregateBasedOnStigRequirement() { + void getStigAsdV5R3_whenRequestingReportOnApplication_ShouldAggregateBasedOnStigReportRequirement() { ComponentDto application = db.components().insertPrivateApplication().getMainBranchComponent(); ComponentDto project1 = db.components().insertPrivateProject().getMainBranchComponent(); ComponentDto project2 = db.components().insertPrivateProject().getMainBranchComponent(); @@ -751,7 +759,7 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { indexView(application.uuid(), asList(project1.uuid(), project2.uuid())); - Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStig(application.uuid(), true, StigVersion.ASD_V5R3) + Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStigReport(application.uuid(), true, StigVersion.ASD_V5R3) .stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e)); assertThat(statisticsToMap).hasSize(41) @@ -783,7 +791,7 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { newDocForProject("reviewedHostpot", branch).setStigAsdV5R3(List.of(V222397.getRequirement())).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_REVIEWED).setResolution(Issue.RESOLUTION_FIXED)); - Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStig(branch.uuid(), false, StigVersion.ASD_V5R3) + Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStigReport(branch.uuid(), false, StigVersion.ASD_V5R3) .stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e)); assertThat(statisticsToMap).hasSize(41) @@ -801,6 +809,90 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon { }); } + @Test + void getCasa_whenRequestingReportOnProject_ShouldAggregateBasedOnCasaReportRequirement() { + ComponentDto branch = newPrivateProjectDto(); + indexIssues( + newDocForProject("openvul", branch).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.MAJOR), + newDocForProject("openvul2", branch).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.MAJOR), + newDocForProject("notopenvul", branch).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED) + .setResolution(Issue.RESOLUTION_FIXED) + .setSeverity(Severity.BLOCKER), + newDocForProject("toreviewhotspot", branch).setCasa(List.of("2.7.6")).setType(RuleType.SECURITY_HOTSPOT) + .setStatus(Issue.STATUS_TO_REVIEW), + newDocForProject("reviewedHostpot", branch).setCasa(List.of("2.7.6")).setType(RuleType.SECURITY_HOTSPOT) + .setStatus(Issue.STATUS_REVIEWED).setResolution(Issue.RESOLUTION_FIXED)); + + Map<String, SecurityStandardCategoryStatistics> statisticsToMap = toMap(underTest.getCasaReport(branch.uuid(), false)); + + assertThat(statisticsToMap).hasSize(14) + .hasEntrySatisfying("2", stat -> { + assertThat(stat.getVulnerabilities()).isEqualTo(2); + assertThat(stat.getToReviewSecurityHotspots()).isEqualTo(1); + assertThat(stat.getReviewedSecurityHotspots()).isEqualTo(1); + assertThat(stat.getVersion()).isEmpty(); + assertThat(toMap(stat.getChildren())) + .hasSize(2) + .hasEntrySatisfying("2.6.1", cat -> { + assertThat(cat.getVulnerabilities()).isEqualTo(2); + assertThat(cat.getToReviewSecurityHotspots()).isZero(); + assertThat(cat.getReviewedSecurityHotspots()).isZero(); + assertThat(cat.getVulnerabilityRating()).as("MAJOR = C").isEqualTo(OptionalInt.of(3)); + }) + .hasEntrySatisfying("2.7.6", cat -> { + assertThat(cat.getVulnerabilities()).isZero(); + assertThat(cat.getToReviewSecurityHotspots()).isEqualTo(1); + assertThat(cat.getReviewedSecurityHotspots()).isEqualTo(1); + assertThat(stat.getSecurityReviewRating()).as("50% of hotspots are reviewed, so rating is C").isEqualTo(3); + }); + }); + } + + @Test + void getCasa_whenRequestingReportOnApplication_ShouldAggregateBasedOnCasaReportRequirement() { + ComponentDto application = db.components().insertPrivateApplication().getMainBranchComponent(); + ComponentDto project1 = db.components().insertPrivateProject().getMainBranchComponent(); + ComponentDto project2 = db.components().insertPrivateProject().getMainBranchComponent(); + + indexIssues( + newDocForProject("openvul1", project1).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) + .setSeverity(Severity.MAJOR), + newDocForProject("openvul2", project2).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) + .setSeverity(Severity.MINOR), + newDocForProject("toreviewhotspot", project1).setCasa(List.of("2.6.1")).setType(RuleType.SECURITY_HOTSPOT) + .setStatus(Issue.STATUS_TO_REVIEW), + + newDocForProject("unknown", project2).setCasa(List.of("2.7.6")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) + .setSeverity(Severity.MINOR)); + + indexView(application.uuid(), asList(project1.uuid(), project2.uuid())); + + Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getCasaReport(application.uuid(), true) + .stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e)); + + assertThat(statisticsToMap).hasSize(14) + .hasEntrySatisfying("2", stat -> { + assertThat(toMap(stat.getChildren())) + .hasSize(2) + .hasEntrySatisfying("2.6.1", cat -> { + assertThat(cat.getVulnerabilities()).isEqualTo(2); + assertThat(cat.getToReviewSecurityHotspots()).isEqualTo(1); + assertThat(cat.getReviewedSecurityHotspots()).isZero(); + }) + .hasEntrySatisfying("2.7.6", cat -> { + assertThat(cat.getVulnerabilities()).isEqualTo(1); + assertThat(cat.getToReviewSecurityHotspots()).isZero(); + assertThat(cat.getReviewedSecurityHotspots()).isZero(); + }); + }); + } + + private static Map<String, SecurityStandardCategoryStatistics> toMap(List<SecurityStandardCategoryStatistics> statistics) { + return statistics.stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e)); + } + private SecurityStandardCategoryStatistics findRuleInCweByYear(SecurityStandardCategoryStatistics statistics, String cweId) { return statistics.getChildren().stream().filter(stat -> stat.getCategory().equals(cweId)).findAny().orElse(null); } |