SONAR-22543 Add CASA security report

author: Léo Geoffroy <leo.geoffroy@sonarsource.com> 2024-07-24 16:35:54 +0200
committer: sonartech <sonartech@sonarsource.com> 2024-07-26 20:02:47 +0000
commit: ca303d9b3ff58d12e14cabfbb58731f74b274663 (patch)
tree: e51cf492024f58be9cc441ca1bfbf955729245ec /server
parent: ebb080570d77aa6a8dbc0bd360a730e7015342ba (diff)
download: sonarqube-ca303d9b3ff58d12e14cabfbb58731f74b274663.tar.gz
sonarqube-ca303d9b3ff58d12e14cabfbb58731f74b274663.zip
4 files changed, 135 insertions, 33 deletions
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java
index d13219e433e..7a4484d233e 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java
@@ -125,7 +125,7 @@ public class IssueIndexDefinition implements IndexDefinition {
 
   private IssueIndexDefinition(Configuration config, boolean enableSource) {
     this.config = config;
-    this.enableSource = true;
+    this.enableSource = enableSource;
   }
 
   /**
diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java b/server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java
index fa0c0e485f7..e863b3059f5 100644
--- a/server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java
+++ b/server/sonar-server-common/src/test/java/org/sonar/server/issue/SearchRequestTest.java
@@ -82,19 +82,19 @@ public class SearchRequestTest {
     assertThat(underTest.getSort()).isEqualTo("CREATION_DATE");
     assertThat(underTest.getAsc()).isTrue();
     assertThat(underTest.getInNewCodePeriod()).isTrue();
-    assertOwasp(underTest);
-    assertThat(underTest.getStigAsdV5R3()).containsExactly("V-222400", "V-222401");
-    assertThat(underTest.getStigAsdV5R3()).containsExactly("V-222400", "V-222401");
-    assertThat(underTest.getPciDss32()).containsExactly("1", "4");
-    assertThat(underTest.getPciDss40()).containsExactly("3", "5");
+    assertSecurityStandards(underTest);
     assertThat(underTest.getCodeVariants()).containsExactly("variant1", "variant2");
     assertCleanCodeInformation(underTest);
   }
 
-  private static void assertOwasp(SearchRequest underTest) {
+  private static void assertSecurityStandards(SearchRequest underTest) {
     assertThat(underTest.getOwaspTop10For2021()).containsExactly("a2", "a3");
     assertThat(underTest.getOwaspAsvs40()).containsExactly("1.1.1", "4.2.2");
     assertThat(underTest.getOwaspAsvsLevel()).isEqualTo(2);
+    assertThat(underTest.getStigAsdV5R3()).containsExactly("V-222400", "V-222401");
+    assertThat(underTest.getCasa()).containsExactly("1.4.1", "6.4.2");
+    assertThat(underTest.getPciDss32()).containsExactly("1", "4");
+    assertThat(underTest.getPciDss40()).containsExactly("3", "5");
   }
 
   private static void assertCleanCodeInformation(SearchRequest underTest) {
diff --git a/server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java b/server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java
index 8ce28b2d237..6b0d2b1b10a 100644
--- a/server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java
+++ b/server/sonar-webserver-es/src/main/java/org/sonar/server/issue/index/IssueIndex.java
@@ -1329,7 +1329,7 @@ public class IssueIndex {
     return search(request, includeCwe, version.label());
   }
 
-  public List<SecurityStandardCategoryStatistics> getStig(String projectUuid, boolean isViewOrApp, RulesDefinition.StigVersion stigVersion) {
+  public List<SecurityStandardCategoryStatistics> getStigReport(String projectUuid, boolean isViewOrApp, RulesDefinition.StigVersion stigVersion) {
     SearchSourceBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
     Arrays.stream(StigSupportedRequirement.values())
       .forEach(stigSupportedRequirement -> request.aggregation(
@@ -1339,6 +1339,15 @@ public class IssueIndex {
     return search(request, false, stigVersion.label());
   }
 
+  public List<SecurityStandardCategoryStatistics> getCasaReport(String projectUuid, boolean isViewOrApp) {
+    SearchSourceBuilder request = prepareNonClosedVulnerabilitiesAndHotspotSearch(projectUuid, isViewOrApp);
+    IntStream.range(1, 15)
+      .forEach(casaTopCategory -> request.aggregation(
+        newSecurityReportSubAggregations(
+          AggregationBuilders.filter(String.valueOf(casaTopCategory), boolQuery().filter(prefixQuery(FIELD_ISSUE_CASA, casaTopCategory + "."))), FIELD_ISSUE_CASA)));
+    return searchWithDistribution(request, null, null);
+  }
+
   private List<SecurityStandardCategoryStatistics> searchWithLevelDistribution(SearchSourceBuilder sourceBuilder, String version, @Nullable String level) {
     return getSearchResponse(sourceBuilder)
       .getAggregations().asList().stream()
@@ -1346,7 +1355,7 @@ public class IssueIndex {
       .toList();
   }
 
-  private List<SecurityStandardCategoryStatistics> searchWithDistribution(SearchSourceBuilder sourceBuilder, String version, @Nullable Integer level) {
+  private List<SecurityStandardCategoryStatistics> searchWithDistribution(SearchSourceBuilder sourceBuilder, @Nullable String version, @Nullable Integer level) {
     return getSearchResponse(sourceBuilder)
       .getAggregations().asList().stream()
       .map(c -> processSecurityReportIssueSearchResultsWithDistribution((ParsedFilter) c, version, level))
@@ -1366,7 +1375,8 @@ public class IssueIndex {
     return client.search(request);
   }
 
-  private static SecurityStandardCategoryStatistics processSecurityReportIssueSearchResultsWithDistribution(ParsedFilter categoryFilter, String version, @Nullable Integer level) {
+  private static SecurityStandardCategoryStatistics processSecurityReportIssueSearchResultsWithDistribution(ParsedFilter categoryFilter, @Nullable String version,
+    @Nullable Integer level) {
     var list = ((ParsedStringTerms) categoryFilter.getAggregations().get(AGG_DISTRIBUTION)).getBuckets();
     List<SecurityStandardCategoryStatistics> children = list.stream()
       .filter(categoryBucket -> StringUtils.startsWith(categoryBucket.getKeyAsString(), categoryFilter.getName() + "."))
diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
index 38b17ff5f3e..3bdc73cf4d5 100644
--- a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
+++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexSecurityReportsTest.java
@@ -41,14 +41,14 @@ import static java.util.stream.Collectors.toList;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.tuple;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspAsvsVersion;
+import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2017;
 import static org.sonar.api.server.rule.RulesDefinition.OwaspTop10Version.Y2021;
-import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion;
 import static org.sonar.db.component.ComponentTesting.newPrivateProjectDto;
 import static org.sonar.server.issue.IssueDocTesting.newDocForProject;
+import static org.sonar.server.security.SecurityStandards.UNKNOWN_STANDARD;
 import static org.sonar.server.security.SecurityStandards.StigSupportedRequirement.V222391;
 import static org.sonar.server.security.SecurityStandards.StigSupportedRequirement.V222397;
-import static org.sonar.server.security.SecurityStandards.UNKNOWN_STANDARD;
 
 class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
 
@@ -57,10 +57,12 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
     ComponentDto project = newPrivateProjectDto();
     ComponentDto another = newPrivateProjectDto();
 
-    IssueDoc openVulDoc = newDocForProject("openvul1", project).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.MAJOR);
+    IssueDoc openVulDoc = newDocForProject("openvul1", project).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+      .setSeverity(Severity.MAJOR);
     openVulDoc.setOwaspTop10For2021(singletonList("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.MAJOR);
 
-    IssueDoc otherProjectDoc = newDocForProject("anotherProject", another).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL);
+    IssueDoc otherProjectDoc = newDocForProject("anotherProject", another).setOwaspTop10(singletonList("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+      .setSeverity(Severity.CRITICAL);
     otherProjectDoc.setOwaspTop10For2021(singletonList("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL);
 
     indexIssues(openVulDoc, otherProjectDoc);
@@ -89,7 +91,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       newDocForProject("openvul12021", project).setOwaspTop10For2021(List.of("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.MAJOR),
       newDocForProject("notopenvul", project).setOwaspTop10(List.of("a1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED).setResolution(Issue.RESOLUTION_FIXED)
         .setSeverity(Severity.BLOCKER),
-      newDocForProject("notopenvul2021", project).setOwaspTop10For2021(List.of("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED).setResolution(Issue.RESOLUTION_FIXED)
+      newDocForProject("notopenvul2021", project).setOwaspTop10For2021(List.of("a2")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED)
+        .setResolution(Issue.RESOLUTION_FIXED)
         .setSeverity(Severity.BLOCKER));
 
     List<SecurityStandardCategoryStatistics> owaspTop10Report = underTest.getOwaspTop10Report(project.uuid(), false, false, Y2017);
@@ -249,15 +252,15 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       .collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getChildren));
 
     assertThat(cweByOwasp.get("a1")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
+      SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+      SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
       .containsExactlyInAnyOrder(
         tuple("123", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("unknown", 0L, OptionalInt.empty(), 1L /* openhotspot1 */, 0L, 5));
     assertThat(cweByOwasp.get("a3")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
+      SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+      SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
       .containsExactlyInAnyOrder(
         tuple("123", 2L /* openvul1, openvul2 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
@@ -272,15 +275,15 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       .collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getChildren));
 
     assertThat(cweByOwasp.get("a1")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
+      SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+      SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
       .containsExactlyInAnyOrder(
         tuple("123", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("unknown", 0L, OptionalInt.empty(), 1L /* openhotspot1 */, 0L, 5));
     assertThat(cweByOwasp.get("a3")).extracting(SecurityStandardCategoryStatistics::getCategory, SecurityStandardCategoryStatistics::getVulnerabilities,
-        SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
-        SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
+      SecurityStandardCategoryStatistics::getVulnerabilityRating, SecurityStandardCategoryStatistics::getToReviewSecurityHotspots,
+      SecurityStandardCategoryStatistics::getReviewedSecurityHotspots, SecurityStandardCategoryStatistics::getSecurityReviewRating)
       .containsExactlyInAnyOrder(
         tuple("123", 2L /* openvul1, openvul2 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
         tuple("456", 1L /* openvul1 */, OptionalInt.of(3)/* MAJOR = C */, 0L, 0L, 1),
@@ -294,7 +297,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MAJOR),
       newDocForProject("openvul2", project).setOwaspTop10(asList("a3", "a6")).setCwe(List.of("123")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notowaspvul", project).setOwaspTop10(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notowaspvul", project).setOwaspTop10(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project).setOwaspTop10(asList("a1", "a3")).setCwe(singletonList(UNKNOWN_STANDARD)).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project).setOwaspTop10(asList("a3", "a6")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -330,7 +334,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MINOR),
       newDocForProject("openvul3", project).setPciDss32(asList("10.1.2", "6.5")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notpcidssvul", project).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notpcidssvul", project).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project).setPciDss32(asList("1.3.0", "3.3.2")).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project).setPciDss32(asList("3.5.6", "6.4.5")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -427,7 +432,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MINOR),
       newDocForProject("openvul3", project).setOwaspAsvs40(asList("10.2.4", "6.2.8")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notowaspasvsvul", project).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notowaspasvsvul", project).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project).setOwaspAsvs40(asList("2.2.5", "3.2.4")).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project).setOwaspAsvs40(asList("3.6.1", "7.1.1")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -444,7 +450,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MAJOR),
       newDocForProject("openvul2", project).setOwaspTop10For2021(asList("a3", "a6")).setCwe(List.of("123")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notowaspvul", project).setOwaspTop10For2021(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notowaspvul", project).setOwaspTop10For2021(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project).setOwaspTop10For2021(asList("a1", "a3")).setCwe(singletonList(UNKNOWN_STANDARD)).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project).setOwaspTop10For2021(asList("a3", "a6")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -485,7 +492,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MINOR),
       newDocForProject("openvul3", project1).setPciDss32(asList("10.1.2", "6.5")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notpcidssvul", project1).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notpcidssvul", project1).setPciDss32(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project2).setPciDss32(asList("1.3.0", "3.3.2")).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project1).setPciDss32(asList("3.5.6", "6.4.5")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -532,7 +540,8 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
         .setSeverity(Severity.MINOR),
       newDocForProject("openvul3", project1).setOwaspAsvs40(asList("10.3.2", "6.2.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
         .setSeverity(Severity.MINOR),
-      newDocForProject("notowaspasvsvul", project1).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN).setSeverity(Severity.CRITICAL),
+      newDocForProject("notowaspasvsvul", project1).setOwaspAsvs40(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.CRITICAL),
       newDocForProject("toreviewhotspot1", project2).setOwaspAsvs40(asList("2.1.3", "3.3.2")).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_TO_REVIEW),
       newDocForProject("toreviewhotspot2", project1).setOwaspAsvs40(asList("3.4.4", "6.2.1")).setType(RuleType.SECURITY_HOTSPOT).setStatus(Issue.STATUS_TO_REVIEW),
@@ -692,7 +701,6 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
     assertThat(findRuleInCweByYear(cwe2021, "295")).isNull();
     assertThat(findRuleInCweByYear(cwe2021, "999")).isNull();
 
-
     SecurityStandardCategoryStatistics cwe2022 = cweTop25Reports.stream()
       .filter(s -> s.getCategory().equals("2022"))
       .findAny().get();
@@ -733,7 +741,7 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
   }
 
   @Test
-  void getStigAsdV5R3_whenRequestingReportOnApplication_ShouldAggregateBasedOnStigRequirement() {
+  void getStigAsdV5R3_whenRequestingReportOnApplication_ShouldAggregateBasedOnStigReportRequirement() {
     ComponentDto application = db.components().insertPrivateApplication().getMainBranchComponent();
     ComponentDto project1 = db.components().insertPrivateProject().getMainBranchComponent();
     ComponentDto project2 = db.components().insertPrivateProject().getMainBranchComponent();
@@ -751,7 +759,7 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
 
     indexView(application.uuid(), asList(project1.uuid(), project2.uuid()));
 
-    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStig(application.uuid(), true, StigVersion.ASD_V5R3)
+    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStigReport(application.uuid(), true, StigVersion.ASD_V5R3)
       .stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e));
 
     assertThat(statisticsToMap).hasSize(41)
@@ -783,7 +791,7 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       newDocForProject("reviewedHostpot", branch).setStigAsdV5R3(List.of(V222397.getRequirement())).setType(RuleType.SECURITY_HOTSPOT)
         .setStatus(Issue.STATUS_REVIEWED).setResolution(Issue.RESOLUTION_FIXED));
 
-    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStig(branch.uuid(), false, StigVersion.ASD_V5R3)
+    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getStigReport(branch.uuid(), false, StigVersion.ASD_V5R3)
       .stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e));
 
     assertThat(statisticsToMap).hasSize(41)
@@ -801,6 +809,90 @@ class IssueIndexSecurityReportsTest extends IssueIndexTestCommon {
       });
   }
 
+  @Test
+  void getCasa_whenRequestingReportOnProject_ShouldAggregateBasedOnCasaReportRequirement() {
+    ComponentDto branch = newPrivateProjectDto();
+    indexIssues(
+      newDocForProject("openvul", branch).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.MAJOR),
+      newDocForProject("openvul2", branch).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.MAJOR),
+      newDocForProject("notopenvul", branch).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED)
+        .setResolution(Issue.RESOLUTION_FIXED)
+        .setSeverity(Severity.BLOCKER),
+      newDocForProject("toreviewhotspot", branch).setCasa(List.of("2.7.6")).setType(RuleType.SECURITY_HOTSPOT)
+        .setStatus(Issue.STATUS_TO_REVIEW),
+      newDocForProject("reviewedHostpot", branch).setCasa(List.of("2.7.6")).setType(RuleType.SECURITY_HOTSPOT)
+        .setStatus(Issue.STATUS_REVIEWED).setResolution(Issue.RESOLUTION_FIXED));
+
+    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = toMap(underTest.getCasaReport(branch.uuid(), false));
+
+    assertThat(statisticsToMap).hasSize(14)
+      .hasEntrySatisfying("2", stat -> {
+        assertThat(stat.getVulnerabilities()).isEqualTo(2);
+        assertThat(stat.getToReviewSecurityHotspots()).isEqualTo(1);
+        assertThat(stat.getReviewedSecurityHotspots()).isEqualTo(1);
+        assertThat(stat.getVersion()).isEmpty();
+        assertThat(toMap(stat.getChildren()))
+          .hasSize(2)
+          .hasEntrySatisfying("2.6.1", cat -> {
+            assertThat(cat.getVulnerabilities()).isEqualTo(2);
+            assertThat(cat.getToReviewSecurityHotspots()).isZero();
+            assertThat(cat.getReviewedSecurityHotspots()).isZero();
+            assertThat(cat.getVulnerabilityRating()).as("MAJOR = C").isEqualTo(OptionalInt.of(3));
+          })
+          .hasEntrySatisfying("2.7.6", cat -> {
+            assertThat(cat.getVulnerabilities()).isZero();
+            assertThat(cat.getToReviewSecurityHotspots()).isEqualTo(1);
+            assertThat(cat.getReviewedSecurityHotspots()).isEqualTo(1);
+            assertThat(stat.getSecurityReviewRating()).as("50% of hotspots are reviewed, so rating is C").isEqualTo(3);
+          });
+      });
+  }
+
+  @Test
+  void getCasa_whenRequestingReportOnApplication_ShouldAggregateBasedOnCasaReportRequirement() {
+    ComponentDto application = db.components().insertPrivateApplication().getMainBranchComponent();
+    ComponentDto project1 = db.components().insertPrivateProject().getMainBranchComponent();
+    ComponentDto project2 = db.components().insertPrivateProject().getMainBranchComponent();
+
+    indexIssues(
+      newDocForProject("openvul1", project1).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN)
+        .setSeverity(Severity.MAJOR),
+      newDocForProject("openvul2", project2).setCasa(List.of("2.6.1")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
+        .setSeverity(Severity.MINOR),
+      newDocForProject("toreviewhotspot", project1).setCasa(List.of("2.6.1")).setType(RuleType.SECURITY_HOTSPOT)
+        .setStatus(Issue.STATUS_TO_REVIEW),
+
+      newDocForProject("unknown", project2).setCasa(List.of("2.7.6")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED)
+        .setSeverity(Severity.MINOR));
+
+    indexView(application.uuid(), asList(project1.uuid(), project2.uuid()));
+
+    Map<String, SecurityStandardCategoryStatistics> statisticsToMap = underTest.getCasaReport(application.uuid(), true)
+      .stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e));
+
+    assertThat(statisticsToMap).hasSize(14)
+      .hasEntrySatisfying("2", stat -> {
+        assertThat(toMap(stat.getChildren()))
+          .hasSize(2)
+          .hasEntrySatisfying("2.6.1", cat -> {
+            assertThat(cat.getVulnerabilities()).isEqualTo(2);
+            assertThat(cat.getToReviewSecurityHotspots()).isEqualTo(1);
+            assertThat(cat.getReviewedSecurityHotspots()).isZero();
+          })
+          .hasEntrySatisfying("2.7.6", cat -> {
+            assertThat(cat.getVulnerabilities()).isEqualTo(1);
+            assertThat(cat.getToReviewSecurityHotspots()).isZero();
+            assertThat(cat.getReviewedSecurityHotspots()).isZero();
+          });
+      });
+  }
+
+  private static Map<String, SecurityStandardCategoryStatistics> toMap(List<SecurityStandardCategoryStatistics> statistics) {
+    return statistics.stream().collect(Collectors.toMap(SecurityStandardCategoryStatistics::getCategory, e -> e));
+  }
+
   private SecurityStandardCategoryStatistics findRuleInCweByYear(SecurityStandardCategoryStatistics statistics, String cweId) {
     return statistics.getChildren().stream().filter(stat -> stat.getCategory().equals(cweId)).findAny().orElse(null);
   }
author	Léo Geoffroy <leo.geoffroy@sonarsource.com>	2024-07-24 16:35:54 +0200
committer	sonartech <sonartech@sonarsource.com>	2024-07-26 20:02:47 +0000
commit	ca303d9b3ff58d12e14cabfbb58731f74b274663 (patch)
tree	e51cf492024f58be9cc441ca1bfbf955729245ec /server
parent	ebb080570d77aa6a8dbc0bd360a730e7015342ba (diff)
download	sonarqube-ca303d9b3ff58d12e14cabfbb58731f74b274663.tar.gz sonarqube-ca303d9b3ff58d12e14cabfbb58731f74b274663.zip