From 68c9e5eeae38b0e43fef99ad6187aaf4eda2f76c Mon Sep 17 00:00:00 2001
From: Matteo Mara
Date: Wed, 28 Sep 2022 16:19:43 +0200
Subject: SONAR-17393 add constants and common code for handling OWASP ASVS

---
 .../org/sonar/server/issue/index/IssueDoc.java | 10 ++++++
 .../server/issue/index/IssueIndexDefinition.java | 2 ++
 .../issue/index/IssueIteratorForSingleChunk.java | 1 +
 .../sonar/server/security/SecurityStandards.java | 41 ++++++++++++++--------
 .../server/security/SecurityStandardsTest.java | 8 +++++
 5 files changed, 48 insertions(+), 14 deletions(-)
(limited to 'server/sonar-server-common')

diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueDoc.java b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueDoc.java
index ac194d590ab..f00a40a8036 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueDoc.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueDoc.java
@@ -295,6 +295,16 @@ public class IssueDoc extends BaseDoc {
 return getNullableField(IssueIndexDefinition.FIELD_ISSUE_PCI_DSS_40);
 }
+ public IssueDoc setOwaspAsvs40(@Nullable Collection o) {
+ setField(IssueIndexDefinition.FIELD_ISSUE_OWASP_ASVS_40, o);
+ return this;
+ }
+
+ @CheckForNull
+ public Collection getOwaspAsvs40() {
+ return getNullableField(IssueIndexDefinition.FIELD_ISSUE_OWASP_ASVS_40);
+ }
+
 @CheckForNull
 public Collection getOwaspTop10() {
 return getNullableField(IssueIndexDefinition.FIELD_ISSUE_OWASP_TOP_10);
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java
index a0bf4593815..0eaccdeb01e 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIndexDefinition.java
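Review bot: `setOwaspAsvs40(@Nullable Collection o)` carries no Javadoc, so nothing tells a caller that the collection must already be in prefix-stripped form: `IssueIteratorForSingleChunk` passes `securityStandards.getOwaspAsvs40()`, which (see the `getMatchingStandards` hunk) drops the `owaspAsvs-4.0:` prefix, and values written with the prefix intact would be indexed yet never match. Suggest `/** ASVS 4.0 identifiers with the {@code owaspAsvs-4.0:} prefix already removed, as returned by {@link SecurityStandards#getOwaspAsvs40()}. */` above the setter, and a more telling parameter name than `o` unless the neighbouring setters, which lie outside the hunk, use the same one.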
@@ -98,6 +98,7 @@ public class IssueIndexDefinition implements IndexDefinition {
 public static final String FIELD_ISSUE_TYPE = "type";
 public static final String FIELD_ISSUE_PCI_DSS_32 = "pciDss-3.2";
 public static final String FIELD_ISSUE_PCI_DSS_40 = "pciDss-4.0";
+ public static final String FIELD_ISSUE_OWASP_ASVS_40 = "owaspAsvs-4.0";
 public static final String FIELD_ISSUE_OWASP_TOP_10 = "owaspTop10";
 public static final String FIELD_ISSUE_OWASP_TOP_10_2021 = "owaspTop10-2021";
 public static final String FIELD_ISSUE_SANS_TOP_25 = "sansTop25";
@@ -168,6 +169,7 @@ public class IssueIndexDefinition implements IndexDefinition {
 mapping.keywordFieldBuilder(FIELD_ISSUE_TYPE).disableNorms().build();
 mapping.keywordFieldBuilder(FIELD_ISSUE_PCI_DSS_32).disableNorms().build();
 mapping.keywordFieldBuilder(FIELD_ISSUE_PCI_DSS_40).disableNorms().build();
+ mapping.keywordFieldBuilder(FIELD_ISSUE_OWASP_ASVS_40).disableNorms().build();
 mapping.keywordFieldBuilder(FIELD_ISSUE_OWASP_TOP_10).disableNorms().build();
 mapping.keywordFieldBuilder(FIELD_ISSUE_OWASP_TOP_10_2021).disableNorms().build();
 mapping.keywordFieldBuilder(FIELD_ISSUE_SANS_TOP_25).disableNorms().build();
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIteratorForSingleChunk.java b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIteratorForSingleChunk.java
index 9586ff3cb55..d2b3715304d 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIteratorForSingleChunk.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/issue/index/IssueIteratorForSingleChunk.java
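Review bot: The constant `FIELD_ISSUE_OWASP_ASVS_40 = "owaspAsvs-4.0"` and its keyword mapping in the second hunk are added without saying what a term looks like, although any facet or filter over the field will depend on that value contract. A one-line comment on the constant would do: `// terms are ASVS 4.0 identifiers without the "owaspAsvs-4.0:" prefix, see SecurityStandards#getOwaspAsvs40`. Presumably adding a mapped field changes the index definition and requires the issue index to be rebuilt on upgrade; that is not visible here, so confirm it is covered.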
@@ -237,6 +237,7 @@ class IssueIteratorForSingleChunk implements IssueIterator {
 doc.setOwaspTop10For2021(securityStandards.getOwaspTop10For2021());
 doc.setPciDss32(securityStandards.getPciDss32());
 doc.setPciDss40(securityStandards.getPciDss40());
+ doc.setOwaspAsvs40(securityStandards.getOwaspAsvs40());
 doc.setCwe(securityStandards.getCwe());
 doc.setSansTop25(securityStandards.getSansTop25());
 doc.setSonarSourceSecurityCategory(sqCategory);
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java b/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
index afb13b4271b..b06a72461a4 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/security/SecurityStandards.java
@@ -32,13 +32,14 @@ import java.util.Set;
 import java.util.stream.Collectors;
 import javax.annotation.Nullable;
 import javax.annotation.concurrent.Immutable;
+import org.sonar.api.server.rule.RulesDefinition.OwaspAsvsVersion;
+import org.sonar.api.server.rule.RulesDefinition.PciDssVersion;
 import static java.util.Arrays.asList;
 import static java.util.Arrays.stream;
 import static java.util.Collections.singleton;
 import static java.util.Collections.singletonList;
 import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion.V3_2;
-import static org.sonar.api.server.rule.RulesDefinition.PciDssVersion.V4_0;
 import static org.sonar.core.util.stream.MoreCollectors.toList;
 import static org.sonar.core.util.stream.MoreCollectors.toSet;
 import static org.sonar.core.util.stream.MoreCollectors.uniqueIndex;
@@ -57,7 +58,8 @@ public final class SecurityStandards {
 private static final String OWASP_TOP10_PREFIX = "owaspTop10:";
 private static final String OWASP_TOP10_2021_PREFIX = "owaspTop10-2021:";
 private static final String PCI_DSS_32_PREFIX = V3_2.prefix() + ":";
- private static final String PCI_DSS_40_PREFIX = V4_0.prefix() + ":";
+ private static final String PCI_DSS_40_PREFIX = PciDssVersion.V4_0.prefix() + ":";
+ private static final String OWASP_ASVS_40_PREFIX = OwaspAsvsVersion.V4_0.prefix() + ":";
 private static final String CWE_PREFIX = "cwe:";
 // See https://www.sans.org/top25-software-errors
 private static final Set INSECURE_CWE = new HashSet<>(asList("89", "78", "79", "434", "352", "601"));
@@ -177,6 +179,20 @@ public final class SecurityStandards {
 }
 }
+ public enum OwaspAsvs {
+ C1("1"), C2("2"), C3("3"), C4("4"), C5("5"), C6("6"), C7("7"), C8("8"), C9("9"), C10("10"), C11("11"), C12("12"), C13("13"), C14("14");
+
+ private final String category;
+
+ OwaspAsvs(String category) {
+ this.category = category;
+ }
+
+ public String category() {
+ return category;
+ }
+ }
+
 public static final Map> CWES_BY_SQ_CATEGORY = ImmutableMap.>builder()
 .put(SQCategory.BUFFER_OVERFLOW, Set.of("119", "120", "131", "676", "788"))
 .put(SQCategory.SQL_INJECTION, Set.of("89", "564", "943"))
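Review bot: `PCI_DSS_40_PREFIX` now spells its version as the qualified `PciDssVersion.V4_0` while the line above keeps the static import for `V3_2`, so the two PCI DSS prefixes are written two different ways. The qualification exists only because `OwaspAsvsVersion.V4_0` shares the simple name, so qualify both and drop the remaining static import: `private static final String PCI_DSS_32_PREFIX = PciDssVersion.V3_2.prefix() + ":";`. A short comment, `// qualified: OwaspAsvsVersion also defines V4_0`, would keep the next edit from re-introducing the static import.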
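Review bot: `OwaspAsvs` and its `category()` accessor have no Javadoc, and constants `C1`…`C14` carrying a numeric string say nothing about what the number means. Suggest a class Javadoc, `/** The 14 top-level chapters of OWASP ASVS 4.0, {@link #category()} being the chapter number. */`; if the chapter number is also the first segment of the value that follows the `owaspAsvs-4.0:` prefix, which this hunk does not show, say so there too. The enclosing `SecurityStandards` class starts and ends outside the hunk.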
@@ -226,19 +242,23 @@ public final class SecurityStandards {
 }
 public Set getPciDss32() {
- return toPciDss(standards, PCI_DSS_32_PREFIX);
+ return getMatchingStandards(standards, PCI_DSS_32_PREFIX);
 }
 public Set getPciDss40() {
- return toPciDss(standards, PCI_DSS_40_PREFIX);
+ return getMatchingStandards(standards, PCI_DSS_40_PREFIX);
+ }
+
+ public Set getOwaspAsvs40() {
+ return getMatchingStandards(standards, OWASP_ASVS_40_PREFIX);
 }
 public Set getOwaspTop10() {
- return toOwaspTop10(standards, OWASP_TOP10_PREFIX);
+ return getMatchingStandards(standards, OWASP_TOP10_PREFIX);
 }
 public Set getOwaspTop10For2021() {
- return toOwaspTop10(standards, OWASP_TOP10_2021_PREFIX);
+ return getMatchingStandards(standards, OWASP_TOP10_2021_PREFIX);
 }
 /**
@@ -276,14 +296,7 @@ public final class SecurityStandards {
 return new SecurityStandards(standards, cwe, sqCategory, ignoredSQCategories);
 }
- private static Set toPciDss(Set securityStandards, String prefix) {
- return securityStandards.stream()
- .filter(s -> s.startsWith(prefix))
- .map(s -> s.substring(prefix.length()))
- .collect(toSet());
- }
-
- private static Set toOwaspTop10(Set securityStandards, String prefix) {
+ private static Set getMatchingStandards(Set securityStandards, String prefix) {
 return securityStandards.stream()
 .filter(s -> s.startsWith(prefix))
 .map(s -> s.substring(prefix.length()))
diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/security/SecurityStandardsTest.java b/server/sonar-server-common/src/test/java/org/sonar/server/security/SecurityStandardsTest.java
index 665d27fa357..c61c4106a31 100644
--- a/server/sonar-server-common/src/test/java/org/sonar/server/security/SecurityStandardsTest.java
+++ b/server/sonar-server-common/src/test/java/org/sonar/server/security/SecurityStandardsTest.java
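Review bot: `getMatchingStandards` returns the text after the prefix rather than the matching standards themselves, and a standard that is exactly the prefix (`owaspAsvs-4.0:` with nothing after it) yields an empty-string entry; the new name and the missing Javadoc hide both. Suggest `/** Returns, for every standard starting with {@code prefix}, the remainder after the prefix (e.g. "pciDss-4.0:1.2" -> "1.2"); a bare prefix yields "". */` above the method, or a rename such as `stripPrefix`. The old `toPciDss`/`toOwaspTop10` behaved the same, so this is not a regression, only undocumented; the method's `.collect(...)` and closing brace are outside the hunk.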
@@ -25,6 +25,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
 import org.junit.Test;
+import org.sonar.server.security.SecurityStandards.OwaspAsvs;
 import org.sonar.server.security.SecurityStandards.PciDss;
 import org.sonar.server.security.SecurityStandards.SQCategory;
@@ -125,4 +126,11 @@ public class SecurityStandardsTest {
 assertThat(pciDssCategories).hasSize(12).containsExactly("1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12");
 }
+
+ @Test
+ public void owaspAsvs_categories_check() {
+ List owaspAsvsCategories = Arrays.stream(OwaspAsvs.values()).map(OwaspAsvs::category).collect(Collectors.toList());
+
+ assertThat(owaspAsvsCategories).hasSize(14).containsExactly("1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14");
+ }
 }
-- 
cgit v1.2.3
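Review bot: `owaspAsvs_categories_check` only pins the enum's category strings; nothing exercises the new `getOwaspAsvs40()` and its `owaspAsvs-4.0:` prefix stripping, which is the path `IssueIteratorForSingleChunk` now indexes from. Add a case such as `Set<String> asvs = SecurityStandards.fromSecurityStandards(Set.of("owaspAsvs-4.0:1.2.3", "pciDss-4.0:1.2")).getOwaspAsvs40();` followed by `assertThat(asvs).containsExactly("1.2.3");` (constructed example values), so a mismatch between `OWASP_ASVS_40_PREFIX` and what `OwaspAsvsVersion.V4_0.prefix()` produces would be caught. `SecurityStandardsTest` starts outside the hunk.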