diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
index 97da88bf..f156ebb9 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
@@ -32,6 +32,7 @@
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.DatadogSastReader;
+import org.owasp.benchmarkutils.score.parsers.sarif.PTAIReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.PrecautionReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.SemgrepSarifReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.SnykReader;
@@ -89,6 +90,7 @@ public static List allReaders() {
 new ParasoftReader(),
 new PrecautionReader(),
 new PMDReader(),
+ new PTAIReader(),
 new QualysWASReader(),
 new Rapid7Reader(),
 new ReshiftReader(),
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java
new file mode 100644
index 00000000..af0d1fa8
--- /dev/null
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java
@@ -0,0 +1,41 @@
+/**
+ * OWASP Benchmark Project
+ *
+ *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import org.owasp.benchmarkutils.score.CweNumber;
+
+public class PTAIReader extends SarifReader {
+
+ static final int PTAI_CWE_EXTERNAL_FILEPATH_CONTROL = 73;
+ static final int PTAI_CWE_BLIND_XPATH_INJECTION = 91;
+
+ public PTAIReader() {
+ super("Positive Technologies Application Inspector", true, CweSourceType.FIELD);
+ }
+
+ @Override
+ public int mapCwe(int cwe) {
+ switch (cwe) {
+ case PTAI_CWE_EXTERNAL_FILEPATH_CONTROL:
+ return CweNumber.PATH_TRAVERSAL;
+ case PTAI_CWE_BLIND_XPATH_INJECTION:
+ return CweNumber.XPATH_INJECTION;
+ }
+ return cwe;
+ }
+}
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
new file mode 100644
index 00000000..ef3d798e
--- /dev/null
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
@@ -0,0 +1,57 @@
+/**
+ * OWASP Benchmark Project
+ *
+ *
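Review bot: `mapCwe` carries no comment explaining why PT AI's CWE-73 (External Control of File Name or Path) is scored as `CweNumber.PATH_TRAVERSAL` and CWE-91 (XML Injection, aka Blind XPath Injection) as `CweNumber.XPATH_INJECTION`; these are deliberate category folds for Benchmark scoring, and without a note the next maintainer cannot tell them from typos. I would put a Javadoc on the method such as `/** Folds PT AI CWE ids that have no Benchmark category of their own into the closest Benchmark category; every other id passes through unchanged. */`. The two constants are package-private and read better as `private static final`, and the bare `true` literal in the `super(...)` call deserves a short comment naming the flag it sets (the test asserts the result is `ToolType.SAST`, so presumably that is what it controls; confirm against `SarifReader`). The pass-through after the switch is correct but easy to misread; an explicit `default: return cwe;` inside the switch makes it visible.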

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.*;
+import org.owasp.benchmarkutils.score.parsers.ReaderTestBase;
+
+public class PTAIReaderTest extends ReaderTestBase {
+
+ private ResultFile resultFile;
+
+ @BeforeEach
+ void setUp() {
+ resultFile = TestHelper.resultFileOf("testfiles/Benchmark_PTAI-v4.7.2.sarif");
+ BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+ }
+
+ @Test
+ public void onlyPTAIReaderTestReportsCanReadAsTrue() {
+ assertOnlyMatcherClassIs(this.resultFile, PTAIReader.class);
+ }
+
+ @Test
+ void readerHandlesGivenResultFile() throws Exception {
+ PTAIReader reader = new PTAIReader();
+ TestSuiteResults result = reader.parse(resultFile);
+
+ assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+
+ assertEquals("Positive Technologies Application Inspector", result.getToolName());
+ assertEquals("4.7.2.36549", result.getToolVersion());
+
+ assertEquals(2, result.getTotalResults());
+
+ assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE());
+ assertEquals(CweNumber.SQL_INJECTION, result.get(8).get(0).getCWE());
+ }
+}
diff --git a/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif b/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif
new file mode 100644
index 00000000..c861425d
--- /dev/null
+++ b/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif
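Review bot: The fixture `Benchmark_PTAI-v4.7.2.sarif` only carries CWE-89 and CWE-73 findings, so the `PTAI_CWE_BLIND_XPATH_INJECTION` branch of `PTAIReader.mapCwe` is never exercised by `readerHandlesGivenResultFile`. A direct assertion covers it without touching the fixture: `assertEquals(CweNumber.XPATH_INJECTION, reader.mapCwe(PTAIReader.PTAI_CWE_BLIND_XPATH_INJECTION));` next to the existing CWE assertions. The wildcard `import org.owasp.benchmarkutils.score.*;` is out of step with the explicit imports in the same file and hides which types (`ResultFile`, `TestHelper`, `BenchmarkScore`, `TestSuiteResults`, `CweNumber`) the test depends on; listing them explicitly is the project-wide convention the other imports follow.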
@@ -0,0 +1,104 @@
+{
+ "version": "2.1.0",
+ "$schema": "http://json.schemastore.org/sarif-2.1.0.json",
+ "runs": [
+ {
+ "tool": {
+ "driver": {
+ "name": "Positive Technologies Application Inspector",
+ "version": "4.7.2.36549",
+ "organization": "Positive Technologies",
+ "informationUri": "https://www.ptsecurity.com/ww-en/products/ai/",
+ "rules": [
+ {
+ "id": "SQL Injection",
+ "name": "SQL Injection",
+ "properties": {
+ "cwe": [
+ "CWE-89"
+ ]
+ },
+ "defaultConfiguration": {
+ "level": "error",
+ "enabled": true
+ },
+ "messageStrings": {
+ "default": {
+ "text": "SQL Injection"
+ }
+ }
+ },
+ {
+ "id": "Arbitrary File Reading",
+ "name": "Arbitrary File Reading",
+ "properties": {
+ "cwe": [
+ "CWE-73"
+ ]
+ },
+ "defaultConfiguration": {
+ "level": "error",
+ "enabled": true
+ },
+ "messageStrings": {
+ "default": {
+ "text": "Arbitrary File Reading"
+ }
+ }
+ }
+ ]
+ }
+ },
+ "results": [
+ {
+ "ruleId": "Arbitrary File Reading",
+ "suppressions": [
+ ],
+ "message": {
+ "id": "default",
+ "text": "Arbitrary File Reading"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java"
+ },
+ "region": {
+ "startLine": 71,
+ "snippet": {
+ "text": "new java.io.FileInputStream(new java.io.File(fileName))"
+ }
+ }
+ }
+ }
+ ]
+ },
+ {
+ "ruleId": "SQL Injection",
+ "suppressions": [
+ ],
+ "message": {
+ "id": "default",
+ "text": "SQL Injection"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java"
+ },
+ "region": {
+ "startLine": 57,
+ "snippet": {
+ "text": "connection.prepareCall(sql)"
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}