#68 - take first CWE number from tags

OWASP-Benchmark · Apr 18, 2024 · 5148873 · 5148873
1 parent f2eec0d
commit 5148873
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 3 deletions.
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java
@@ -34,8 +34,6 @@ public int mapCwe(int cwe) {
                 return CweNumber.COMMAND_INJECTION; // Command Injection
             case 335: // java/predictable-seed - Improves the tool's score
                 return CweNumber.WEAK_RANDOM; // Weak Random
-            case 564:
-                return CweNumber.SQL_INJECTION;
         }
         return cwe;
     }

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SarifReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SarifReader.java
@@ -159,7 +159,8 @@ private Map<String, Integer> ruleCweMappingsByTag(JSONObject tool) {
             for (int j = 0; j < tags.length(); j++) {
                 String tag = tags.getString(j).toLowerCase();
 
-                if (tag.contains("cwe")) {
+                // only take first CWE id for rule
+                if (tag.contains("cwe") && !mappings.containsKey(rule.getString("id"))) {
                     mappings.put(rule.getString("id"), mapCwe(extractCwe(tag)));
                 }
             }