utils/Parsers: update FluidAttacks parser (#53)

Signed-off-by: Alejandro Lagos <[email protected]>
OWASP-Benchmark · Aug 15, 2023 · 607f0f7 · 607f0f7
1 parent 0df83cc
commit 607f0f7
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 9 deletions.
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java
@@ -30,7 +30,11 @@ public class FluidAttacksReader extends Reader {
     @Override
     public boolean canRead(ResultFile resultFile) {
         return resultFile.filename().endsWith("csv")
-                && resultFile.line(0).trim().equals("title,what,where,cwe");
+                && resultFile
+                        .line(0)
+                        .trim()
+                        .equals(
+                                "title,cwe,description,cvss,finding,stream,kind,where,snippet,method");
     }
 
     @Override
@@ -43,10 +47,12 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
 
         for (CSVRecord record : records) {
             TestCaseResult testCaseResult = new TestCaseResult();
-
-            // Columns in the CSV
-            String what = record.get("what");
-            String cwe = record.get("cwe").split(" [+] ")[0];
+            // Read only useful rows of the csv results
+            if (record.get("description").split("OWASP").length < 2) {
+                continue;
+            }
+            String what = record.get("description").split("OWASP")[1];
+            String cwe = record.get("cwe").split("-")[1];
 
             // Parse columns into the correct types
             String category = cweToCategory(cwe);
@@ -128,4 +134,4 @@ private static String cweToCategory(String cwe) {
                 return "other";
         }
     }
-}
+}
diff --git a/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv b/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv
@@ -1,3 +1,3 @@
-title,what,where,cwe
-F001. SQL injection - Java SQL API,OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java,42,89
-F004. Remote command execution,OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java,42,78
+title,cwe,description,cvss,finding,stream,kind,where,snippet,method
+112. SQL injection - Java SQL API,CWE-89,Use of attacker controlled parameters for querying the data base in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java,CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:R,https://docs.fluidattacks.com/criteria/vulnerabilities/112,skims,SAST,59,"code snippet",java.java_sql_injection
+004. Remote command execution,CWE-78,"The system builds system commands using inputs that can be manipulated externally, it does not properly override special elements that could modify the system command in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java",CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:R,https://docs.fluidattacks.com/criteria/vulnerabilities/004,skims,SAST,71,"code snippet",java.java_remote_command_execution