diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java
index 701ff68f..25dc6059 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java
@@ -30,7 +30,11 @@ public class FluidAttacksReader extends Reader {
 @Override
 public boolean canRead(ResultFile resultFile) {
 return resultFile.filename().endsWith("csv")
- && resultFile.line(0).trim().equals("title,what,where,cwe");
+ && resultFile
+ .line(0)
+ .trim()
+ .equals(
+ "title,cwe,description,cvss,finding,stream,kind,where,snippet,method");
 }
 @Override
@@ -43,10 +47,12 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
 for (CSVRecord record : records) {
 TestCaseResult testCaseResult = new TestCaseResult();
-
- // Columns in the CSV
- String what = record.get("what");
- String cwe = record.get("cwe").split(" [+] ")[0];
+ // Read only useful rows of the csv results
+ if (record.get("description").split("OWASP").length < 2) {
+ continue;
+ }
+ String what = record.get("description").split("OWASP")[1];
+ String cwe = record.get("cwe").split("-")[1];
 // Parse columns into the correct types
 String category = cweToCategory(cwe);
@@ -128,4 +134,4 @@ private static String cweToCategory(String cwe) {
 return "other";
 }
 }
-}
+}
\ No newline at end of file
diff --git a/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv b/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv
index 1ccbfb38..bb0bc695 100644
--- a/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv
+++ b/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv
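Review bot: `String cwe = record.get("cwe").split("-")[1];` in the second hunk is unguarded, so a row whose cwe cell has no dash (an empty cell, or a bare number) throws ArrayIndexOutOfBoundsException out of parse() and aborts the whole result file instead of being skipped like the rows the new description filter drops just above it. The new row filter only inspects the description column, so a malformed cwe cell is never caught. I would split once and skip on a short result, `String[] cweParts = record.get("cwe").split("-"); if (cweParts.length < 2) { continue; } String cwe = cweParts[1];`, which yields the same "89" for "CWE-89". Note also that `what` now holds the text after the "OWASP" marker, i.e. "/src/main/..." where the old column gave "OWASP/src/main/..."; whether the later path handling tolerates the missing prefix cannot be seen from here, since parse() starts and ends outside the hunk.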
@@ -1,3 +1,3 @@
-title,what,where,cwe
-F001. SQL injection - Java SQL API,OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java,42,89
-F004. Remote command execution,OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java,42,78
+title,cwe,description,cvss,finding,stream,kind,where,snippet,method
+112. SQL injection - Java SQL API,CWE-89,Use of attacker controlled parameters for querying the data base in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java,CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:R,https://docs.fluidattacks.com/criteria/vulnerabilities/112,skims,SAST,59,"code snippet",java.java_sql_injection
+004. Remote command execution,CWE-78,"The system builds system commands using inputs that can be manipulated externally, it does not properly override special elements that could modify the system command in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java",CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:R,https://docs.fluidattacks.com/criteria/vulnerabilities/004,skims,SAST,71,"code snippet",java.java_remote_command_execution
\ No newline at end of file