Update HCL IAST reader (#55)

* Update HCLAppScanIASTReader.java * Update HCLAppScanIASTReader.java * Add test file with new DateTime format
OWASP-Benchmark · Oct 3, 2023 · f9029e0 · f9029e0
1 parent 1df51d0
commit f9029e0
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 6 deletions.
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
@@ -20,6 +20,7 @@
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.StringReader;
+import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.HashMap;
@@ -64,10 +65,12 @@ private void createVulnerabilitiesMap() {
         vulnerabilityToCweNumber.put("PathTraversal", CweNumber.PATH_TRAVERSAL);
         vulnerabilityToCweNumber.put("Cryptography.InsecureAlgorithm", CweNumber.WEAK_HASH_ALGO);
         vulnerabilityToCweNumber.put("Cryptography.Mac", CweNumber.WEAK_HASH_ALGO);
+        vulnerabilityToCweNumber.put("Cryptography.WeakHash", CweNumber.WEAK_HASH_ALGO);
         vulnerabilityToCweNumber.put("Cryptography.PoorEntropy", CweNumber.WEAK_RANDOM);
         vulnerabilityToCweNumber.put("Cryptography.NonStandard", CweNumber.WEAK_CRYPTO_ALGO);
         vulnerabilityToCweNumber.put("Cryptography.Ciphers", CweNumber.WEAK_CRYPTO_ALGO);
         vulnerabilityToCweNumber.put("Validation.Required", CweNumber.TRUST_BOUNDARY_VIOLATION);
+        vulnerabilityToCweNumber.put("TrustBoundaryViolation", CweNumber.TRUST_BOUNDARY_VIOLATION);
         vulnerabilityToCweNumber.put("attLoginNotOverSSL", CweNumber.UNPROTECTED_CREDENTIALS_TRANSPORT);
         vulnerabilityToCweNumber.put("attFileUploadXXE", CweNumber.XXE);
         vulnerabilityToCweNumber.put("attCrossSiteRequestForgery", CweNumber.CSRF);
@@ -156,11 +159,21 @@ private int cweLookup(String rule) {
 
     private String calculateTime(String firstLine, String lastLine) {
         try {
-            String start = firstLine.split(" ")[0];
-            String stop = lastLine.split(" ")[0];
-            SimpleDateFormat sdf = new SimpleDateFormat("HH:mm:ss.SSS");
-            Date startTime = sdf.parse(start);
-            Date stopTime = sdf.parse(stop);
+            String start = firstLine.split(" \\[")[0];
+            String stop = lastLine.split(" \\[")[0];
+            SimpleDateFormat dateAndTimeParser = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS");
+            SimpleDateFormat timeParser = new SimpleDateFormat("HH:mm:ss.SSS");
+            Date startTime;
+            Date stopTime;
+            try {
+                // try parse date and time
+                startTime = dateAndTimeParser.parse(start);
+                stopTime = dateAndTimeParser.parse(stop);
+            } catch (ParseException e) {
+                // try parse time only (for older versions)
+                startTime = timeParser.parse(start);
+                stopTime = timeParser.parse(stop);
+            }
             long startMillis = startTime.getTime();
             long stopMillis = stopTime.getTime();
             long seconds = (stopMillis - startMillis) / 1000;

diff --git a/plugin/src/test/resources/testfiles/Benchmark_HCL-IAST.hcl b/plugin/src/test/resources/testfiles/Benchmark_HCL-IAST.hcl
@@ -1,5 +1,5 @@
 01:23:45.666 [main] INFO lorem.ipsum:dolor - doing the magic
 01:23:45.777 [https-jsse-nio-127.0.0.1-8443-exec-3] DEBUG utils.TaintTracker:enterAction - [checking URL: /benchmark/pathtraver-01/BenchmarkTest00001 queryString: ]
 01:23:45.888 [Distributor Thread] DEBUG utils.distributor.Distributor:writeVulnerabilityToFile - {"agent-version":"some-agent","issue-group":[{"id":"-000000000","issue-type":{"ref":"PathTraversal"},"variant-group":[{"id":"1","request":{"uri":"/benchmark/pathtraver-01/BenchmarkTest00001","method":"POST","queryString":""}}]}]}
-01:23:45.999[https-jsse-nio-127.0.0.1-8443-exec-6] DEBUG utils.TaintTracker:enterAction - [checking URL: /benchmark/sqli-01/BenchmarkTest00002 queryString: ]
+01:23:45.999 [https-jsse-nio-127.0.0.1-8443-exec-6] DEBUG utils.TaintTracker:enterAction - [checking URL: /benchmark/sqli-01/BenchmarkTest00002 queryString: ]
 01:23:46.000 [Distributor Thread] DEBUG utils.distributor.Distributor:writeVulnerabilityToFile - {"agent-version":"some-agent","issue-group":[{"id":"-000000000","issue-type":{"ref":"Injection.SQL"},"variant-group":[{"id":"1","request":{"uri":"/benchmark/sqli-01/BenchmarkTest00002","method":"POST","queryString":""}}]}]}
diff --git a/plugin/src/test/resources/testfiles/Benchmark_HCL-IAST_DateTime.hcl b/plugin/src/test/resources/testfiles/Benchmark_HCL-IAST_DateTime.hcl
@@ -0,0 +1,5 @@
+2023-10-03 01:23:45.666 [main] INFO lorem.ipsum:dolor - doing the magic
+2023-10-03 01:23:45.777 [https-jsse-nio-127.0.0.1-8443-exec-3] DEBUG utils.TaintTracker:enterAction - [checking URL: /benchmark/pathtraver-01/BenchmarkTest00001 queryString: ]
+2023-10-03 01:23:45.888 [Distributor Thread] DEBUG utils.distributor.Distributor:writeVulnerabilityToFile - {"agent-version":"some-agent","issue-group":[{"id":"-000000000","issue-type":{"ref":"PathTraversal"},"variant-group":[{"id":"1","request":{"uri":"/benchmark/pathtraver-01/BenchmarkTest00001","method":"POST","queryString":""}}]}]}
+2023-10-03 01:23:45.999 [https-jsse-nio-127.0.0.1-8443-exec-6] DEBUG utils.TaintTracker:enterAction - [checking URL: /benchmark/sqli-01/BenchmarkTest00002 queryString: ]
+2023-10-03 01:23:46.000 [Distributor Thread] DEBUG utils.distributor.Distributor:writeVulnerabilityToFile - {"agent-version":"some-agent","issue-group":[{"id":"-000000000","issue-type":{"ref":"Injection.SQL"},"variant-group":[{"id":"1","request":{"uri":"/benchmark/sqli-01/BenchmarkTest00002","method":"POST","queryString":""}}]}]}