diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java
index 25dc605..39c9571 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java
@@ -29,12 +29,26 @@ public class FluidAttacksReader extends Reader {
 
 @Override
 public boolean canRead(ResultFile resultFile) {
- return resultFile.filename().endsWith("csv")
- && resultFile
- .line(0)
- .trim()
- .equals(
- "title,cwe,description,cvss,finding,stream,kind,where,snippet,method");
+ if (!resultFile.filename().endsWith("csv")) {
+ return false;
+ }
+
+ String headerLine = resultFile.line(0).trim();
+ String[] headers = headerLine.split(",");
+
+ boolean hasCwe = false;
+ boolean hasDescription = false;
+
+ for (String header : headers) {
+ if (header.equalsIgnoreCase("cwe")) {
+ hasCwe = true;
+ }
+ if (header.equalsIgnoreCase("description")) {
+ hasDescription = true;
+ }
+ }
+
+ return hasCwe && hasDescription;
 }
 
 @Override
@@ -48,7 +62,14 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
 for (CSVRecord record : records) {
 TestCaseResult testCaseResult = new TestCaseResult();
 // Read only useful rows of the csv results
- if (record.get("description").split("OWASP").length < 2) {
+ String description;
+ try {
+ description = record.get("description");
+ } catch (IllegalArgumentException e) {
+ continue;
+ }
+
+ if (description == null || description.split("OWASP").length < 2) {
 continue;
 }
 String what = record.get("description").split("OWASP")[1];
@@ -134,4 +155,4 @@ private static String cweToCategory(String cwe) {
 return "other";
 }
 }
-}
\ No newline at end of file
+}
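Review bot: The relaxed header test in canRead now claims any CSV whose header row has a `cwe` and a `description` column, so this reader can shadow other CSV-based readers at dispatch time; the removed exact-match line was what bound it to the Fluid Attacks layout. Keep at least one tool-specific column in the check — both the old and new fixture headers carry `finding` (the docs.fluidattacks.com criteria URL) — by tracking `hasFinding` in the same loop and returning `return hasCwe && hasDescription && hasFinding;`. The header cells are also compared untrimmed and unquoted, so a writer that emits `"cwe"` or ` cwe` would not match; applying `header.trim().replace("\"", "")` before the comparisons covers that cheaply. Whether `resultFile.line(0)` tolerates an empty file is not visible here, so it is worth confirming it cannot throw before the header check runs.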
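Review bot: The last line of the hunk still calls `record.get("description")` a second time even though the new code has just fetched that value into `description` and validated it; use the local there, `String what = description.split("OWASP")[1];`, so the null guard actually protects the value that is used. The new catch silently drops any row whose `description` cell cannot be resolved, which appears aimed at the trailer row in the updated fixture (`Summary: 2 Vulnerabilities ...`, which has fewer cells than the header); say so on the catch, e.g. `// Trailer rows such as "Summary: N Vulnerabilities ..." have fewer cells than the header; skip them`, because a bare `continue` otherwise reads as swallowing a parser error. The `for` loop body continues past the end of the hunk.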
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReaderTest.java
index d1d3348..5a84dfd 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReaderTest.java
@@ -52,7 +52,7 @@ void readerHandlesGivenResultFile() throws Exception {
 assertTrue(result.isCommercial());
 assertEquals("Fluid Attacks", result.getToolName());
- assertEquals(2, result.getTotalResults());
+ assertEquals(3, result.getTotalResults());
 assertEquals(CweNumber.SQL_INJECTION, result.get(1).get(0).getCWE());
 assertEquals(CweNumber.COMMAND_INJECTION, result.get(2).get(0).getCWE());
diff --git a/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv b/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv
index bb0bc69..22be0b6 100644
--- a/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv
+++ b/plugin/src/test/resources/testfiles/Benchmark_Fluid-Attacks-v20210416.csv
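Review bot: The bumped total is the only assertion that covers the new fixture row; nothing pins that the third result comes from BenchmarkTest00003 rather than from the trailer row being counted by mistake. Add `assertEquals(CweNumber.COMMAND_INJECTION, result.get(3).get(0).getCWE());` after the existing CWE assertions so a regression in the row-skipping logic fails on content, not just on count. The test method continues outside the hunk.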
@@ -1,3 +1,5 @@
-title,cwe,description,cvss,finding,stream,kind,where,snippet,method
-112. SQL injection - Java SQL API,CWE-89,Use of attacker controlled parameters for querying the data base in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java,CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:R,https://docs.fluidattacks.com/criteria/vulnerabilities/112,skims,SAST,59,"code snippet",java.java_sql_injection
-004. Remote command execution,CWE-78,"The system builds system commands using inputs that can be manipulated externally, it does not properly override special elements that could modify the system command in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java",CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:R,https://docs.fluidattacks.com/criteria/vulnerabilities/004,skims,SAST,71,"code snippet",java.java_remote_command_execution
\ No newline at end of file
+title,cwe,description,cvss,cvss_v4,finding,stream,kind,where,snippet,method
+112. SQL injection - Java SQL API,CWE-89,Use of attacker controlled parameters for querying the data base in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java,CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:R,CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N,https://docs.fluidattacks.com/criteria/vulnerabilities/112,skims,SAST,59,"code snippet",java.java_sql_injection
+004. Remote command execution,CWE-78,"The system builds system commands using inputs that can be manipulated externally, it does not properly override special elements that could modify the system command in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java",CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:R,CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N,https://docs.fluidattacks.com/criteria/vulnerabilities/004,skims,SAST,71,"code snippet",java.java_remote_command_execution
+004. 
Remote command execution,CWE-78,"The system builds system commands using inputs that can be manipulated externally, it does not properly override special elements that could modify the system command in OWASP/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java",CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:R,CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N,https://docs.fluidattacks.com/criteria/vulnerabilities/004,skims,SAST,89,"code snippet",java.java_remote_command_execution
+Summary: 2 Vulnerabilities were found in your execution
\ No newline at end of file
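Review bot: The new trailer row says `Summary: 2 Vulnerabilities were found in your execution` while the fixture now holds three finding rows and the test expects three results, so the fixture contradicts itself. If real skims output ends with such a trailer, make the number agree with the rows (`Summary: 3 Vulnerabilities were found in your execution`) or choose a value that is obviously not meant to be parsed, so nobody later "fixes" the reader to trust it. The trailer has a single cell against an eleven-column header, which is presumably what the reader's new catch depends on to skip it; since CSV has no comment syntax, that dependency belongs in the commit message or the test's name.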