diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java
index 8d8f0b0..ee1cd9f 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java
@@ -53,7 +53,7 @@ public SarifReader(String expectedToolName, boolean isCommercial, CweSourceType
@Override
public boolean canRead(ResultFile resultFile) {
try {
- return resultFile.isJson() && sarifToolName(resultFile).equals(expectedToolName);
+ return resultFile.isJson() && sarifToolName(resultFile).startsWith(expectedToolName);
} catch (Exception e) {
return false;
}
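Review bot: Switching the comparison on the changed line to `sarifToolName(resultFile).startsWith(expectedToolName)` widens matching for every SarifReader subclass, not just Semgrep, so any reader whose expected name happens to be a prefix of another tool's driver name would now claim that tool's files as well, and canRead is meant to be exclusive (the tests assert exactly one matching reader). Whether such a prefix collision exists among the other subclasses is not visible here, but the base class is the wrong place to relax the rule for one tool. A safer shape is to keep exact matching as the default and let Semgrep opt in: add `protected boolean matchesToolName(String actual) { return expectedToolName.equals(actual); }` to SarifReader, use it on the changed line as `return resultFile.isJson() && matchesToolName(sarifToolName(resultFile));`, and override it in SemgrepSarifReader with `return actual.startsWith("Semgrep");`. The closing brace of canRead lies outside the hunk.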
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SemgrepSarifReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SemgrepSarifReader.java
index ed01600..070300e 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SemgrepSarifReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SemgrepSarifReader.java
@@ -20,6 +20,6 @@
public class SemgrepSarifReader extends SarifReader {
public SemgrepSarifReader() {
- super("Semgrep OSS", false, CweSourceType.TAG);
+ super("Semgrep", false, CweSourceType.TAG);
}
}
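Review bot: The second constructor argument on the changed line still hard-codes `false` for the commercial flag, yet the reader now also claims Semgrep PRO output, and the new test pins that with `assertFalse(result.isCommercial())` on the PRO file. If the project treats Semgrep PRO as a commercial tool (it is the paid tier, as far as I can tell), a single constructor constant can no longer express both cases and the flag would need to be derived from the driver name at parse time (for instance when the name read from the SARIF ends in `PRO`), with the test expectation updated to match. If the intent is that both tiers score as non-commercial, a one-line comment on the `super(...)` call saying so, such as `// both Semgrep OSS and Semgrep PRO are scored as non-commercial here`, would stop the next reader from filing this as a bug.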
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SemgrepSarifReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SemgrepSarifReaderTest.java
index aed4b16..05a6866 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SemgrepSarifReaderTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SemgrepSarifReaderTest.java
@@ -31,23 +31,25 @@
class SemgrepSarifReaderTest extends ReaderTestBase {
- private ResultFile resultFile;
+ private ResultFile resultFileOSS, resultFilePRO;
@BeforeEach
void setUp() {
- resultFile = TestHelper.resultFileOf("testfiles/Benchmark_semgrep-v1.67.0.sarif");
+ resultFileOSS = TestHelper.resultFileOf("testfiles/Benchmark_semgrep-oss-v1.67.0.sarif");
+ resultFilePRO = TestHelper.resultFileOf("testfiles/Benchmark_semgrep-pro-v1.68.1.sarif");
BenchmarkScore.TESTCASENAME = "BenchmarkTest";
}
@Test
public void onlySemgrepSarifReaderReportsCanReadAsTrue() {
- assertOnlyMatcherClassIs(this.resultFile, SemgrepSarifReader.class);
+ assertOnlyMatcherClassIs(this.resultFileOSS, SemgrepSarifReader.class);
+ assertOnlyMatcherClassIs(this.resultFilePRO, SemgrepSarifReader.class);
}
@Test
- void readerHandlesGivenResultFile() throws Exception {
+ void readerHandlesSemgrepOSSResultFile() throws Exception {
SemgrepSarifReader reader = new SemgrepSarifReader();
- TestSuiteResults result = reader.parse(resultFile);
+ TestSuiteResults result = reader.parse(resultFileOSS);
assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
assertFalse(result.isCommercial());
@@ -59,4 +61,20 @@ void readerHandlesGivenResultFile() throws Exception {
assertEquals(CweNumber.COOKIE_WITHOUT_HTTPONLY, result.get(1).get(0).getCWE());
assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE());
}
+
+ @Test
+ void readerHandlesSemgrepPROResultFile() throws Exception {
+ SemgrepSarifReader reader = new SemgrepSarifReader();
+ TestSuiteResults result = reader.parse(resultFilePRO);
+
+ assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+ assertFalse(result.isCommercial());
+ assertEquals("Semgrep PRO", result.getToolName());
+ assertEquals("1.68.1", result.getToolVersion());
+
+ assertEquals(2, result.getTotalResults());
+
+ assertEquals(CweNumber.COOKIE_WITHOUT_HTTPONLY, result.get(1).get(0).getCWE());
+ assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE());
+ }
}
diff --git a/plugin/src/test/resources/testfiles/Benchmark_semgrep-v1.67.0.sarif b/plugin/src/test/resources/testfiles/Benchmark_semgrep-oss-v1.67.0.sarif
similarity index 100%
rename from plugin/src/test/resources/testfiles/Benchmark_semgrep-v1.67.0.sarif
rename to plugin/src/test/resources/testfiles/Benchmark_semgrep-oss-v1.67.0.sarif
diff --git a/plugin/src/test/resources/testfiles/Benchmark_semgrep-pro-v1.68.1.sarif b/plugin/src/test/resources/testfiles/Benchmark_semgrep-pro-v1.68.1.sarif
new file mode 100644
index 0000000..f5f547d
--- /dev/null
+++ b/plugin/src/test/resources/testfiles/Benchmark_semgrep-pro-v1.68.1.sarif
@@ -0,0 +1,131 @@
+{
+ "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
+ "runs": [
+ {
+ "results": [
+ {
+ "fingerprints": {
+ "matchBasedId/v1": "1"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "endColumn": 40,
+ "endLine": 42,
+ "snippet": {
+ "text": " response.addCookie(userCookie);"
+ },
+ "startColumn": 9,
+ "startLine": 42
+ }
+ }
+ }
+ ],
+ "message": {
+ "text": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"
+ },
+ "properties": {},
+ "ruleId": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly"
+ },
+ {
+ "fingerprints": {
+ "matchBasedId/v1": "1"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java",
+ "uriBaseId": "%SRCROOT%"
+ },
+ "region": {
+ "endColumn": 77,
+ "endLine": 73,
+ "snippet": {
+ "text": " response.getWriter()\n .println(\n \"Item: '\"\n + org.owasp.benchmark.helpers.Utils.encodeForHTML(param)\n + \"' with value: '10340' saved in session.\");"
+ },
+ "startColumn": 9,
+ "startLine": 69
+ }
+ }
+ }
+ ],
+ "message": {
+ "text": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views."
+ },
+ "properties": {},
+ "ruleId": "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer"
+ }
+ ],
+ "tool": {
+ "driver": {
+ "name": "Semgrep PRO",
+ "rules": [
+ {
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "fullDescription": {
+ "text": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"
+ },
+ "help": {
+ "markdown": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n",
+ "text": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
+ },
+ "helpUri": "https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
+ "id": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
+ "name": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
+ "properties": {
+ "precision": "very-high",
+ "tags": [
+ "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag",
+ "LOW CONFIDENCE",
+ "OWASP-A05:2021 - Security Misconfiguration",
+ "security"
+ ]
+ },
+ "shortDescription": {
+ "text": "Semgrep Finding: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly"
+ }
+ },
+ {
+ "defaultConfiguration": {
+ "level": "warning"
+ },
+ "fullDescription": {
+ "text": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views."
+ },
+ "help": {
+ "markdown": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n\n#### \ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer)\n - [https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html)\n",
+ "text": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n\ud83d\udc8e Enable cross-file analysis and Pro rules for free at sg.run/pro"
+ },
+ "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
+ "id": "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
+ "name": "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
+ "properties": {
+ "precision": "very-high",
+ "tags": [
+ "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "MEDIUM CONFIDENCE",
+ "OWASP-A03:2021 - Injection",
+ "OWASP-A07:2017 - Cross-Site Scripting (XSS)",
+ "security"
+ ]
+ },
+ "shortDescription": {
+ "text": "Semgrep Finding: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer"
+ }
+ }
+ ],
+ "semanticVersion": "1.68.1"
+ }
+ }
+ }
+ ],
+ "version": "2.1.0"
+}
\ No newline at end of file
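Review bot: Both results in this fixture carry the identical fingerprint value `"matchBasedId/v1": "1"`, which real Semgrep output would not produce since the id is a per-match hash; this looks like a hand-trimmed file. That is harmless for the current reader as far as the hunk shows, but if the SARIF parser ever deduplicates on fingerprints the two findings would collapse to one and the new test's `assertEquals(2, result.getTotalResults())` would fail for a reason unrelated to the reader logic. Giving the second result a distinct placeholder such as `"matchBasedId/v1": "2"` keeps the fixture representative at no cost.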