OWASP-Benchmark / BenchmarkUtils

OWASP Benchmark Project Utilities - Provides scorecard generation and crawling tools for Benchmark style test suites.
https://owasp.org/www-project-benchmark/
GNU General Public License v3.0

fix seeker reader #26

Closed hbarshak closed 2 years ago

hbarshak commented 2 years ago

make sure seeker reader is first, otherwise other readers might process seeker results and fail

darkspirit510 commented 2 years ago

The order should not matter for selecting the correct Reader. Which other readers try to read Seeker file?

hbarshak commented 2 years ago
new CheckmarxIASTReader()

is reading the seeker result file and fails...

see:

Analyzing results from synopsys-seeker-vulnerabilities_20220612210051_90afc46a-e3f8-4a19-b9a7-47b2fae1cfc1.csv
Error processing results/synopsys-seeker-vulnerabilities_20220612210051_90afc46a-e3f8-4a19-b9a7-47b2fae1cfc1.csv. Continuing.
java.lang.IllegalArgumentException: Mapping for Vulnerability Type not found, expected one of [Owner, ProjectKey, ItemKey, CheckerKey, VulnerabilityName, Severity, ticketUrls, URL, SourceName, SourceType, CodeLocation, StackTrace, VerificationTag, DetectionCount, FirstDetectionTime, LastDetectionTime, Status, OWASP2013, PCI-DSS, CWE-SANS, OWASP2017, GDPR, CAPEC, LastDetectionURL, SeekerServerLink, CustomTags, LatestVersion, LastDetectionHttpHeaders, LastDetectionHttpParams, Description, Remediation, Summary, VerificationProof, TriageEvents, Comments, CodeLocationType, OWASP2021]
        at org.apache.commons.csv.CSVRecord.get(CSVRecord.java:121)
        at org.owasp.benchmarkutils.score.parsers.CheckmarxIASTReader.parse(CheckmarxIASTReader.java:45)
        at org.owasp.benchmarkutils.score.BenchmarkScore.readActualResults(BenchmarkScore.java:860)
        at org.owasp.benchmarkutils.score.BenchmarkScore.process(BenchmarkScore.java:671)
        at org.owasp.benchmarkutils.score.BenchmarkScore.main(BenchmarkScore.java:565)
        at org.owasp.benchmarkutils.score.BenchmarkScore.execute(BenchmarkScore.java:307)
        at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:137)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:210)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:156)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:148)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
        at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:56)
        at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:305)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:192)
        at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:105)
        at org.apache.maven.cli.MavenCli.execute(MavenCli.java:957)
        at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:289)
        at org.apache.maven.cli.MavenCli.main(MavenCli.java:193)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
        at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
        at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)

darkspirit510 commented 2 years ago

Could you send me the csv file to github@darkspirit510.de? First few lines should be sufficient. I'd just prevent the CheckmarxIASTReader from detecting Seeker file instead.

hbarshak commented 2 years ago

here are the first 2 lines (columns + sample data):

Owner,ProjectKey,ItemKey,CheckerKey,VulnerabilityName,Severity,ticketUrls,URL,SourceName,SourceType,CodeLocation,StackTrace,VerificationTag,DetectionCount,FirstDetectionTime,LastDetectionTime,Status,OWASP2013,PCI-DSS,CWE-SANS,OWASP2017,GDPR,CAPEC,LastDetectionURL,SeekerServerLink,CustomTags,LatestVersion,LastDetectionHttpHeaders,LastDetectionHttpParams,Description,Remediation,Summary,VerificationProof,TriageEvents,Comments,CodeLocationType,OWASP2021
,owasp-benchmark,owasp-benchmark-1366,TRUST-BOUNDARY-VIOLATION,"Trust Boundary Violation",Informative,,"/benchmark/trustbound-00/BenchmarkTest01457",my_user_id,Parameter,"org.owasp.benchmark.testcode.BenchmarkTest01457.doPost():63",,Untagged,2,"2022-06-15 04:07:19 GMT","2022-06-15 04:08:31 GMT",Detected,,,"CWE-501: Trust Boundary Violation;CWE-1344: CWE View: Weaknesses in OWASP Top Ten (2021);CWE-1348: OWASP Top Ten 2021 Category A04:2021 - Insecure Design",,,,"/benchmark/trustbound-00/BenchmarkTest01457","http://server:8082/vulnerabilities/1356/detections/3071",,,,,,,,,,,"Customer code - direct calls","A04:2021 - Insecure Design"
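The underlying point of the thread is that reader selection should be decided by what is in the file, not by which reader happens to be tried first. The following is an added Python example, not BenchmarkUtils code (the project itself is Java and its reader API is not reproduced here). It embeds the two Seeker lines posted above verbatim, detects the Seeker format from its header columns, shows why a reader that requires a `Vulnerability Type` column (the column the stack trace shows CheckmarxIASTReader looking up) cannot claim that file, and extracts the Benchmark test case number and CWE ids from the row. The Checkmarx-like CSV is constructed: only the `Vulnerability Type` column name comes from the page, the other columns and the row are invented for illustration.

```python
import csv
import io
import re
from typing import Callable, Dict, Iterable, List

# Constructed input: header and data row exactly as posted in this PR thread.
SEEKER_CSV = """\
Owner,ProjectKey,ItemKey,CheckerKey,VulnerabilityName,Severity,ticketUrls,URL,SourceName,SourceType,CodeLocation,StackTrace,VerificationTag,DetectionCount,FirstDetectionTime,LastDetectionTime,Status,OWASP2013,PCI-DSS,CWE-SANS,OWASP2017,GDPR,CAPEC,LastDetectionURL,SeekerServerLink,CustomTags,LatestVersion,LastDetectionHttpHeaders,LastDetectionHttpParams,Description,Remediation,Summary,VerificationProof,TriageEvents,Comments,CodeLocationType,OWASP2021
,owasp-benchmark,owasp-benchmark-1366,TRUST-BOUNDARY-VIOLATION,"Trust Boundary Violation",Informative,,"/benchmark/trustbound-00/BenchmarkTest01457",my_user_id,Parameter,"org.owasp.benchmark.testcode.BenchmarkTest01457.doPost():63",,Untagged,2,"2022-06-15 04:07:19 GMT","2022-06-15 04:08:31 GMT",Detected,,,"CWE-501: Trust Boundary Violation;CWE-1344: CWE View: Weaknesses in OWASP Top Ten (2021);CWE-1348: OWASP Top Ten 2021 Category A04:2021 - Insecure Design",,,,"/benchmark/trustbound-00/BenchmarkTest01457","http://server:8082/vulnerabilities/1356/detections/3071",,,,,,,,,,,"Customer code - direct calls","A04:2021 - Insecure Design"
"""

# Constructed stand-in for a Checkmarx IAST export. Only the "Vulnerability Type"
# column name is taken from the stack trace in the thread; everything else is invented.
CHECKMARX_LIKE_CSV = """\
Vulnerability Type,URL,Severity
Trust Boundary Violation,/benchmark/trustbound-00/BenchmarkTest01457,Medium
"""


def header_columns(text: str) -> List[str]:
    """Column names from the first CSV line (empty list for empty input)."""
    first_line = text.splitlines()[0] if text.strip() else ""
    return next(csv.reader([first_line]), [])


def missing_columns(text: str, required: Iterable[str]) -> List[str]:
    """Required columns that the header does not provide (non-empty means 'cannot read')."""
    present = set(header_columns(text))
    return [col for col in required if col not in present]


def is_seeker(text: str) -> bool:
    # Columns that are specific to the Seeker export shown in the thread.
    return not missing_columns(text, ("SeekerServerLink", "CheckerKey", "CWE-SANS"))


def is_checkmarx_iast(text: str) -> bool:
    # The column CheckmarxIASTReader.parse() looked up when it failed on the Seeker file.
    return not missing_columns(text, ("Vulnerability Type",))


READERS: Dict[str, Callable[[str], bool]] = {
    "Seeker": is_seeker,
    "CheckmarxIAST": is_checkmarx_iast,
}


def select_reader(text: str, order: Iterable[str] = tuple(READERS)) -> str:
    """Pick the single reader whose header check accepts the file.

    Every reader is consulted, so the result does not depend on `order`; a file that
    zero or several readers claim is an error rather than a silent first match.
    """
    matches = [name for name in order if READERS[name](text)]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one reader to claim the file, got {matches}")
    return matches[0]


TEST_CASE_RE = re.compile(r"BenchmarkTest(\d+)")
CWE_RE = re.compile(r"CWE-(\d+):")


def parse_seeker(text: str) -> List[dict]:
    """Map Seeker rows to Benchmark test numbers plus the CWE ids Seeker assigned."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        match = TEST_CASE_RE.search(row["URL"])
        if not match:
            continue  # not a Benchmark test case URL
        findings.append({
            "test_number": int(match.group(1)),
            "checker": row["CheckerKey"],
            "severity": row["Severity"],
            "cwes": [int(c) for c in CWE_RE.findall(row["CWE-SANS"])],
        })
    return findings


if __name__ == "__main__":
    for sample in (SEEKER_CSV, CHECKMARX_LIKE_CSV):
        print(select_reader(sample), select_reader(sample, order=("CheckmarxIAST", "Seeker")))
    print(missing_columns(SEEKER_CSV, ("Vulnerability Type",)))
    print(parse_seeker(SEEKER_CSV))
```

Because every reader's header check runs and exactly one must accept, reordering the reader list (the approach the PR originally took) changes nothing, while a reader whose required column is absent is rejected before it ever indexes a row.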
davewichers commented 2 years ago

Given the change that @darkspirit510 made that I just accepted, is your suggested change required anymore?

hbarshak commented 2 years ago

nope.. seems like the fix is good enough... closing