| 1 | +/** |
| 2 | + * OWASP Benchmark Project |
| 3 | + * |
| 4 | + * This file is part of the Open Web Application Security Project (OWASP) |
| 5 | + * Benchmark Project For details, please see |
| 6 | + * <a href="https://www.owasp.org/index.php/Benchmark">https://www.owasp.org/index.php/Benchmark</a>. |
| 7 | + * |
| 8 | + * The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms |
| 9 | + * of the GNU General Public License as published by the Free Software Foundation, version 2. |
| 10 | + * |
| 11 | + * The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without |
| 12 | + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 13 | + * GNU General Public License for more details |
| 14 | + * |
| 15 | + * @author Dave Wichers <a href="https://www.aspectsecurity.com">Aspect Security</a> |
| 16 | + * @created 2015 |
| 17 | + */ |
| 18 | + |
| 19 | +package org.owasp.benchmark.score.parsers; |
| 20 | + |
| 21 | +import java.io.File; |
| 22 | +import java.io.FileInputStream; |
| 23 | +import java.util.List; |
| 24 | + |
| 25 | +import org.apache.commons.io.IOUtils; |
| 26 | + |
| 27 | +public class SourceMeterReader extends Reader { |
| 28 | + |
| 29 | + |
| 30 | + // Possible Cross-site Scripting Vulnerability: |
| 31 | + // Source: String getValue() |
| 32 | + // Sink: void println(String arg0) |
| 33 | + // Trace: |
| 34 | + // /home/istvan/owasp/ellenorzes/benchmark/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java(81):(81,30,81,51)[0] |
| 35 | + // /home/istvan/owasp/ellenorzes/benchmark/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java(80):(80,33,81,51)[0] |
| 36 | + // /home/istvan/owasp/ellenorzes/benchmark/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java(80):(80,33,81,61)[0] |
| 37 | + // /home/istvan/owasp/ellenorzes/benchmark/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java(80):(80,4,81,62)[0] |
| 38 | + |
| 39 | + public TestResults parse(File fileToParse) throws Exception { |
| 40 | + TestResults tr = new TestResults("SourceMeter VulnerabilityHunter", true, TestResults.ToolType.SAST); |
| 41 | + |
| 42 | + List<String> sourceLines = IOUtils.readLines(new FileInputStream(fileToParse)); |
| 43 | + |
| 44 | + String vuln = null; |
| 45 | + String file = null; |
| 46 | + boolean nextLine = false; |
| 47 | + for (String line : sourceLines) { |
| 48 | + try { |
| 49 | + if (line.length() == 0) { |
| 50 | + vuln = null; |
| 51 | + file = null; |
| 52 | + nextLine = false; |
| 53 | + } |
| 54 | + if (line.startsWith("Possible ")) { |
| 55 | + System.out.println("\t" + line); |
| 56 | + vuln = line.substring("Possible ".length()); |
| 57 | + vuln = vuln.substring(0, vuln.length() - " Vulnerability:".length() ); |
| 58 | + } else if (line.startsWith("Trace:")) { |
| 59 | + nextLine = true; |
| 60 | + } else if (nextLine) { |
| 61 | + int idx = line.indexOf(".java"); |
| 62 | + file = line.substring(0, idx); |
| 63 | + TestCaseResult tcr = parseSourceMeterItem(vuln, file); |
| 64 | + tr.put(tcr); |
| 65 | + //System.out.println(tcr.getNumber() + ", " + tcr.getCWE() + ", " + tcr.getEvidence()); |
| 66 | + nextLine = false; |
| 67 | + } |
| 68 | + } catch (Exception e) { |
| 69 | + e.printStackTrace(); |
| 70 | + } |
| 71 | + } |
| 72 | + return tr; |
| 73 | + } |
| 74 | + |
| 75 | + private TestCaseResult parseSourceMeterItem(String vuln, String file) throws Exception { |
| 76 | + TestCaseResult tcr = new TestCaseResult(); |
| 77 | + |
| 78 | + tcr.setCategory(vuln); |
| 79 | + tcr.setEvidence(file); |
| 80 | + tcr.setCWE(cweLookup(vuln)); |
| 81 | + |
| 82 | + String testno = file.substring(file.length() - 5); // extract test number |
| 83 | + try { |
| 84 | + tcr.setNumber(Integer.parseInt(testno)); |
| 85 | + return tcr; |
| 86 | + } catch (NumberFormatException e) { |
| 87 | + System.out.println("> Parse error " + file + ":: " + testno); |
| 88 | + } |
| 89 | + |
| 90 | + return null; |
| 91 | + } |
| 92 | + |
| 93 | + private static int cweLookup(String vuln) { |
| 94 | + switch (vuln) { |
| 95 | +// case "insecure-cookie": |
| 96 | +// return 614; // insecure cookie use |
| 97 | + case "SQL Injection": |
| 98 | + return 89; // sql injection |
| 99 | + case "Command Injection": |
| 100 | + return 78; // command injection |
| 101 | + case "LDAP Injection": |
| 102 | + return 90; // ldap injection |
| 103 | + case "HTTP Response Splitting": |
| 104 | + return 113; // header injection |
| 105 | +// case "hql-injection": |
| 106 | +// return 0000; // hql injection |
| 107 | +// case "unsafe-readline": |
| 108 | +// return 0000; // unsafe readline |
| 109 | +// case "reflection-injection": |
| 110 | +// return 0000; // reflection injection |
| 111 | + case "Cross-site Scripting": |
| 112 | + return 79; // xss |
| 113 | +// case "xpath-injection": |
| 114 | +// return 643; // xpath injection |
| 115 | + case "Path Traversal": |
| 116 | + return 22; // path traversal |
| 117 | +// case "crypto-bad-mac": |
| 118 | +// return 328; // weak hash |
| 119 | +// case "crypto-weak-randomness": |
| 120 | +// return 330; // weak random |
| 121 | +// case "crypto-bad-ciphers": |
| 122 | +// return 327; // weak encryption |
| 123 | +// case "trust-boundary-violation": |
| 124 | +// return 501; // trust boundary |
| 125 | +// case "xxe": |
| 126 | +// return 611; // xml entity |
| 127 | + } |
| 128 | + return 0; |
| 129 | + } |
| 130 | + |
| 131 | +} |
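Review bot: The `FileInputStream` opened on the `IOUtils.readLines(...)` line in `parse` is never closed and the single-argument `readLines` decodes with the platform default charset, so the report file leaks a descriptor per parse and may be misread on a non-UTF-8 locale; a one-line replacement that fixes both is `List<String> sourceLines = Files.readAllLines(fileToParse.toPath(), StandardCharsets.UTF_8);` with `java.nio.file.Files` and `java.nio.charset.StandardCharsets` added to the imports (the `FileInputStream` and `IOUtils` imports then become unused). Further down, `parseSourceMeterItem` returns `null` when the trailing five characters are not a number, and the caller passes that straight into `tr.put(tcr)`; whether `TestResults.put` tolerates a null entry is not visible in this file, so guarding it with `if (tcr != null) { tr.put(tcr); }` would be the safe choice. The per-line `catch (Exception e) { e.printStackTrace(); }` also absorbs the `StringIndexOutOfBoundsException` raised when `line.indexOf(".java")` returns -1 and the `NullPointerException` from `cweLookup(null)` when a trace is seen before any "Possible" line, which makes malformed input show up only as stack traces rather than as a skipped-line count; a comment stating that per-line failures are intentionally best-effort, or an explicit `if (idx < 0) { nextLine = false; continue; }` before the substring, would make that intent clear.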