Merge branch 'main' into generalizeScoring and resolve merge conflicts

Author: davewichers

plugin/pom.xml

@@ -47,7 +47,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>33.4.6-jre</version>
+            <version>33.4.8-jre</version>
         </dependency>
 
         <dependency>
@@ -65,7 +65,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.18.0</version>
+            <version>2.19.0</version>
         </dependency>
 
         <dependency>
@@ -89,7 +89,7 @@
         <dependency>
             <groupId>org.apache.httpcomponents.client5</groupId>
             <artifactId>httpclient5</artifactId>
-            <version>5.4.3</version>
+            <version>5.5</version>
         </dependency>
 
         <dependency>
@@ -128,13 +128,13 @@
         <dependency>
             <groupId>org.jfree</groupId>
             <artifactId>jfreechart</artifactId>
-            <version>1.5.5</version>
+            <version>1.5.6</version>
         </dependency>
 
         <dependency>
             <groupId>org.json</groupId>
             <artifactId>json</artifactId>
-            <version>20250107</version>
+            <version>20250517</version>
         </dependency>
 
         <dependency>
@@ -192,10 +192,10 @@
     </build>
 
     <properties>
-        <version.fasterxml.jackson>2.18.3</version.fasterxml.jackson>
+        <version.fasterxml.jackson>2.19.0</version.fasterxml.jackson>
         <!-- 3.0.3+ version of eclipse.persistence requires jakarta.xml.bind instead of jaxb -->
         <version.eclipse.persistence>2.7.15</version.eclipse.persistence>
-        <version.junit.jupiter>5.12.1</version.junit.jupiter>
+        <version.junit.jupiter>5.12.2</version.junit.jupiter>
     </properties>
 
 </project>

plugin/src/main/java/org/owasp/benchmarkutils/score/ResultFile.java

@@ -147,7 +147,8 @@ private static CSVParser csvRecords(String content) {
                     .setHeader()
                     .setSkipHeaderRecord(false)
                     .setIgnoreEmptyLines(false)
-                    .build()
+                    .setTrim(true) // trim leading/trailing blanks in column values
+                    .get()
                     .parse(new StringReader(content));
         } catch (IOException e) {
             throw new RuntimeException(e);

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KlocworkCSVReader.java

@@ -56,7 +56,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
         String header = inReader.readLine();
         CSVFormat.Builder CSVBuilder = CSVFormat.Builder.create(CSVFormat.RFC4180);
         CSVBuilder.setHeader(header.split(","));
-        Iterable<CSVRecord> records = CSVBuilder.build().parse(inReader);
+        Iterable<CSVRecord> records = CSVBuilder.get().parse(inReader);
 
         for (CSVRecord record : records) {
             String category = record.get("Code"); // e.g., RLK.SQLOBJ

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java

@@ -28,6 +28,7 @@
 import org.owasp.benchmarkutils.score.BenchmarkScore;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
+import org.owasp.benchmarkutils.score.parsers.csv.SemgrepCSVReader;
 import org.owasp.benchmarkutils.score.parsers.csv.WhiteHatDynamicReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeSonarReader;
@@ -103,6 +104,7 @@ public static List<Reader> allReaders() {
                 new ScnrReader(),
                 new SeekerReader(),
                 new SemgrepReader(),
+                new SemgrepCSVReader(),
                 new SemgrepSarifReader(),
                 new ShiftLeftReader(),
                 new ShiftLeftScanReader(),

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/ReshiftReader.java

@@ -103,7 +103,7 @@ public TestSuiteResults parse(ResultFile resultFile) throws Exception {
 
         CSVFormat.Builder CSVBuilder = CSVFormat.Builder.create(CSVFormat.RFC4180);
         CSVBuilder.setHeader(header.split(","));
-        Iterable<CSVRecord> records = CSVBuilder.build().parse(inReader);
+        Iterable<CSVRecord> records = CSVBuilder.get().parse(inReader);
 
         for (CSVRecord record : records) {
             String url = record.get("Issue-File");

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/csv/SemgrepCSVReader.java

@@ -0,0 +1,197 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details
+ *
+ * @author Dave Wichers
+ * @created 2025
+ */
+package org.owasp.benchmarkutils.score.parsers.csv;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.commons.csv.CSVParser;
+import org.apache.commons.csv.CSVRecord;
+import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestCaseResult;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
+import org.owasp.benchmarkutils.score.parsers.Reader;
+
+/**
+ * Reader for <a href="https://semgrep.dev/orgs/YOUR_org/findings">SemGrep</a> results downloaded
+ * via: "Download findings as CSV" button, next to Sort menu.
+ */
+public class SemgrepCSVReader extends Reader {
+
+    private final Map<String, Integer> categoryMappings = new HashMap<>();
+
+    // Mapping/explanation of SemGrep rules can be found here, for example:
+    // https://semgrep.dev/r?q=java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request
+    public SemgrepCSVReader() {
+        categoryMappings.put(
+                "java.lang.security.audit.active-debug-code-printstacktrace.active-debug-code-printstacktrace",
+                209); // CWE-209: Generation of Error Message Containing Sensitive Information
+        categoryMappings.put(
+                "java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
+                CweNumber.COMMAND_INJECTION);
+        categoryMappings.put(
+                "java.lang.security.audit.command-injection-process-builder.command-injection-process-builder",
+                CweNumber.COMMAND_INJECTION);
+        categoryMappings.put(
+                "java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request",
+                CweNumber.COMMAND_INJECTION);
+        categoryMappings.put(
+                "java.servlets.security.tainted-cmd-from-http-request-deepsemgrep.tainted-cmd-from-http-request-deepsemgrep",
+                CweNumber.COMMAND_INJECTION);
+        categoryMappings.put(
+                "python.django.security.django-no-csrf-token.django-no-csrf-token", CweNumber.CSRF);
+        categoryMappings.put(
+                "java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal",
+                CweNumber.PATH_TRAVERSAL);
+        categoryMappings.put(
+                "java.servlets.security.httpservlet-path-traversal-deepsemgrep.httpservlet-path-traversal-deepsemgrep",
+                CweNumber.PATH_TRAVERSAL);
+        categoryMappings.put(
+                "java.servlets.security.httpservlet-path-traversal.httpservlet-path-traversal",
+                CweNumber.PATH_TRAVERSAL);
+        categoryMappings.put(
+                "java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
+                CweNumber.LDAP_INJECTION);
+        categoryMappings.put(
+                "java.servlets.security.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request",
+                CweNumber.LDAP_INJECTION);
+        categoryMappings.put(
+                "java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep",
+                CweNumber.LDAP_INJECTION);
+        categoryMappings.put(
+                "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli", CweNumber.SQL_INJECTION);
+        categoryMappings.put(
+                "java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request",
+                CweNumber.SQL_INJECTION);
+        categoryMappings.put(
+                "java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request",
+                CweNumber.TRUST_BOUNDARY_VIOLATION);
+        categoryMappings.put(
+                "java.servlets.security.tainted-session-from-http-request.tainted-session-from-http-request",
+                CweNumber.TRUST_BOUNDARY_VIOLATION);
+        categoryMappings.put(
+                "java.servlets.security.tainted-session-from-http-request-deepsemgrep.tainted-session-from-http-request-deepsemgrep",
+                CweNumber.TRUST_BOUNDARY_VIOLATION);
+        categoryMappings.put(
+                "java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
+                CweNumber.XPATH_INJECTION);
+        categoryMappings.put(
+                "java.servlets.security.tainted-xpath-from-http-request.tainted-xpath-from-http-request",
+                CweNumber.XPATH_INJECTION);
+        categoryMappings.put(
+                "java.servlets.security.tainted-xpath-from-http-request-deepsemgrep.tainted-xpath-from-http-request-deepsemgrep",
+                CweNumber.XPATH_INJECTION);
+        categoryMappings.put(
+                "java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer",
+                CweNumber.XSS);
+        categoryMappings.put(
+                "java.servlets.security.servletresponse-writer-xss.servletresponse-writer-xss",
+                CweNumber.XSS);
+        categoryMappings.put(
+                "java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep",
+                CweNumber.XSS);
+        categoryMappings.put(
+                "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly",
+                CweNumber.COOKIE_WITHOUT_HTTPONLY);
+        categoryMappings.put(
+                "java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly",
+                CweNumber.COOKIE_WITHOUT_HTTPONLY);
+        categoryMappings.put(
+                "java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag",
+                CweNumber.INSECURE_COOKIE);
+        categoryMappings.put(
+                "java.servlets.security.audit.cookie-secure-flag-false.cookie-secure-flag-false",
+                CweNumber.INSECURE_COOKIE);
+        categoryMappings.put(
+                "java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite",
+                1275); //  CWE-1275: Sensitive Cookie with Improper SameSite Attribute
+        categoryMappings.put(
+                "java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated",
+                CweNumber.WEAK_CRYPTO_ALGO);
+        categoryMappings.put(
+                "java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated",
+                CweNumber.WEAK_CRYPTO_ALGO);
+        categoryMappings.put(
+                "java.lang.security.audit.crypto.use-of-md5.use-of-md5", CweNumber.WEAK_HASH_ALGO);
+        categoryMappings.put(
+                "java.lang.security.audit.crypto.use-of-sha1.use-of-sha1",
+                CweNumber.WEAK_HASH_ALGO);
+        categoryMappings.put(
+                "java.lang.security.audit.crypto.weak-random.weak-random", CweNumber.WEAK_RANDOM);
+    }
+
+    @Override
+    public boolean canRead(ResultFile resultFile) {
+        return resultFile.filename().endsWith(".csv")
+                && resultFile.line(0).contains("Semgrep Platform Link");
+    }
+
+    @Override
+    public TestSuiteResults parse(ResultFile resultFile) throws Exception {
+        TestSuiteResults tr =
+                new TestSuiteResults("Semgrep", false, TestSuiteResults.ToolType.SAST);
+
+        try (CSVParser records = resultFile.csvRecordsSkipFirstRows(headerRow(resultFile))) {
+            records.stream()
+                    .filter(SemgrepCSVReader::isRelevant)
+                    .forEach(r -> tr.put(toTestCaseResult(r)));
+        }
+
+        return tr;
+    }
+
+    private int headerRow(ResultFile resultFile) {
+        List<String> rows = resultFile.contentAsRows();
+
+        for (int i = 0; i < rows.size(); i++) {
+            if (rows.get(i).startsWith("Id")) {
+                return i;
+            }
+        }
+
+        throw new RuntimeException("No header row found");
+    }
+
+    private static boolean isRelevant(CSVRecord r) {
+        return extractFilenameWithoutEnding(r.get("Line Of Code Url"))
+                .startsWith(BenchmarkScore.TESTCASENAME);
+    }
+
+    private TestCaseResult toTestCaseResult(CSVRecord record) {
+        String filename = record.get("Line Of Code Url");
+        String category = record.get("Rule Name");
+
+        TestCaseResult tcr = new TestCaseResult();
+        tcr.setActualResultTestID(filename);
+        tcr.setCWE(cweLookup(category));
+
+        return tcr;
+    }
+
+    private int cweLookup(String category) {
+        if (categoryMappings.containsKey(category)) {
+            return categoryMappings.get(category);
+        }
+
+        System.out.println(
+                "WARNING: SemGrep CSV results file contained unmapped category: " + category);
+        return CweNumber.DONTCARE;
+    }
+}

plugin/src/main/java/org/owasp/benchmarkutils/score/service/ExpectedResultsProvider.java

@@ -34,16 +34,17 @@
 
 public class ExpectedResultsProvider {
 
-    private static final String PREFIX = " version: ";
+    // The following are column titles or elements in the expected results file
+    public static final String PREFIX = " version: ";
 
-    private static final String TEST_NAME = "# test name";
-    // private static final String CATEGORY = " category";
-    private static final String REAL_VULNERABILITY = " real vulnerability";
-    private static final String CWE = " cwe";
+    public static final String TEST_NAME = "# test name";
+    public static final String CATEGORY = "category";
+    public static final String REAL_VULNERABILITY = "real vulnerability";
+    public static final String CWE = "cwe";
 
-    private static final String SOURCE = " source";
-    private static final String DATA_FLOW = " data flow";
-    private static final String SINK = " sink";
+    public static final String SOURCE = "source";
+    public static final String DATA_FLOW = "data flow";
+    public static final String SINK = "sink";
 
     private static boolean standardBenchmarkStyleScoring;
     private static TestSuiteResults expectedResults;
@@ -65,11 +66,14 @@ public static TestSuiteResults parse(ResultFile resultFile) throws IOException {
             for (CSVRecord record : allExpectedResults) {
                 TestCaseResult tcr = new TestCaseResult();
 
-                String testCaseFileName = record.get(TEST_NAME).trim();
+                String testCaseFileName = record.get(TEST_NAME);
                 tcr.setTestCaseName(testCaseFileName);
-                tcr.setTruePositive(parseBoolean(record.get(REAL_VULNERABILITY).trim()));
-                int cwe = parseInt(record.get(CWE).trim());
+                //                tcr.setCategory(record.get(CATEGORY));
+                tcr.setTruePositive(parseBoolean(record.get(REAL_VULNERABILITY)));
+                int cwe = parseInt(record.get(CWE));
                 tcr.setCWE(cwe);
+                //                tcr.setNumber(testNumber(record.get(TEST_NAME), testCaseName));
+
                 if (TestCaseResult.UNMAPPED_CATEGORY.equals(tcr.getCategory())) {
                     System.out.println(
                             "FATAL ERROR: CWE metadata missing for CWE: "

plugin/src/main/java/org/owasp/benchmarkutils/tools/CalculateToolCodeBlocksSupport.java

@@ -45,6 +45,7 @@
 import org.owasp.benchmarkutils.score.TestCaseResult;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
 import org.owasp.benchmarkutils.score.TestSuiteResults.ToolType;
+import org.owasp.benchmarkutils.score.service.ExpectedResultsProvider;
 import org.w3c.dom.Element;
 
 @Mojo(
@@ -237,12 +238,13 @@ protected void run() {
                 TestCaseResult theResult = new TestCaseResult(theTestcases.get(i));
 
                 // Get whether this test case is a true or false positive and set that
-                String truePositive = records.get(i).get(" real vulnerability").trim();
+                String truePositive =
+                        records.get(i).get(ExpectedResultsProvider.REAL_VULNERABILITY);
                 theResult.setTruePositive(Boolean.parseBoolean(truePositive));
 
                 // Get whether the tool passed/failed this test case and set that result
-                String passFail = records.get(i).get(" pass/fail").trim();
-                theResult.setPassed("pass".equals(passFail));
+                String passFail = records.get(i).get("pass/fail");
+                theResult.setPassed(passFail.equals("pass"));
 
                 // While we are spinning through all the test cases, populate the lists of the
                 // sources, dataflows, and sinks.
@@ -338,7 +340,7 @@ protected void run() {
                                             + sinkCodeBlockFilename.replace(".code", ".xml"));
                     if (sinkMetaDataFile.exists()) {
                         // For sinks, we also add the vuln category to the CodeBlockSupportResults
-                        String vulnCategory = records.get(i).get(" category").trim();
+                        String vulnCategory = records.get(i).get(ExpectedResultsProvider.CATEGORY);
 
                         Element emetadata =
                                 CodeblockUtils.getSinkElementFromXMLFile(sinkMetaDataFile);