extract commercial averages table to separate class (#78)

Author: darkspirit510

plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java

@@ -29,7 +29,6 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.SecureRandom;
-import java.text.DecimalFormat;
 import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.HashMap;
@@ -54,6 +53,7 @@
 import org.owasp.benchmarkutils.score.report.ScatterHome;
 import org.owasp.benchmarkutils.score.report.ScatterInterpretation;
 import org.owasp.benchmarkutils.score.report.ScatterVulns;
+import org.owasp.benchmarkutils.score.report.html.CommercialAveragesTable;
 import org.owasp.benchmarkutils.score.report.html.OverallStatsTable;
 import org.owasp.benchmarkutils.score.report.html.ToolScorecard;
 import org.owasp.benchmarkutils.score.report.html.VulnerabilityStatsTable;
@@ -265,7 +265,6 @@ public static void main(String[] args) {
         // Steps 4 & 5: Read the expected results so we know what each tool 'should do' and each
         // tool's results file. a) is for 'mixed' mode, and b) is for normal mode
         try {
-
             if (config.mixedMode) {
 
                 if (!resultsFileOrDir.isDirectory()) {
@@ -581,8 +580,6 @@ private static void process(
                 ToolResults metrics = calculateMetrics(scores);
                 metrics.setScanTime(rawToolResults.getTime());
 
-                // This has the side effect of also generating the tool's report in the
-                // scoreCardDir.
                 Tool tool =
                         new Tool(
                                 rawToolResults,
@@ -983,13 +980,7 @@ private static String produceResultsFile(TestSuiteResults actual, File scoreCard
      */
     private static void generateVulnerabilityScorecards(
             Set<Tool> tools, Set<String> catSet, File scoreCardDir) {
-        StringBuilder htmlForCommercialAverages = null;
-
-        int commercialToolTotal = 0;
-        int numberOfVulnCategories = 0;
-        int commercialLowTotal = 0;
-        int commercialAveTotal = 0;
-        int commercialHighTotal = 0;
+        CommercialAveragesTable commercialAveragesTable = new CommercialAveragesTable();
 
         // A side effect of this method is to calculate these averages
         averageCommercialToolResults = new HashMap<String, CategoryResults>();
@@ -1003,7 +994,6 @@ private static void generateVulnerabilityScorecards(
 
         for (String cat : catSet) {
             try {
-
                 // Generate a comparison chart for all tools for this vuln category. When
                 // constructed, scatter contains the Overall, Non-commercial, and Commercial stats
                 // for this category across all tools.
@@ -1065,88 +1055,22 @@ private static void generateVulnerabilityScorecards(
 
                 Files.write(htmlFile.toPath(), html.getBytes());
 
-                // Now build up the commercial stats scorecard if there are at 2+ commercial tools
+                // Only build commercial stats scorecard if there are at 2+ commercial tools
                 if (scatter.getCommercialToolCount() > 1) {
-                    if (htmlForCommercialAverages == null) {
-                        commercialToolTotal = scatter.getCommercialToolCount();
-                        htmlForCommercialAverages = new StringBuilder();
-                        htmlForCommercialAverages.append("<table class=\"table\">\n");
-                        htmlForCommercialAverages.append("<tr>");
-                        htmlForCommercialAverages.append("<th>Vulnerability Category</th>");
-                        htmlForCommercialAverages.append("<th>Low Tool Type</th>");
-                        htmlForCommercialAverages.append("<th>Low Score</th>");
-                        htmlForCommercialAverages.append("<th>Ave Score</th>");
-                        htmlForCommercialAverages.append("<th>High Score</th>");
-                        htmlForCommercialAverages.append("<th>High Tool Type</th>");
-                        htmlForCommercialAverages.append("</tr>\n");
-                    } // if 1st time through
-
-                    numberOfVulnCategories++;
-
-                    String style = "";
-                    htmlForCommercialAverages.append("<tr>");
-                    htmlForCommercialAverages.append("<td>" + cat + "</td>");
-                    htmlForCommercialAverages.append(
-                            "<td>" + scatter.getCommercialLowToolType() + "</td>");
-                    if (scatter.getCommercialLow() <= 10) style = "class=\"danger\"";
-                    else if (scatter.getCommercialLow() >= 50) style = "class=\"success\"";
-                    htmlForCommercialAverages.append(
-                            "<td " + style + ">" + scatter.getCommercialLow() + "</td>");
-                    commercialLowTotal += scatter.getCommercialLow();
-                    htmlForCommercialAverages.append("<td>" + scatter.getCommercialAve() + "</td>");
-                    commercialAveTotal += scatter.getCommercialAve();
-                    if (scatter.getCommercialHigh() <= 10) style = "class=\"danger\"";
-                    else if (scatter.getCommercialHigh() >= 50) style = "class=\"success\"";
-                    htmlForCommercialAverages.append(
-                            "<td " + style + ">" + scatter.getCommercialHigh() + "</td>");
-                    commercialHighTotal += scatter.getCommercialHigh();
-                    htmlForCommercialAverages.append(
-                            "<td>" + scatter.getCommercialHighToolType() + "</td>");
-                    htmlForCommercialAverages.append("</tr>\n");
-                } // if more than 1 commercial tool
+                    commercialAveragesTable.add(scatter);
+                }
 
             } catch (IOException e) {
                 System.out.println("Error generating vulnerability summaries: " + e.getMessage());
                 e.printStackTrace();
             }
         } // end for loop
 
-        // if we computed a commercial average, then add the last row to the table AND create the
-        // file and write the HTML to it.
-        if (htmlForCommercialAverages != null) {
-
-            htmlForCommercialAverages.append("<tr>");
-            htmlForCommercialAverages.append(
-                    "<td>Average across all categories for " + commercialToolTotal + " tools</td>");
-            htmlForCommercialAverages.append("<td></td>");
-            htmlForCommercialAverages.append(
-                    "<td>"
-                            + new DecimalFormat("0.0")
-                                    .format(
-                                            (float) commercialLowTotal
-                                                    / (float) numberOfVulnCategories)
-                            + "</td>");
-            htmlForCommercialAverages.append(
-                    "<td>"
-                            + new DecimalFormat("0.0")
-                                    .format(
-                                            (float) commercialAveTotal
-                                                    / (float) numberOfVulnCategories)
-                            + "</td>");
-            htmlForCommercialAverages.append(
-                    "<td>"
-                            + new DecimalFormat("0.0")
-                                    .format(
-                                            (float) commercialHighTotal
-                                                    / (float) numberOfVulnCategories)
-                            + "</td>");
-            htmlForCommercialAverages.append("<td></td>");
-            htmlForCommercialAverages.append("</tr>\n");
-            htmlForCommercialAverages.append("</table>\n");
-
+        if (commercialAveragesTable.hasEntries()) {
             try {
                 commercialAveScorecardFilename =
                         TESTSUITE + "_v" + TESTSUITEVERSION + "_Scorecard_for_Commercial_Tools";
+
                 Path htmlfile =
                         Paths.get(
                                 scoreCardDir.getAbsolutePath()
@@ -1164,8 +1088,7 @@ private static void generateVulnerabilityScorecards(
                 html = html.replace("${version}", TESTSUITEVERSION);
                 html = html.replace("${projectlink}", BenchmarkScore.PROJECTLINKENTRY);
 
-                String table = htmlForCommercialAverages.toString();
-                html = html.replace("${table}", table);
+                html = html.replace("${table}", commercialAveragesTable.render());
                 html = html.replace("${tprlabel}", config.tprLabel);
                 html =
                         html.replace(

plugin/src/main/java/org/owasp/benchmarkutils/score/report/Formats.java

@@ -22,5 +22,7 @@
 public class Formats {
 
     public static final DecimalFormat twoDecimalPlacesPercentage = new DecimalFormat("#0.00%");
+
+    public static final DecimalFormat singleDecimalPlaceNumber = new DecimalFormat("0.0");
     public static final DecimalFormat fourDecimalPlacesNumber = new DecimalFormat("#0.0000");
 }

plugin/src/main/java/org/owasp/benchmarkutils/score/report/html/CommercialAveragesTable.java

@@ -0,0 +1,124 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Sascha Knoop
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.report.html;
+
+import static org.owasp.benchmarkutils.score.report.Formats.singleDecimalPlaceNumber;
+
+import java.util.ArrayList;
+import java.util.List;
+import org.owasp.benchmarkutils.score.report.ScatterVulns;
+
+public class CommercialAveragesTable {
+
+    private final List<ScatterVulns> entries = new ArrayList<>();
+
+    public void add(ScatterVulns scatter) {
+        entries.add(scatter);
+    }
+
+    public String render() {
+        HtmlStringBuilder htmlBuilder = new HtmlStringBuilder();
+
+        htmlBuilder.beginTable("table");
+
+        addHeaderTo(htmlBuilder);
+
+        entries.forEach(scatter -> appendRowTo(htmlBuilder, scatter));
+
+        addFooterTo(htmlBuilder);
+
+        htmlBuilder.endTable();
+
+        return htmlBuilder.toString();
+    }
+
+    private int commercialToolTotal() {
+        return entries.get(0).getCommercialToolCount();
+    }
+
+    private void addHeaderTo(HtmlStringBuilder htmlBuilder) {
+        htmlBuilder.beginTr();
+        htmlBuilder.th("Vulnerability Category");
+        htmlBuilder.th("Low Tool Type");
+        htmlBuilder.th("Low Score");
+        htmlBuilder.th("Ave Score");
+        htmlBuilder.th("High Score");
+        htmlBuilder.th("High Tool Type");
+        htmlBuilder.endTr();
+    }
+
+    private void appendRowTo(HtmlStringBuilder htmlBuilder, ScatterVulns scatter) {
+        htmlBuilder.beginTr();
+        htmlBuilder.td(scatter.CATEGORY);
+        htmlBuilder.td(scatter.getCommercialLowToolType() + "");
+
+        htmlBuilder.td(scatter.getCommercialLow(), cssClassFor(scatter.getCommercialLow()));
+        htmlBuilder.td(scatter.getCommercialAve());
+
+        htmlBuilder.td(scatter.getCommercialHigh(), cssClassFor(scatter.getCommercialHigh()));
+        htmlBuilder.td(scatter.getCommercialHighToolType() + "");
+        htmlBuilder.endTr();
+    }
+
+    private static String cssClassFor(int commercialLow) {
+        String cssClass = null;
+
+        if (commercialLow <= 10) {
+            cssClass = "danger";
+        } else if (commercialLow >= 50) {
+            cssClass = "success";
+        }
+
+        return cssClass;
+    }
+
+    private void addFooterTo(HtmlStringBuilder htmlBuilder) {
+        htmlBuilder.beginTr();
+        htmlBuilder.td("Average across all categories for " + commercialToolTotal() + " tools");
+        htmlBuilder.td("");
+        htmlBuilder.td(
+                singleDecimalPlaceNumber.format(
+                        (float) commercialLowTotal() / (float) entries.size()));
+        htmlBuilder.td(
+                singleDecimalPlaceNumber.format(
+                        (float) commercialAveTotal() / (float) entries.size()));
+        htmlBuilder.td(
+                singleDecimalPlaceNumber.format(
+                        (float) commercialHighTotal() / (float) entries.size()));
+        htmlBuilder.td("");
+        htmlBuilder.endTr();
+    }
+
+    // formattedRatio
+
+    private int commercialHighTotal() {
+        return entries.stream().mapToInt(ScatterVulns::getCommercialHigh).sum();
+    }
+
+    private int commercialAveTotal() {
+        return entries.stream().mapToInt(ScatterVulns::getCommercialAve).sum();
+    }
+
+    private int commercialLowTotal() {
+        return entries.stream().mapToInt(ScatterVulns::getCommercialLow).sum();
+    }
+
+    public boolean hasEntries() {
+        return !entries.isEmpty();
+    }
+}

plugin/src/main/java/org/owasp/benchmarkutils/score/report/html/HtmlStringBuilder.java

@@ -99,6 +99,16 @@ public HtmlStringBuilder td(long content) {
         return this;
     }
 
+    public HtmlStringBuilder td(long content, String cssClass) {
+        if (cssClass == null) {
+            return td(content);
+        }
+
+        sb.append("<td class=\"").append(cssClass).append("\">").append(content).append("</td>");
+
+        return this;
+    }
+
     public HtmlStringBuilder td(double content) {
         sb.append("<td>").append(content).append("</td>");
 

plugin/src/test/java/org/owasp/benchmarkutils/score/report/FormatsTest.java

@@ -19,6 +19,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.owasp.benchmarkutils.score.report.Formats.fourDecimalPlacesNumber;
+import static org.owasp.benchmarkutils.score.report.Formats.singleDecimalPlaceNumber;
 import static org.owasp.benchmarkutils.score.report.Formats.twoDecimalPlacesPercentage;
 
 import org.junit.jupiter.api.Test;
@@ -34,4 +35,9 @@ void hasFormatterForTwoDecimalPlacesPercentage() {
     void hasFormatterForFourDecimalPlaces() {
         assertEquals("12.3457", fourDecimalPlacesNumber.format(12.345678));
     }
+
+    @Test
+    void hasFormatterForSingleDecimalPlace() {
+        assertEquals("12.3", singleDecimalPlaceNumber.format(12.345678));
+    }
 }