Merge branch 'main' into feature/command-line-tests and resolve merge conflicts.

Author: davewichers

.mvn/jvm.config

@@ -1,3 +1,8 @@
 --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED
 --add-opens java.base/java.lang=ALL-UNNAMED
 
+--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED
+--add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED

plugin/pom.xml

@@ -53,7 +53,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>33.3.1-jre</version>
+            <version>33.4.8-jre</version>
         </dependency>
 
         <!-- The following dependency might be an upgrade/replacement for jaxb.xml.bind.JAXBContext,
@@ -79,7 +79,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.18.0</version>
+            <version>2.19.0</version>
         </dependency>
 
         <dependency>
@@ -91,7 +91,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-csv</artifactId>
-            <version>1.12.0</version>
+            <version>1.14.0</version>
         </dependency>
 
         <dependency>
@@ -103,13 +103,13 @@
         <dependency>
             <groupId>org.apache.httpcomponents.client5</groupId>
             <artifactId>httpclient5</artifactId>
-            <version>5.4.1</version>
+            <version>5.5</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.httpcomponents.core5</groupId>
             <artifactId>httpcore5</artifactId>
-            <version>5.3.1</version>
+            <version>5.3.4</version>
         </dependency>
 
         <dependency>
@@ -134,19 +134,19 @@
         <dependency>
             <groupId>org.jfree</groupId>
             <artifactId>jfreechart</artifactId>
-            <version>1.5.5</version>
+            <version>1.5.6</version>
         </dependency>
 
         <dependency>
             <groupId>org.json</groupId>
             <artifactId>json</artifactId>
-            <version>20240303</version>
+            <version>20250517</version>
         </dependency>
 
         <dependency>
             <groupId>org.yaml</groupId>
             <artifactId>snakeyaml</artifactId>
-            <version>2.3</version>
+            <version>2.4</version>
         </dependency>
 
         <dependency>
@@ -193,10 +193,10 @@
     </build>
 
     <properties>
-        <version.fasterxml.jackson>2.18.2</version.fasterxml.jackson>
+        <version.fasterxml.jackson>2.19.0</version.fasterxml.jackson>
         <!-- 3.0.3+ version of eclipse.persistence requires jakarta.xml.bind instead of jaxb -->
         <version.eclipse.persistence>2.7.15</version.eclipse.persistence>
-        <version.junit.jupiter>5.11.3</version.junit.jupiter>
+        <version.junit.jupiter>5.12.2</version.junit.jupiter>
     </properties>
 
 </project>

plugin/src/main/java/org/owasp/benchmarkutils/helpers/Utils.java

@@ -206,7 +206,9 @@ public static List<String> getLinesFromStream(InputStream fileStream, String sou
      * @throws TestCaseRequestFileParseException
      */
     public static TestSuite parseHttpFile(File file)
-            throws JAXBException, FileNotFoundException, SAXException,
+            throws JAXBException,
+                    FileNotFoundException,
+                    SAXException,
                     ParserConfigurationException {
 
         // Disable XXE
@@ -439,7 +441,9 @@ public static String objectToJson(Object object) throws JAXBException {
 
     public static TestCaseVerificationResultsCollection jsonToTestCaseVerificationResultsList(
             File file)
-            throws JAXBException, FileNotFoundException, SAXException,
+            throws JAXBException,
+                    FileNotFoundException,
+                    SAXException,
                     ParserConfigurationException {
 
         // Disable XXE

plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java

@@ -620,6 +620,8 @@ private static ToolResults calculateMetrics(Map<String, TP_FN_TN_FP_Counts> resu
             // c.tp & c.fp can both be zero, creating a precision of NaN. So set to 0.0.
             if (Double.isNaN(precision)) precision = 0.0;
             double tpr = (double) c.tp / (double) (c.tp + c.fn);
+            // c.tp & c.fn can both be zero, creating an tpr of NaN. So set to 0.0.
+            if (Double.isNaN(tpr)) tpr = 0.0;
             double fpr = (double) c.fp / (double) (c.fp + c.tn);
             // c.fp & c.tn can both be zero, creating an fpr of NaN. So set to 0.0.
             if (Double.isNaN(fpr)) fpr = 0.0;

plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java

@@ -19,168 +19,171 @@
 
 public class CweNumber {
 
+    /** Used occasionally to indicate a CWE isn't mapped yet, but might get mapped properly later */
+    public static final int UNMAPPED = -1;
+
     /** To be used when the CWE reported is one we don't care about in any test suite */
-    public static int DONTCARE = 0000;
+    public static final int DONTCARE = 0000;
 
     /** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') */
-    public static int PATH_TRAVERSAL = 22;
+    public static final int PATH_TRAVERSAL = 22;
 
     /** CWE-23: Relative Path Traversal */
-    public static int RELATIVE_PATH_TRAVERSAL = 23;
+    public static final int RELATIVE_PATH_TRAVERSAL = 23;
 
     /**
      * CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
      * Injection')
      */
-    public static int COMMAND_INJECTION = 78;
+    public static final int COMMAND_INJECTION = 78;
 
     /**
      * CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
      */
-    public static int XSS = 79;
+    public static final int XSS = 79;
 
     /**
      * CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
      */
-    public static int SQL_INJECTION = 89;
+    public static final int SQL_INJECTION = 89;
 
     /**
      * CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
      */
-    public static int LDAP_INJECTION = 90;
+    public static final int LDAP_INJECTION = 90;
 
     /** CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') */
-    public static int CRLF_INJECTION = 93;
+    public static final int CRLF_INJECTION = 93;
 
     /**
      * CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response
      * Splitting')
      */
-    public static int HTTP_RESPONSE_SPLITTING = 113;
+    public static final int HTTP_RESPONSE_SPLITTING = 113;
 
     /** CWE-134: Use of Externally-Controlled Format String */
-    public static int EXTERNALLY_CONTROLLED_STRING = 134;
+    public static final int EXTERNALLY_CONTROLLED_STRING = 134;
 
     /** CWE-284: Improper Access Control */
-    public static int IMPROPER_ACCESS_CONTROL = 284;
+    public static final int IMPROPER_ACCESS_CONTROL = 284;
 
     /** CWE-327: Use of a Broken or Risky Cryptographic Algorithm */
-    public static int WEAK_CRYPTO_ALGO = 327;
+    public static final int WEAK_CRYPTO_ALGO = 327;
 
     /** CWE-328: Use of Weak Hash */
-    public static int WEAK_HASH_ALGO = 328;
+    public static final int WEAK_HASH_ALGO = 328;
 
     /** CWE-329: Generation of Predictable IV with CBC Mode */
-    public static int STATIC_CRYPTO_INIT = 329;
+    public static final int STATIC_CRYPTO_INIT = 329;
 
     /** CWE-330: Use of Insufficiently Random Values */
-    public static int WEAK_RANDOM = 330;
+    public static final int WEAK_RANDOM = 330;
 
     /** CWE-352: Cross-Site Request Forgery (CSRF) */
-    public static int CSRF = 352;
+    public static final int CSRF = 352;
 
     /** CWE-382: J2EE Bad Practices: Use of System.exit() */
-    public static int SYSTEM_EXIT = 382;
+    public static final int SYSTEM_EXIT = 382;
 
     /** CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference */
-    public static int CATCHING_NULL_POINTER_EXCEPTION = 395;
+    public static final int CATCHING_NULL_POINTER_EXCEPTION = 395;
 
     /** CWE-396: Declaration of Catch for Generic Exception */
-    public static int CATCH_GENERIC_EXCEPTION = 396;
+    public static final int CATCH_GENERIC_EXCEPTION = 396;
 
     /** CWE-397: Declaration of Throws for Generic Exception */
-    public static int THROW_GENERIC_EXCEPTION = 397;
+    public static final int THROW_GENERIC_EXCEPTION = 397;
 
     /** CWE-478: Missing Default Case in Switch Statement */
-    public static int MISSING_DEFAULT_CASE = 478;
+    public static final int MISSING_DEFAULT_CASE = 478;
 
     /** CWE-483: Incorrect Block Delimitation */
-    public static int INCORRECT_BLOCK_DELIMITATION = 483;
+    public static final int INCORRECT_BLOCK_DELIMITATION = 483;
 
     /** CWE-484: Omitted Break Statement in Switch */
-    public static int OMITTED_BREAK = 484;
+    public static final int OMITTED_BREAK = 484;
 
     /** CWE-493: Critical Public Variable Without Final Modifier */
-    public static int PUBLIC_VAR_WITHOUT_FINAL = 493;
+    public static final int PUBLIC_VAR_WITHOUT_FINAL = 493;
 
     /** CWE-500: Public Static Field Not Marked Final */
-    public static int PUBLIC_STATIC_NOT_FINAL = 500;
+    public static final int PUBLIC_STATIC_NOT_FINAL = 500;
 
     /** CWE-501: Trust Boundary Violation */
-    public static int TRUST_BOUNDARY_VIOLATION = 501;
+    public static final int TRUST_BOUNDARY_VIOLATION = 501;
 
     /** CWE-502: Deserialization of Untrusted Data */
-    public static int INSECURE_DESERIALIZATION = 502;
+    public static final int INSECURE_DESERIALIZATION = 502;
 
     /** CWE-523: Unprotected Transport of Credentials */
-    public static int UNPROTECTED_CREDENTIALS_TRANSPORT = 523;
+    public static final int UNPROTECTED_CREDENTIALS_TRANSPORT = 523;
 
     /** CWE-532: Insertion of Sensitive Information into Log File */
-    public static int SENSITIVE_LOGFILE = 532;
+    public static final int SENSITIVE_LOGFILE = 532;
 
     /** CWE-564: SQL Injection: Hibernate */
-    public static int HIBERNATE_INJECTION = 564;
+    public static final int HIBERNATE_INJECTION = 564;
 
     /** CWE-572: Call to Thread run() instead of start() */
-    public static int THREAD_WRONG_CALL = 572;
+    public static final int THREAD_WRONG_CALL = 572;
 
     /** CWE-580: clone() Method Without super.clone() */
-    public static int CLONE_WITHOUT_SUPER_CLONE = 580;
+    public static final int CLONE_WITHOUT_SUPER_CLONE = 580;
 
     /** CWE-563: Assignment to Variable without Use */
-    public static int UNUSED_VAR_ASSIGNMENT = 563;
+    public static final int UNUSED_VAR_ASSIGNMENT = 563;
 
     /** CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined */
-    public static int OBJECT_MODEL_VIOLATION = 581;
+    public static final int OBJECT_MODEL_VIOLATION = 581;
 
     /** CWE-583: finalize() Method Declared Public */
-    public static int FINALIZE_DECLARED_PUBLIC = 583;
+    public static final int FINALIZE_DECLARED_PUBLIC = 583;
 
     /** CWE-584: Return Inside Finally Block */
-    public static int RETURN_INSIDE_FINALLY = 584;
+    public static final int RETURN_INSIDE_FINALLY = 584;
 
     /** CWE-595: Comparison of Object References Instead of Object Contents */
-    public static int OBJECT_REFERENCE_COMPARISON = 595;
+    public static final int OBJECT_REFERENCE_COMPARISON = 595;
 
     /** CWE-601: URL Redirection to Untrusted Site ('Open Redirect') */
-    public static int OPEN_REDIRECT = 601;
+    public static final int OPEN_REDIRECT = 601;
 
     /** CWE-611: Improper Restriction of XML External Entity Reference */
-    public static int XXE = 611;
+    public static final int XXE = 611;
 
     /** CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute */
-    public static int INSECURE_COOKIE = 614;
+    public static final int INSECURE_COOKIE = 614;
 
     /** CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') */
-    public static int XPATH_INJECTION = 643;
+    public static final int XPATH_INJECTION = 643;
 
     /**
      * CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity
      * Checking
      */
-    public static int OBFUSCATION = 649;
+    public static final int OBFUSCATION = 649;
 
     /** CWE-754: Improper Check for Unusual or Exceptional Conditions */
-    public static int IMPROPER_CHECK_FOR_CONDITIONS = 754;
+    public static final int IMPROPER_CHECK_FOR_CONDITIONS = 754;
 
     /** CWE-783: Operator Precedence Logic Error */
-    public static int OPERATOR_PRECEDENCE_LOGIC = 783;
+    public static final int OPERATOR_PRECEDENCE_LOGIC = 783;
 
     /** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') */
-    public static int LOOP_WITH_UNREACHABLE_EXIT = 835;
+    public static final int LOOP_WITH_UNREACHABLE_EXIT = 835;
 
     /** CWE-916: Use of Password Hash With Insufficient Computational Effort */
-    public static int PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT = 916;
+    public static final int PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT = 916;
 
     /** CWE-918: Server-Side Request Forgery (SSRF) */
-    public static int SSRF = 918;
+    public static final int SSRF = 918;
 
     /** CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag */
-    public static int COOKIE_WITHOUT_HTTPONLY = 1004;
+    public static final int COOKIE_WITHOUT_HTTPONLY = 1004;
 
     /** CWE-1021: Improper Restriction of Rendered UI Layers or Frames */
-    public static int IMPROPER_UI_LAYER_RESTRICTION = 1021;
+    public static final int IMPROPER_UI_LAYER_RESTRICTION = 1021;
 
     /** CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine */
-    public static int SSTI = 1336;
+    public static final int SSTI = 1336;
 }

plugin/src/main/java/org/owasp/benchmarkutils/score/ResultFile.java

@@ -143,7 +143,8 @@ private static CSVParser csvRecords(String content) {
                     .setHeader()
                     .setSkipHeaderRecord(false)
                     .setIgnoreEmptyLines(false)
-                    .build()
+                    .setTrim(true) // trim leading/trailing blanks in column values
+                    .get()
                     .parse(new StringReader(content));
         } catch (IOException e) {
             throw new RuntimeException(e);