Positive Technologies Application Inspector (PT AI) SARIF report support (#123)

ZhukovAN · web-flow · commit 4b4514984cbb · 2024-11-18T10:46:45.000-05:00
* Positive Technologies Application Inspector SARIF report support added

* PT AI tool name and version are shortened
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
@@ -32,6 +32,7 @@
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.DatadogSastReader;
+import org.owasp.benchmarkutils.score.parsers.sarif.PTAIReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.PrecautionReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.SemgrepSarifReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.SnykReader;
@@ -89,6 +90,7 @@ public static List<Reader> allReaders() {
                 new ParasoftReader(),
                 new PrecautionReader(),
                 new PMDReader(),
+                new PTAIReader(),
                 new QualysWASReader(),
                 new Rapid7Reader(),
                 new ReshiftReader(),
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReader.java
@@ -0,0 +1,64 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
+
+public class PTAIReader extends SarifReader {
+
+    static final int PTAI_CWE_EXTERNAL_FILEPATH_CONTROL = 73;
+    static final int PTAI_CWE_BLIND_XPATH_INJECTION = 91;
+
+    static final String EXPECTED_TOOL_NAME = "Positive Technologies Application Inspector";
+    static final String SHORTENED_TOOL_NAME = "PT Application Inspector";
+
+    public PTAIReader() {
+        super(EXPECTED_TOOL_NAME, true, CweSourceType.FIELD);
+    }
+
+    @Override
+    public String toolName(ResultFile resultFile) {
+        return SHORTENED_TOOL_NAME;
+    }
+
+    /**
+     * SARIF report tool version field is too long as it contains build number. Shorten it to X.Y.Z
+     */
+    @Override
+    public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) {
+        super.setVersion(resultFile, testSuiteResults);
+        String version = testSuiteResults.getToolVersion();
+        String[] versionItems = version.split("\\.");
+        if (versionItems.length < 4) return;
+        testSuiteResults.setToolVersion(
+                String.format("%s.%s.%s", versionItems[0], versionItems[1], versionItems[2]));
+    }
+
+    @Override
+    public int mapCwe(int cwe) {
+        switch (cwe) {
+            case PTAI_CWE_EXTERNAL_FILEPATH_CONTROL:
+                return CweNumber.PATH_TRAVERSAL;
+            case PTAI_CWE_BLIND_XPATH_INJECTION:
+                return CweNumber.XPATH_INJECTION;
+        }
+        return cwe;
+    }
+}
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/PTAIReaderTest.java
@@ -0,0 +1,57 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Alexey Zhukov
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.*;
+import org.owasp.benchmarkutils.score.parsers.ReaderTestBase;
+
+public class PTAIReaderTest extends ReaderTestBase {
+
+    private ResultFile resultFile;
+
+    @BeforeEach
+    void setUp() {
+        resultFile = TestHelper.resultFileOf("testfiles/Benchmark_PTAI-v4.7.2.sarif");
+        BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+    }
+
+    @Test
+    public void onlyPTAIReaderTestReportsCanReadAsTrue() {
+        assertOnlyMatcherClassIs(this.resultFile, PTAIReader.class);
+    }
+
+    @Test
+    void readerHandlesGivenResultFile() throws Exception {
+        PTAIReader reader = new PTAIReader();
+        TestSuiteResults result = reader.parse(resultFile);
+
+        assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+
+        assertEquals("PT Application Inspector", result.getToolName());
+        assertEquals("4.7.2", result.getToolVersion());
+
+        assertEquals(2, result.getTotalResults());
+
+        assertEquals(CweNumber.PATH_TRAVERSAL, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.SQL_INJECTION, result.get(8).get(0).getCWE());
+    }
+}
diff --git a/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif b/plugin/src/test/resources/testfiles/Benchmark_PTAI-v4.7.2.sarif
@@ -0,0 +1,104 @@
+{
+  "version": "2.1.0",
+  "$schema": "http://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Positive Technologies Application Inspector",
+          "version": "4.7.2.36549",
+          "organization": "Positive Technologies",
+          "informationUri": "https://www.ptsecurity.com/ww-en/products/ai/",
+          "rules": [
+            {
+              "id": "SQL Injection",
+              "name": "SQL Injection",
+              "properties": {
+                "cwe": [
+                  "CWE-89"
+                ]
+              },
+              "defaultConfiguration": {
+                "level": "error",
+                "enabled": true
+              },
+              "messageStrings": {
+                "default": {
+                  "text": "SQL Injection"
+                }
+              }
+            },
+            {
+              "id": "Arbitrary File Reading",
+              "name": "Arbitrary File Reading",
+              "properties": {
+                "cwe": [
+                  "CWE-73"
+                ]
+              },
+              "defaultConfiguration": {
+                "level": "error",
+                "enabled": true
+              },
+              "messageStrings": {
+                "default": {
+                  "text": "Arbitrary File Reading"
+                }
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "Arbitrary File Reading",
+          "suppressions": [
+          ],
+          "message": {
+            "id": "default",
+            "text": "Arbitrary File Reading"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java"
+                },
+                "region": {
+                  "startLine": 71,
+                  "snippet": {
+                    "text": "new java.io.FileInputStream(new java.io.File(fileName))"
+                  }
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "SQL Injection",
+          "suppressions": [
+          ],
+          "message": {
+            "id": "default",
+            "text": "SQL Injection"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "./src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java"
+                },
+                "region": {
+                  "startLine": 57,
+                  "snippet": {
+                    "text": "connection.prepareCall(sql)"
+                  }
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
