#68 - take first CWE number from tags

darkspirit510 · darkspirit510 · commit 5148873dcc35 · 2024-04-18T13:12:52.000+02:00
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java
@@ -34,8 +34,6 @@ public int mapCwe(int cwe) {
                 return CweNumber.COMMAND_INJECTION; // Command Injection
             case 335: // java/predictable-seed - Improves the tool's score
                 return CweNumber.WEAK_RANDOM; // Weak Random
-            case 564:
-                return CweNumber.SQL_INJECTION;
         }
         return cwe;
     }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SarifReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SarifReader.java
@@ -159,7 +159,8 @@ private Map<String, Integer> ruleCweMappingsByTag(JSONObject tool) {
             for (int j = 0; j < tags.length(); j++) {
                 String tag = tags.getString(j).toLowerCase();
 
-                if (tag.contains("cwe")) {
+                // only take first CWE id for rule
+                if (tag.contains("cwe") && !mappings.containsKey(rule.getString("id"))) {
                     mappings.put(rule.getString("id"), mapCwe(extractCwe(tag)));
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -34,8 +34,6 @@ public int mapCwe(int cwe) {`
`34`	`34`	`return CweNumber.COMMAND_INJECTION; // Command Injection`
`35`	`35`	`case 335: // java/predictable-seed - Improves the tool's score`
`36`	`36`	`return CweNumber.WEAK_RANDOM; // Weak Random`
`37`		`- case 564:`
`38`		`- return CweNumber.SQL_INJECTION;`
`39`	`37`	`}`
`40`	`38`	`return cwe;`
`41`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,8 @@ private Map<String, Integer> ruleCweMappingsByTag(JSONObject tool) {`
`159`	`159`	`for (int j = 0; j < tags.length(); j++) {`
`160`	`160`	`String tag = tags.getString(j).toLowerCase();`
`161`	`161`
`162`		`- if (tag.contains("cwe")) {`
	`162`	`+ // only take first CWE id for rule`
	`163`	`+ if (tag.contains("cwe") && !mappings.containsKey(rule.getString("id"))) {`
`163`	`164`	`mappings.put(rule.getString("id"), mapCwe(extractCwe(tag)));`
`164`	`165`	`}`
`165`	`166`	`}`