Snyk reports on child CWEs for PathTraversal and password hashing (#90)

sebsnyk · web-flow · commit 64f72b2f5b34 · 2024-08-15T12:21:41.000-04:00
* Snyk reports on child CWEs for PathTraversal and password hashing

* Move CWE mapping logic into SnykReader itself &amp; add tests

Looks good to me. Thanks for fixing.
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
@@ -25,6 +25,9 @@ public class CweNumber {
     /** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') */
     public static int PATH_TRAVERSAL = 22;
 
+    /** CWE-23: Relative Path Traversal */
+    public static int RELATIVE_PATH_TRAVERSAL = 23;
+
     /**
      * CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
      * Injection')
@@ -166,6 +169,9 @@ public class CweNumber {
     /** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') */
     public static int LOOP_WITH_UNREACHABLE_EXIT = 835;
 
+    /** CWE-916: Use of Password Hash With Insufficient Computational Effort */
+    public static int PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT = 916;
+
     /** CWE-918: Server-Side Request Forgery (SSRF) */
     public static int SSRF = 918;
 
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReader.java
@@ -17,9 +17,24 @@
  */
 package org.owasp.benchmarkutils.score.parsers.sarif;
 
+import org.owasp.benchmarkutils.score.CweNumber;
+
 public class SnykReader extends SarifReader {
 
     public SnykReader() {
         super("SnykCode", true, CweSourceType.FIELD);
     }
+
+    @Override
+    public int mapCwe(int cwe) {
+        if (cwe == CweNumber.PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT) {
+            return CweNumber.WEAK_HASH_ALGO;
+        }
+
+        if (cwe == CweNumber.RELATIVE_PATH_TRAVERSAL) {
+            return CweNumber.PATH_TRAVERSAL;
+        }
+
+        return super.mapCwe(cwe);
+    }
 }
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SnykReaderTest.java
@@ -59,4 +59,13 @@ void readerHandlesGivenResultFile() throws Exception {
         assertEquals(CweNumber.INSECURE_COOKIE, result.get(1).get(0).getCWE());
         assertEquals(CweNumber.XPATH_INJECTION, result.get(2).get(0).getCWE());
     }
+
+    @Test
+    void readerMapsCwes() {
+        SnykReader reader = new SnykReader();
+        assertEquals(
+                CweNumber.WEAK_HASH_ALGO,
+                reader.mapCwe(CweNumber.PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT));
+        assertEquals(CweNumber.PATH_TRAVERSAL, reader.mapCwe(CweNumber.RELATIVE_PATH_TRAVERSAL));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -59,4 +59,13 @@ void readerHandlesGivenResultFile() throws Exception {`
`59`	`59`	`assertEquals(CweNumber.INSECURE_COOKIE, result.get(1).get(0).getCWE());`
`60`	`60`	`assertEquals(CweNumber.XPATH_INJECTION, result.get(2).get(0).getCWE());`
`61`	`61`	`}`
	`62`	`+`
	`63`	`+ @Test`
	`64`	`+ void readerMapsCwes() {`
	`65`	`+ SnykReader reader = new SnykReader();`
	`66`	`+ assertEquals(`
	`67`	`+ CweNumber.WEAK_HASH_ALGO,`
	`68`	`+ reader.mapCwe(CweNumber.PASSWORD_HASH_WITH_INSUFFICIENT_COMPUTATIONAL_EFFORT));`
	`69`	`+ assertEquals(CweNumber.PATH_TRAVERSAL, reader.mapCwe(CweNumber.RELATIVE_PATH_TRAVERSAL));`
	`70`	`+ }`
`62`	`71`	`}`