Reader for WhiteHat Dynamic

Author: darkspirit510

plugin/src/main/java/org/owasp/benchmarkutils/score/ResultFile.java

@@ -133,19 +133,33 @@ public File file() {
     }
 
     public CSVParser csvRecords() {
+        return csvRecords(content());
+    }
+
+    private static CSVParser csvRecords(String content) {
         try {
             return CSVFormat.DEFAULT
                     .builder()
                     .setHeader()
                     .setSkipHeaderRecord(false)
                     .setIgnoreEmptyLines(false)
                     .build()
-                    .parse(new StringReader(content()));
+                    .parse(new StringReader(content));
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
     }
 
+    public CSVParser csvRecordsSkipFirstRows(int skipRows) {
+        List<String> rows = contentAsRows();
+
+        return csvRecords(String.join("\n", rows.subList(skipRows, rows.size())));
+    }
+
+    public List<String> contentAsRows() {
+        return Arrays.asList(content().split("\n"));
+    }
+
     /**
      * Read the specified line of the provided file. Returns empty string if the given file does not
      * have as many lines.

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java

@@ -28,6 +28,7 @@
 import org.owasp.benchmarkutils.score.BenchmarkScore;
 import org.owasp.benchmarkutils.score.ResultFile;
 import org.owasp.benchmarkutils.score.TestSuiteResults;
+import org.owasp.benchmarkutils.score.parsers.csv.WhiteHatDynamicReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.DatadogSastReader;
@@ -109,6 +110,7 @@ public static List<Reader> allReaders() {
                 new WapitiJsonReader(),
                 new WapitiReader(),
                 new WebInspectReader(),
+                new WhiteHatDynamicReader(),
                 new ZapJsonReader(),
                 new ZapReader());
     }

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/csv/WhiteHatDynamicReader.java

@@ -0,0 +1,152 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details
+ *
+ * @author Sascha Knoop
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.csv;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.commons.csv.CSVParser;
+import org.apache.commons.csv.CSVRecord;
+import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestCaseResult;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
+import org.owasp.benchmarkutils.score.parsers.Reader;
+
+/**
+ * Reader for <a
+ * href="https://www.synopsys.com/software-integrity/security-testing/dast.html">WhiteHat Dynamic
+ * (DAST)</a> results.
+ */
+public class WhiteHatDynamicReader extends Reader {
+
+    private final Map<String, Integer> categoryMappings = new HashMap<>();
+
+    public WhiteHatDynamicReader() {
+        categoryMappings.put("Directory Indexing", 548);
+        categoryMappings.put("Insecure Indexing", 548);
+        categoryMappings.put("Insufficient Authorization", 287);
+        categoryMappings.put("Insufficient Process Validation", 424);
+        categoryMappings.put("Path Traversal", 35);
+        categoryMappings.put("Predictable Resource Location", 425);
+        categoryMappings.put("URL Redirector Abuse", 601);
+        categoryMappings.put("Cross Site Request Forgery", 352);
+        categoryMappings.put("Insufficient Transport Layer Protection", 319);
+        categoryMappings.put("Session Prediction", 330);
+        categoryMappings.put("Application Code Execution", 94);
+        categoryMappings.put("Cross Site Scripting", CweNumber.XSS);
+        categoryMappings.put("HTTP Response Splitting", 113);
+        categoryMappings.put("Improper Input Handling", 20);
+        categoryMappings.put("LDAP Injection", CweNumber.LDAP_INJECTION);
+        categoryMappings.put("Mail Command Injection", 77);
+        categoryMappings.put("OS Command Injection", CweNumber.COMMAND_INJECTION);
+        categoryMappings.put("Query Language Injection", 943);
+        categoryMappings.put("SQL Injection", CweNumber.SQL_INJECTION);
+        categoryMappings.put("SSI Injection", 97);
+        categoryMappings.put("XML Injection", 91);
+        categoryMappings.put("XPath Injection", CweNumber.XPATH_INJECTION);
+        categoryMappings.put("XQuery Injection", 652);
+        categoryMappings.put("OS Commanding", CweNumber.COMMAND_INJECTION);
+        categoryMappings.put("Routing Detour", 610);
+        categoryMappings.put("Cacheable Sensitive Response", 525);
+        categoryMappings.put("Frameable Resource", 1021);
+        categoryMappings.put("Abuse of Functionality", 840);
+        categoryMappings.put("Brute Force", 799);
+        categoryMappings.put("Clickjacking", 1021);
+        categoryMappings.put("Insufficient Anti-automation", 799);
+        categoryMappings.put("Application Misconfiguration", 16);
+        categoryMappings.put("Autocomplete Attribute", 16);
+        categoryMappings.put("Fingerprinting", 497);
+        categoryMappings.put("Information Leakage", 200);
+        categoryMappings.put("Non-HttpOnly Session Cookie", 1004);
+        categoryMappings.put("Server Misconfiguration", 16);
+        categoryMappings.put("Unsecured Session Cookie", CweNumber.INSECURE_COOKIE);
+        categoryMappings.put("XML External Entities", CweNumber.XXE);
+        categoryMappings.put("Missing Secure Headers", 693);
+        categoryMappings.put("Unpatched Software", 1104);
+        categoryMappings.put("Insufficient Authentication", 285);
+        categoryMappings.put("Insufficient Password Policy Implementation", 521);
+        categoryMappings.put("Insufficient Password Recovery", 640);
+        categoryMappings.put("Insufficient Session Expiration", 613);
+        categoryMappings.put("Session Fixation", 384);
+        categoryMappings.put("Content Spoofing", 451);
+        categoryMappings.put("Remote File Inclusion", 829);
+        categoryMappings.put("Denial of Service", 400);
+        categoryMappings.put("Buffer Overflow", 788);
+    }
+
+    @Override
+    public boolean canRead(ResultFile resultFile) {
+        return resultFile.filename().endsWith(".csv")
+                && resultFile.line(0).contains("Report As Of");
+    }
+
+    @Override
+    public TestSuiteResults parse(ResultFile resultFile) throws Exception {
+        TestSuiteResults tr =
+                new TestSuiteResults("WhiteHat Dynamic", true, TestSuiteResults.ToolType.DAST);
+
+        try (CSVParser records = resultFile.csvRecordsSkipFirstRows(headerRow(resultFile))) {
+            records.stream()
+                    .filter(WhiteHatDynamicReader::isRelevant)
+                    .forEach(r -> tr.put(toTestCaseResult(r)));
+        }
+
+        return tr;
+    }
+
+    private int headerRow(ResultFile resultFile) {
+        List<String> rows = resultFile.contentAsRows();
+
+        for (int i = 0; i < rows.size(); i++) {
+            if (rows.get(i).startsWith("Vuln ID")) {
+                return i;
+            }
+        }
+
+        throw new RuntimeException("No header row found");
+    }
+
+    private static boolean isRelevant(CSVRecord r) {
+        return extractFilename(r.get("Attack Vector Path")).startsWith(BenchmarkScore.TESTCASENAME);
+    }
+
+    private TestCaseResult toTestCaseResult(CSVRecord record) {
+        String filename = record.get("Attack Vector Path");
+        String category = record.get("Class");
+
+        TestCaseResult tcr = new TestCaseResult();
+
+        tcr.setCategory(category);
+        tcr.setCWE(cweLookup(category));
+        tcr.setNumber(testNumber(filename));
+
+        return tcr;
+    }
+
+    private int cweLookup(String category) {
+        if (categoryMappings.containsKey(category)) {
+            return categoryMappings.get(category);
+        }
+
+        System.out.println(
+                "WARNING: WhiteHat result file contained unmapped category: " + category);
+        return CweNumber.DONTCARE;
+    }
+}

plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/csv/WhiteHatDynamicReaderTest.java

@@ -0,0 +1,61 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Sascha Knoop
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.score.parsers.csv;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestHelper;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
+import org.owasp.benchmarkutils.score.parsers.ReaderTestBase;
+
+public class WhiteHatDynamicReaderTest extends ReaderTestBase {
+
+    private ResultFile resultFile;
+
+    @BeforeEach
+    void setUp() {
+        resultFile = TestHelper.resultFileOf("testfiles/Benchmark_WhiteHat.csv");
+        BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+    }
+
+    @Test
+    public void onlyWhiteHatDynamicReaderReportsCanReadAsTrue() {
+        assertOnlyMatcherClassIs(this.resultFile, WhiteHatDynamicReader.class);
+    }
+
+    @Test
+    void readerHandlesGivenResultFile() throws Exception {
+        WhiteHatDynamicReader reader = new WhiteHatDynamicReader();
+        TestSuiteResults result = reader.parse(resultFile);
+
+        assertEquals(TestSuiteResults.ToolType.DAST, result.getToolType());
+        assertTrue(result.isCommercial());
+        assertEquals("WhiteHat Dynamic", result.getToolName());
+
+        assertEquals(2, result.getTotalResults());
+
+        assertEquals(CweNumber.COMMAND_INJECTION, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.XSS, result.get(2).get(0).getCWE());
+    }
+}

plugin/src/test/resources/testfiles/Benchmark_WhiteHat.csv

@@ -0,0 +1,21 @@
+"Report As Of: Saturday, January 01, 2000",,,,,,,,,,,,,,,,,,,,,
+Prepared By: john.doe@example.com,,,,,,,,,,,,,,,,,,,,,
+Report Description: This report provides information about vulnerabilities.,,,,,,,,,,,,,,,,,,,,,
+Report Filtered By:,,,,,,,,,,,,,,,,,,,,,
+"Vulnerability Status: Closed, Open",,,,,,,,,,,,,,,,,,,,,
+"Rating: Note,  Low,  Medium,  High,  Critical",,,,,,,,,,,,,,,,,,,,,
+Start Date: 2000-01-01,,,,,,,,,,,,,,,,,,,,,
+End Date: 2000-02-02,,,,,,,,,,,,,,,,,,,,,
+Note: Vulnerability class descriptions and solutions are listed at the end.,,,,,,,,,,,,,,,,,,,,,
+,,,,,,,,,,,,,,,,,,,,,
+Vuln ID,Vuln URL,Attack Vector ID,Date Opened,Vuln Status,Attack Vector Status,Class,Asset Name,Asset URL,Asset ID,Rating,CVSS Score,CVSS Vector,Custom Description,Custom Solution,Attack Vector Path,Last Tested,Method,HTTP Request Header,Response Header,Notes,Response Status
+11111111,somedomain.com/benchmark/cmdi-00/BenchmarkTest0001,111111111,2000-01-01 01:01:01 -0100,Open,Open,OS Commanding,somedomain.com,https://somedomain.com/benchmark,100688,High,10.0,CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H,null,null,https://somedomain.com/benchmark/cmdi-00/BenchmarkTest0001,2000-01-01 01:01:01 -0100,POST,"Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7,Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5,Accept-Language:en-us,en;q=0.5,User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1 WhiteHat Security,Content-Length:50,Content-Type:application/x-www-form-urlencoded,null","Client-SSL-Version:TLSv1_3,Content-Type:text/html;charset=UTF-8,Client-SSL-Cipher:TLS_AES_128_GCM_SHA256,Client-SSL-Socket-Class:IO::Socket::SSL,X-Content-Type-Options:nosniff,X-Frame-Options:DENY,Client-SSL-Cert-Issuer:/DC=corp/DC=root/DC=accounts/CN=Express Scripts Issuing CA 02,Client-SSL-Cert-Subject:/C=US/O=Some Test/OU=SSL/CN=whitehat-test-benchmark-1-dev,Client-SSL-Warning:Peer certificate not verified,Cache-Control:no-cache, no-store, must-revalidate,Content-Length:471,Content-Security-Policy:frame-ancestors 'self'; form-action 'self'; default-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; style-src-elem 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com,Date:Sat, 01 Jan 2000 01:01:01 GMT",null,200
+22222222,somedomain.com/benchmark/xss-00/BenchmarkTest00002,222222222,2000-02-02 02:02:02 -0100,Open,Open,Cross Site Scripting,somedomain.com,https://somedomain.com/benchmark,100688,Medium,4.3,CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N,"Some custom description",null,https://somedomain.com/benchmark/xss-00/BenchmarkTest00002,2000-02-02 02:02:02 -0100,POST,"Content-Type:application/x-www-form-urlencoded,User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1 WhiteHat Security,Accept-Language:en-us,en;q=0.5,Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7,Content-Length:84,Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5,null","Client-SSL-Socket-Class:IO::Socket::SSL,Content-Security-Policy:frame-ancestors 'self'; form-action 'self'; default-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; style-src-elem 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com,Client-SSL-Cert-Subject:/C=US/O=Some Test/OU=SSL/CN=whitehat-test-benchmark-1-dev,Content-Type:text/html;charset=UTF-8,X-Content-Type-Options:nosniff,Client-SSL-Warning:Peer certificate not verified,Date:Sun, 02 Jan 2000 02:02:02 GMT,Cache-Control:no-cache, no-store, must-revalidate,X-Xss-Protection:0,Client-SSL-Cipher:TLS_AES_128_GCM_SHA256,Client-SSL-Cert-Issuer:/DC=corp/DC=root/DC=accounts/CN=Express Scripts Issuing CA 02,Content-Length:45,Client-SSL-Version:TLSv1_3,X-Frame-Options:DENY",null,200
+,,,,,,,,,,,,,,,,,,,,,
+,,,,,,,,,,,,,,,,,,,,,
+,,,,,,,,,,,,,,,,,,,,,
+Class Name,Description,Solution,,,,,,,,,,,,,,,,,,,
+Content Spoofing,"
+Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam.","Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam.",,,,,,,,,,,,,,,,,,,
+Cross Site Scripting,"Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam.","Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam.",,,,,,,,,,,,,,,,,,,
+"Copyright 2024 Synopsys, Inc. - Synopsys Inc. and customer confidential",,,,,,,,,,,,,,,,,,,,,