CWE number as enum #31
Conversation
| // Add any 'new' CWEs ever found to switch above so we know they are mapped properly. | ||
| System.out.println("INFO: Found following CWE which we haven't seen before: " + cweNum); | ||
| return Integer.parseInt(cweNum); | ||
| return CweNumber.lookup(cweNum); |
There was a problem hiding this comment.
This change doesn't allow us to manually decide how to map these. This can be especially important for DAST tools as they frequently report 1 type of injection as another. I'm thinking in cases like this we should leave the manual mapping the way it was. What do you think?
There was a problem hiding this comment.
As discussed: #31 (comment)
| return CweNumber | ||
| .SENSITIVE_INFORMATION_IN_BROWSER_CACHE; // Information Exposure Through | ||
| // Browser Caching-Cacheable HTTPS | ||
| // Response |
There was a problem hiding this comment.
Can you merge the above 2 lines into a single line comment?
There was a problem hiding this comment.
Already fixed
| } | ||
| return 0000; | ||
|
|
||
| return CweNumber.lookup(name.trim()); |
There was a problem hiding this comment.
Again, I think its better to leave the manual mapping here so we can map in anything 'new'.
There was a problem hiding this comment.
As discussed: #31 (comment)
| case 36: | ||
| case 23: | ||
| return CweNumber.PATH_TRAVERSAL; | ||
| case 338: | ||
| return CweNumber.WEAK_RANDOM; | ||
| } | ||
| return cwe; | ||
|
|
There was a problem hiding this comment.
I think we should add a warning like the others, e.g., "something new seen here not mapped before". Take exact message from other parser that already has this warning.
There was a problem hiding this comment.
As discussed: #31 (comment)
| case 36: | ||
| case 23: | ||
| return CweNumber.PATH_TRAVERSAL; | ||
| case 338: | ||
| return CweNumber.WEAK_RANDOM; | ||
| } | ||
| return cwe; | ||
|
|
There was a problem hiding this comment.
Can you add new/missing mapping warning here?
There was a problem hiding this comment.
As discussed: #31 (comment)
| + " for rule: " | ||
| + ruleName); | ||
| private CweNumber mapCWE(Integer cweNumber) { | ||
| if (cweNumber == 335) { |
There was a problem hiding this comment.
We should retain the explanatory comment of why we are doing this.
| } | ||
| return 0; // Not mapped to anything | ||
|
|
||
| return CweNumber.lookup(cweNumber); |
There was a problem hiding this comment.
I prefer that we keep the manual mapping so we can get the warning of 'new' types of issues not yet mapped.
There was a problem hiding this comment.
As discussed: #31 (comment)
| } | ||
|
|
There was a problem hiding this comment.
Can we restore what we had so we can flag reported CWEs not yet mapped?
There was a problem hiding this comment.
As discussed: #31 (comment)
| int cwe = cweNumber(finding); | ||
| tcr.setCWE(cwe); | ||
| String cwe = finding.getString("cwe").substring(4); | ||
| tcr.setCWE(CweNumber.lookup(cwe)); |
There was a problem hiding this comment.
Restore what we had so we can flag reported CWEs not yet mapped. And there is one mapping here that doesn't go straight up, 326 to Weak Crypto.
| } | ||
|
|
||
| return cwe; | ||
| return CweNumber.lookup(cwe); |
There was a problem hiding this comment.
Can we restore what we had so we can flag reported CWEs not yet mapped?
There was a problem hiding this comment.
As discussed: #31 (comment)
| } | ||
| return cwe; | ||
| return CweNumber.lookup(cwe); |
There was a problem hiding this comment.
Can we restore what we had so we can flag reported CWEs not yet mapped?
There was a problem hiding this comment.
As discussed: #31 (comment)
| case "xss": | ||
| return 79; | ||
| return CweNumber.XSS; | ||
| default: | ||
| throw new RuntimeException("Unknown category: " + category); |
There was a problem hiding this comment.
Maybe change this to a simple system out println? Runtime exception seems harsh.
There was a problem hiding this comment.
I can change this, but I didn't touch this in my PR.
| } | ||
| return 0; | ||
|
|
There was a problem hiding this comment.
Can we restore what we had so we can flag reported CWEs not yet mapped?
There was a problem hiding this comment.
As discussed: #31 (comment)
plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/SonarQubeReader.java
Outdated
Show resolved
Hide resolved
plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/VisualCodeGrepperReader.java
Outdated
Show resolved
Hide resolved
| Node refs = getNamedChild("references", vuln); | ||
| List<Node> references = getNamedChildren("reference", refs); | ||
| for (Node ref : references) { | ||
| String title = getNamedChild("title", ref).getTextContent(); | ||
| if (title.startsWith("CWE-")) { | ||
| String cweNum = title.substring("CWE-".length(), title.indexOf(":")); | ||
| cwe = cweLookup(cweNum); | ||
| cwe = CweNumber.lookup(cweNum); |
There was a problem hiding this comment.
Can we restore the old cweLookup so we can still get the warning "WARNING: Wapiti-Unmapped CWE number: " + cwe);"?
There was a problem hiding this comment.
As discussed: #31 (comment)
| } | ||
|
|
There was a problem hiding this comment.
Can we restore the old cweLookup so we can still get the warning "WARNING: ZAP CWE not mapped to expected test suite CWE: " + cwe);
There was a problem hiding this comment.
As discussed: #31 (comment)
|
@darkspirit510 - Thanks so much for all this refactoring work! I provided some minor comments in a few dozen of the files changed. Can you address those comments and we should be good to go. |
|
Sorry for the late reply :-) Since most of your comments are about the "missing" default message, one general reply why I removed them: After checking all mapping methods in all Reader classes, you can divide them into three groups:
|
|
As you address issues per my comments above, can you add comments to each issue you've addressed so I can resolve comments on fixed issues? |
|
If you accept my explaination, i can write a short note to every comment. |
|
@darkspirit510 - that works. Thanks. |
|
@darkspirit510 - Did you ever work on my comments (per above)? Also, there is a branch conflict now, w/SemgrepReader. Can you resolve that too? |
|
@davewichers most of the comments should be explained in comment #31 (comment). But I actually missed some comments, I'll go through them within the next days. |
|
I fixed/commented all the things. If you're still not sure about this PR, I think about closing and redoing it in smaller chunks. |
|
@darkspirit510 - There was a lot of work done here, but might have been overcome by events. Do you want finish this one? Or start over and do this in smaller chunks? |
@darkspirit510 - Nudge :-) |
|
Since this is way too old, I'll redo it in smaller chunks 😅 |
Migrated CweNumber to enum to ensure there is no magic number stuff going on. Could remove a lot of mapping code that just attempts to map string to number. Since the code has to go through CweNumber's lookup method (which informs about request of unknown number), this (at least somehow) handles #6 and #7. It obviously does not handle default blocks for mapping of any tools internal namings/ids to CweNumbers.