Merge branch 'OWASP:master' into master

OWASP-Benchmark · May 31, 2021 · 95a938f · 95a938f
2 parents 8a3570e + a4ee4ce
commit 95a938f
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 29 deletions.
diff --git a/pom.xml b/pom.xml
@@ -101,7 +101,7 @@
                                 <plugin>
                                     <groupId>com.h3xstream.findsecbugs</groupId>
                                     <artifactId>findsecbugs-plugin</artifactId>
-                                    <version>1.10.1</version>
+                                    <version>1.11.0</version>
                                 </plugin>
                             </plugins>
                         </configuration>
@@ -1262,8 +1262,8 @@
         <version.jackson>2.9.8</version.jackson>
         <version.jersey>1.19.4</version.jersey>
         <version.slf4j>1.7.30</version.slf4j>
-        <version.spotbugs.maven>4.2.2</version.spotbugs.maven>
-        <version.spotbugs>4.2.2</version.spotbugs>
+        <version.spotbugs.maven>4.2.3</version.spotbugs.maven>
+        <version.spotbugs>4.2.3</version.spotbugs>
         <version.spotless>2.10.1</version.spotless>
         <version.springframework>4.3.30.RELEASE</version.springframework>
         <!-- tomcat 8.5 is last version to support Java 7. Tomcat 9+ requires Java 8. -->

diff --git a/src/main/java/org/owasp/benchmark/score/parsers/FindbugsReader.java b/src/main/java/org/owasp/benchmark/score/parsers/FindbugsReader.java
@@ -225,6 +225,12 @@ else if (cwe.equals("326")) {
             case "SECOPFP":
                 return 00; // Overly Permissive File Permissions
 
+                // Other
+            case "SECHPP":
+                return 235; // HTTP Parameter Polution
+            case "SECUNI":
+                return 00; // Improper Unicode
+
             default:
                 System.out.println("Unknown vuln category for FindBugs: " + cat);
         }

diff --git a/src/main/java/org/owasp/benchmark/score/parsers/PMDReader.java b/src/main/java/org/owasp/benchmark/score/parsers/PMDReader.java
@@ -19,6 +19,7 @@
 
 import java.io.File;
 import java.io.FileInputStream;
+import java.util.ArrayList;
 import java.util.List;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -53,53 +54,65 @@ public TestResults parse(File f) throws Exception {
         List<Node> fileList = getNamedNodes("file", rootList);
 
         for (Node file : fileList) {
-            TestCaseResult tcr = parsePMDItem(file);
-            if (tcr != null) {
+            List<TestCaseResult> tcrs = parsePMDItem(file);
+            for (TestCaseResult tcr : tcrs) {
                 tr.put(tcr);
             }
         }
 
         return tr;
     }
 
-    private TestCaseResult parsePMDItem(Node fileNode) {
+    private List<TestCaseResult> parsePMDItem(Node fileNode) {
 
+        List<TestCaseResult> results = new ArrayList<TestCaseResult>();
         String filename = fileNode.getAttributes().getNamedItem("name").getNodeValue();
 
-        Node violationNode = getNamedChild("violation", fileNode);
-        String violation = violationNode.getAttributes().getNamedItem("rule").getNodeValue();
-
-        String testclass = filename.substring(filename.lastIndexOf("/") + 1);
-        if (testclass.startsWith(BenchmarkScore.TESTCASENAME)) {
-            TestCaseResult tcr = new TestCaseResult();
-
-            String testNumber =
-                    testclass.substring(
-                            BenchmarkScore.TESTCASENAME.length(),
-                            BenchmarkScore.TESTCASENAME.length() + BenchmarkScore.TESTIDLENGTH);
-            try {
-                tcr.setNumber(Integer.parseInt(testNumber));
-            } catch (NumberFormatException e) {
-                return null; // If we can't parse the test #, its not in a real test case file.
-                // e.g.,
-                // BenchmarkTesting.java
+        List<Node> violationNodes = getNamedChildren("violation", fileNode);
+        for (Node violationNode : violationNodes) {
+            String violation = violationNode.getAttributes().getNamedItem("rule").getNodeValue();
+
+            String testclass = filename.substring(filename.lastIndexOf("/") + 1);
+            if (testclass.startsWith(BenchmarkScore.TESTCASENAME)) {
+                TestCaseResult tcr = new TestCaseResult();
+
+                String testNumber =
+                        testclass.substring(
+                                BenchmarkScore.TESTCASENAME.length(),
+                                BenchmarkScore.TESTCASENAME.length() + BenchmarkScore.TESTIDLENGTH);
+                try {
+                    tcr.setNumber(Integer.parseInt(testNumber));
+                } catch (NumberFormatException e) {
+                    return null; // If we can't parse the test #, its not in a real test case file.
+                    // e.g.,
+                    // BenchmarkTesting.java
+                }
+                tcr.setCWE(figureCWE(tcr, violation));
+
+                tcr.setCategory(violation);
+                tcr.setEvidence(violation);
+                results.add(tcr);
             }
-            tcr.setCWE(figureCWE(tcr, violation));
-
-            tcr.setCategory(violation);
-            tcr.setEvidence(violation);
-            return tcr;
         }
 
-        return null;
+        return results;
     }
 
     private static int figureCWE(TestCaseResult tcr, String rule) {
         switch (rule) {
+            case "AvoidUsingOctalValues":
             case "CollapsibleIfStatements":
             case "EmptyCatchBlock":
+            case "EmptyIfStmt":
+            case "EmptyStatementNotInLoop":
+            case "EmptySwitchStatements":
+            case "UnnecessaryConversionTemporary":
+            case "UnnecessaryFullyQualifiedName":
+            case "UnnecessaryModifier":
+            case "UnnecessaryReturn":
             case "UnusedFormalParameter":
             case "UnusedLocalVariable":
+            case "UnusedPrivateMethod":
             case "UselessParentheses":
                 return 0000; // Don't care
                 // Don't think PMD reports any of these: