Check for matching Reader within reader and not in BenchmarkScore (+ lots of tests)

.gitignore

@@ -2,6 +2,7 @@
 .project
 .java-version
 .keystore
+.idea/
 
 # Package Files #
 *.jar

plugin/pom.xml

@@ -143,6 +143,13 @@
             <version>1.4.01</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter</artifactId>
+            <version>5.8.0</version>
+            <scope>test</scope>
+        </dependency>
+
     </dependencies>
 
     <build>

plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java

@@ -0,0 +1,162 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * <p>This reader reads JSON reports from the Horusec open source tool at:
+ * https://github.com/ZupIT/horusec
+ *
+ * @author Sascha Knoop
+ * @created 2021
+ */
+package org.owasp.benchmarkutils.score;
+
+public class CweNumber {
+
+    /** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') */
+    public static int PATH_TRAVERSAL = 22;
+
+    /**
+     * CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command
+     * Injection')
+     */
+    public static int COMMAND_INJECTION = 78;
+
+    /**
+     * CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+     */
+    public static int XSS = 79;
+
+    /**
+     * CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
+     */
+    public static int SQL_INJECTION = 89;
+
+    /**
+     * CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
+     */
+    public static int LDAP_INJECTION = 90;
+
+    /**
+     * CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response
+     * Splitting')
+     */
+    public static int HTTP_RESPONSE_SPLITTING = 113;
+
+    /** CWE-134: Use of Externally-Controlled Format String */
+    public static int EXTERNALLY_CONTROLLED_STRING = 134;
+
+    /** CWE-284: Improper Access Control */
+    public static int IMPROPER_ACCESS_CONTROL = 284;
+
+    /** CWE-327: Use of a Broken or Risky Cryptographic Algorithm */
+    public static int BROKEN_CRYPTO = 327;
+
+    /** CWE-328: Reversible One-Way Hash */
+    public static int REVERSIBLE_HASH = 328;
+
+    /** CWE-329: Generation of Predictable IV with CBC Mode */
+    public static int STATIC_CRYPTO_INIT = 329;
+
+    /** CWE-330: Use of Insufficiently Random Values */
+    public static int WEAK_RANDOM = 330;
+
+    /** CWE-352: Cross-Site Request Forgery (CSRF) */
+    public static int CSRF = 352;
+
+    /** CWE-382: J2EE Bad Practices: Use of System.exit() */
+    public static int SYSTEM_EXIT = 382;
+
+    /** CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference */
+    public static int CATCHING_NULL_POINTER_EXCEPTION = 395;
+
+    /** CWE-396: Declaration of Catch for Generic Exception */
+    public static int CATCH_GENERIC_EXCEPTION = 396;
+
+    /** CWE-397: Declaration of Throws for Generic Exception */
+    public static int THROW_GENERIC_EXCEPTION = 397;
+
+    /** CWE-478: Missing Default Case in Switch Statement */
+    public static int MISSING_DEFAULT_CASE = 478;
+
+    /** CWE-483: Incorrect Block Delimitation */
+    public static int INCORRECT_BLOCK_DELIMITATION = 483;
+
+    /** CWE-484: Omitted Break Statement in Switch */
+    public static int OMITTED_BREAK = 484;
+
+    /** CWE-493: Critical Public Variable Without Final Modifier */
+    public static int PUBLIC_VAR_WITHOUT_FINAL = 493;
+
+    /** CWE-500: Public Static Field Not Marked Final */
+    public static int PUBLIC_STATIC_NOT_FINAL = 500;
+
+    /** CWE-501: Trust Boundary Violation */
+    public static int TRUST_BOUNDARY_VIOLATION = 501;
+
+    /** CWE-502: Deserialization of Untrusted Data */
+    public static int INSECURE_DESERIALIZATION = 502;
+
+    /** CWE-523: Unprotected Transport of Credentials */
+    public static int UNPROTECTED_CREDENTIALS_TRANSPORT = 523;
+
+    /** CWE-532: Insertion of Sensitive Information into Log File */
+    public static int SENSITIVE_LOGFILE = 532;
+
+    /** CWE-572: Call to Thread run() instead of start() */
+    public static int THREAD_WRONG_CALL = 572;
+
+    /** CWE-580: clone() Method Without super.clone() */
+    public static int CLONE_WITHOUT_SUPER_CLONE = 580;
+
+    /** CWE-563: Assignment to Variable without Use */
+    public static int UNUSED_VAR_ASSIGNMENT = 563;
+
+    /** CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined */
+    public static int OBJECT_MODEL_VIOLATION = 581;
+
+    /** CWE-583: finalize() Method Declared Public */
+    public static int FINALIZE_DECLARED_PUBLIC = 583;
+
+    /** CWE-584: Return Inside Finally Block */
+    public static int RETURN_INSIDE_FINALLY = 584;
+
+    /** CWE-595: Comparison of Object References Instead of Object Contents */
+    public static int OBJECT_REFERENCE_COMPARISON = 595;
+
+    /** CWE-611: Improper Restriction of XML External Entity Reference */
+    public static int XML_ENTITIES = 611;
+
+    /** CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute */
+    public static int INSECURE_COOKIE = 614;
+
+    /** CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') */
+    public static int XPATH_INJECTION = 643;
+
+    /**
+     * CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity
+     * Checking
+     */
+    public static int OBFUSCATION = 649;
+
+    /** CWE-754: Improper Check for Unusual or Exceptional Conditions */
+    public static int IMPROPER_CHECK_FOR_CONDITIONS = 754;
+
+    /** CWE-783: Operator Precedence Logic Error */
+    public static int OPERATOR_PRECEDENCE_LOGIC = 783;
+
+    /** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') */
+    public static int LOOP_WITH_UNREACHABLE_EXIT = 835;
+
+    /** CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag */
+    public static int COOKIE_WITHOUT_HTTPONLY = 1004;
+}

plugin/src/main/java/org/owasp/benchmarkutils/score/ResultFile.java

@@ -0,0 +1,178 @@
+package org.owasp.benchmarkutils.score;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.StringReader;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.json.JSONObject;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.xml.sax.InputSource;
+import org.xml.sax.helpers.DefaultHandler;
+
+public class ResultFile {
+    private final byte[] rawContent;
+    private final String filename;
+    private final File originalFile;
+    private JSONObject contentAsJson;
+    private Document contentAsXml;
+
+    public ResultFile(File fileToParse) throws IOException {
+        this(fileToParse, readFileContent(fileToParse));
+    }
+
+    public ResultFile(String filename, String content) throws IOException {
+        this(filename, content.getBytes());
+    }
+
+    public ResultFile(String filename, byte[] rawContent) throws IOException {
+        this(new File(filename), rawContent);
+    }
+
+    public ResultFile(File fileToParse, byte[] rawContent) throws IOException {
+        this.rawContent = rawContent;
+        originalFile = fileToParse;
+        filename = originalFile.getName();
+        parseJson();
+        parseXml();
+    }
+
+    private String removeBom(byte[] rawContent) {
+        String s = new String(rawContent, StandardCharsets.UTF_8);
+
+        if (s.startsWith("\uFEFF")) {
+            return s.substring(1);
+        }
+
+        return s;
+    }
+
+    private static byte[] readFileContent(File fileToParse) throws IOException {
+        return Files.readAllBytes(Paths.get(fileToParse.getPath()));
+    }
+
+    private void parseJson() {
+        try {
+            contentAsJson = new JSONObject(removeBom(rawContent));
+        } catch (Exception ignored) {
+            // No JSON
+        }
+    }
+
+    private void parseXml() {
+        try {
+            DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+            // Prevent XXE = Note, disabling DTDs entirely breaks the parsing of some XML files,
+            // like a Burp results file, so have to use the alternate defense.
+            // dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            docBuilderFactory.setFeature(
+                    "http://xml.org/sax/features/external-general-entities", false);
+            docBuilderFactory.setFeature(
+                    "http://xml.org/sax/features/external-parameter-entities", false);
+            DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+            docBuilder.setErrorHandler(new DefaultHandler());
+            InputSource is = new InputSource(new StringReader(this.content()));
+            this.contentAsXml = docBuilder.parse(is);
+        } catch (Exception ignored) {
+            // No XML
+        }
+    }
+
+    public String filename() {
+        return filename;
+    }
+
+    public boolean isJson() {
+        return contentAsJson != null;
+    }
+
+    public boolean isXml() {
+        return contentAsXml != null;
+    }
+
+    public JSONObject json() {
+        return contentAsJson;
+    }
+
+    public String content() {
+        return removeBom(rawContent);
+    }
+
+    public File file() {
+        return originalFile;
+    }
+
+    /**
+     * Read the specified line of the provided file. Returns empty string if the given file does not
+     * have as many lines.
+     */
+    public String line(int lineNum) {
+        List<String> lines = Arrays.asList(removeBom(rawContent).split("\n"));
+
+        if (lineNum >= lines.size()) {
+            return "";
+        }
+
+        return lines.get(lineNum);
+    }
+
+    public List<String> lines() {
+        return new ArrayList<>();
+    }
+
+    public Document xml() {
+        return contentAsXml;
+    }
+
+    public Element xmlRootNode() {
+        return xml().getDocumentElement();
+    }
+
+    public String xmlRootNodeName() {
+        return isXml() ? xmlRootNode().getNodeName() : "";
+    }
+
+    /**
+     * Extracts a file from a packed ResultFile.
+     *
+     * @return
+     */
+    public ResultFile extract(String zipPath) {
+        try (ZipInputStream zipIn = new ZipInputStream(new ByteArrayInputStream(rawContent))) {
+            ZipEntry entry = zipIn.getNextEntry();
+            while (entry != null) {
+                if (entry.getName().equals(zipPath)) {
+                    return readFileFromZip(zipPath, zipIn);
+                }
+                zipIn.closeEntry();
+                entry = zipIn.getNextEntry();
+            }
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+
+        throw new RuntimeException("ZipFile does not contain " + zipPath);
+    }
+
+    private ResultFile readFileFromZip(String zipPath, ZipInputStream zipIn) throws IOException {
+        try (ByteArrayOutputStream bos = new ByteArrayOutputStream()) {
+            final byte[] buf = new byte[1024];
+            int length;
+            while ((length = zipIn.read(buf, 0, buf.length)) >= 0) {
+                bos.write(buf, 0, length);
+            }
+            return new ResultFile(zipPath, bos.toByteArray());
+        }
+    }
+}

plugin/src/main/java/org/owasp/benchmarkutils/score/TestSuiteResults.java

@@ -247,23 +247,6 @@ public void setTime(File f) {
         }
     }
 
-    // We had to create a custom method for Fortify since we extract the contents of the .fpr
-    // file out into a temp file whose name looks like this:
-    //      Benchmark_1.1-Fortify-13121.fpr8111236727473243675.fvdl
-
-    public void setFortifyTime(File f) {
-        String filename = f.getName();
-        // to make the same as normal filenames, strip off the '.fvdl' at the end of the filename
-        filename = filename.substring(0, filename.lastIndexOf('.') - 1);
-        String time = filename.substring(filename.lastIndexOf('-') + 1, filename.lastIndexOf('.'));
-        try {
-            int seconds = Integer.parseInt(time);
-            this.setTime(formatTime(seconds * 1000));
-        } catch (Exception e) {
-            this.setTime("Time not specified");
-        }
-    }
-
     /**
      * Get the total number of results for these TestResults.
      *