diff --git a/docs/content/en/connecting_your_tools/parsers/file/checkmarx_cxflow_sast.md b/docs/content/en/connecting_your_tools/parsers/file/checkmarx_cxflow_sast.md new file mode 100644 index 00000000000..b984b7dd694 --- /dev/null +++ b/docs/content/en/connecting_your_tools/parsers/file/checkmarx_cxflow_sast.md @@ -0,0 +1,22 @@ +--- +title: "Checkmarx CxFlow SAST" +toc_hide: true +--- + +CxFlow is a Spring Boot application written by Checkmarx that enables initiations of scans and result orchestration. +CxFlow support interactive with various Checkmarx product. +This parser support JSON format export by bug tracker. + +``` +#YAML +cx-flow: + bug-tracker:Json + +#CLI +--cx-flow.bug-tracker=json +``` + +- `Checkmarx CxFlow SAST`: JSON report from Checkmarx Cxflow. + +### Sample Scan Data +Sample Checkmarx CxFlow SAST scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/checkmarx_cxflow_sast). diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 4f72fa171ce..754c4edaebe 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1288,6 +1288,7 @@ def saml2_attrib_map_format(dict): "Legitify Scan": ["title", "endpoints", "severity"], "ThreatComposer Scan": ["title", "description"], "Invicti Scan": ["title", "description", "severity"], + "Checkmarx CxFlow SAST": ["vuln_id_from_tool", "file_path", "line"], "HackerOne Cases": ["title", "severity"], "KrakenD Audit Scan": ["description", "mitigation", "severity"], "Red Hat Satellite": ["description", "severity"], @@ -1535,6 +1536,7 @@ def saml2_attrib_map_format(dict): "Legitify Scan": DEDUPE_ALGO_HASH_CODE, "ThreatComposer Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, "Invicti Scan": DEDUPE_ALGO_HASH_CODE, + "Checkmarx CxFlow SAST": DEDUPE_ALGO_HASH_CODE, "KrakenD Audit Scan": DEDUPE_ALGO_HASH_CODE, "PTART Report": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, "Red Hat Satellite": DEDUPE_ALGO_HASH_CODE, 
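Review bot: The hash-code field list added for "Checkmarx CxFlow SAST" relies on `vuln_id_from_tool` to tell vulnerability types apart, but the parser fills that field from `similarityId`, which the 4-findings fixture omits for its Heap_Inspection and Privacy_Violation issues; for such issues the hash degrades to file_path + line, so two different query types reported at the same file and sink line would be deduplicated into one finding. Adding a type-bearing field keeps them distinct: `"Checkmarx CxFlow SAST": ["vuln_id_from_tool", "file_path", "line", "title"],` (or `"cwe"` if titles are considered too volatile). Whether real CxFlow exports ever omit similarityId I can only infer from the fixture, so confirm against the tool's schema before widening the list.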
diff --git a/dojo/tools/checkmarx_cxflow_sast/__init__.py b/dojo/tools/checkmarx_cxflow_sast/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/dojo/tools/checkmarx_cxflow_sast/parser.py b/dojo/tools/checkmarx_cxflow_sast/parser.py
new file mode 100644
index 00000000000..292bbfc7c5c
--- /dev/null
+++ b/dojo/tools/checkmarx_cxflow_sast/parser.py
@@ -0,0 +1,149 @@ +import json +import logging + +import dateutil.parser + +from dojo.models import Finding + +logger = logging.getLogger(__name__) + + +class _PathNode: + def __init__(self, file: str, line: str, column: str, node_object: str, length: str, snippet: str): + self.file = file + self.line = line + self.column = int(column) + self.node_object = node_object + self.length = int(length) + self.snippet = snippet + + @classmethod + def from_json_object(cls, data): + return _PathNode( + data.get("file"), + data.get("line"), + data.get("column"), + data.get("object"), + data.get("length"), + data.get("snippet"), + ) + + +class _Path: + def __init__(self, sink: _PathNode, source: _PathNode, state: str, paths: [_PathNode]): + self.sink = sink + self.source = source + self.state = state + self.paths = paths + + +class CheckmarxCXFlowSastParser: + def __init__(self): + pass + + def get_scan_types(self): + return ["Checkmarx CxFlow SAST"] + + def get_label_for_scan_types(self, scan_type): + return scan_type # no custom label for now + + def get_description_for_scan_types(self, scan_type): + return "Detailed Report. 
Import all vulnerabilities from checkmarx without aggregation" + + def get_findings(self, file, test): + if file.name.strip().lower().endswith(".json"): + return self._get_findings_json(file, test) + # TODO: support CxXML format + logger.warning(f"Not supported file format ${file}") + return [] + + def _get_findings_json(self, file, test): + data = json.load(file) + findings = [] + additional_details = data.get("additionalDetails") + scan_start_date = additional_details.get("scanStartDate") + + issues = data.get("xissues", []) + + for issue in issues: + vulnerability = issue.get("vulnerability") + status = issue.get("vulnerabilityStatus") + cwe = issue.get("cwe") + description = issue.get("description") + language = issue.get("language") + severity = issue.get("severity") + link = issue.get("link") + filename = issue.get("filename") + similarity_id = issue.get("similarityId") + + issue_additional_details = issue.get("additionalDetails") + categories = issue_additional_details.get("categories") + results = issue_additional_details.get("results") + + map_paths = {} + + for result in results: + # all path nodes exclude sink, source, state + path_keys = sorted(filter(lambda k: isinstance(k, str) and k.isnumeric(), result.keys())) + + path = _Path( + sink=_PathNode.from_json_object(result.get("sink")), + source=_PathNode.from_json_object(result.get("source")), + state=result.get("state"), + paths=[result[k] for k in path_keys], + ) + + map_paths[str(path.source.line)] = path + + for detail_key in issue.get("details"): + if detail_key not in map_paths: + logger.warning(f"{detail_key} not found in path, ignore") + else: + detail = map_paths[detail_key] + + finding_detail = f"**Category:** {categories}\n" + finding_detail += f"**Language:** {language}\n" + finding_detail += f"**Status:** {status}\n" + finding_detail += f"**Finding link:** [{link}]({link})\n" + finding_detail += f"**Description:** {description}\n" + finding_detail += f"**Source snippet:** 
`{detail.source.snippet if detail.source is not None else ''}`\n" + finding_detail += f"**Sink snippet:** `{detail.sink.snippet if detail.sink is not None else ''}`\n" + + finding = Finding( + title=vulnerability.replace("_", " ") + " " + detail.sink.file.split("/")[ + -1] if detail.sink is not None else "", + cwe=int(cwe), + date=dateutil.parser.parse(scan_start_date), + static_finding=True, + test=test, + sast_source_object=detail.source.node_object if detail.source is not None else None, + sast_sink_object=detail.sink.node_object if detail.sink is not None else None, + sast_source_file_path=detail.source.file if detail.source is not None else None, + sast_source_line=detail.source.line if detail.source is not None else None, + vuln_id_from_tool=similarity_id, + severity=severity, + file_path=filename, + line=detail.sink.line, + false_p=issue.get("details")[detail_key].get("falsePositive") or self.is_not_exploitable( + detail.state), + description=finding_detail, + verified=self.is_verify(detail.state), + active=self.is_active(detail.state), + ) + + findings.append(finding) + + return findings + + def is_verify(self, state): + # Confirmed, urgent + verifiedStates = ["2", "3"] + return state in verifiedStates + + def is_active(self, state): + # To verify, Confirmed, Urgent, Proposed not exploitable + activeStates = ["0", "2", "3", "4"] + return state in activeStates + + def is_not_exploitable(self, state): + return state == "1" diff --git a/unittests/scans/checkmarx_cxflow_sast/1-finding.json b/unittests/scans/checkmarx_cxflow_sast/1-finding.json new file mode 100644 index 00000000000..dc872a2a66c --- /dev/null +++ b/unittests/scans/checkmarx_cxflow_sast/1-finding.json 
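Review bot: The `is not None` guards on `detail.sink` and `detail.source` around the Finding() construction never fire, because `_PathNode.from_json_object(None)` raises AttributeError on `data.get("file")` before `_Path` is ever built, while the one field that would actually need protecting, `line=detail.sink.line`, has no guard at all. The `title=` expression compounds this: the conditional binds over the whole concatenation, so a missing sink would yield an empty title instead of the vulnerability name. Returning `None` from `from_json_object` for an absent node and computing the sink file name once makes the guards real, as sketched below. Separately, `path_keys` is sorted lexicographically, so `"10"` orders before `"2"` in a path with ten or more nodes; `sorted(..., key=int)` fixes that, although nothing in this hunk reads `paths`. I would also hedge on `severity=severity` being passed through verbatim: the fixtures only show High and Medium, and if CxFlow emits an "Information"-style level it will not match DefectDojo's Info, so a small normalisation map is worth confirming against the tool's output.
```python
    @classmethod
    def from_json_object(cls, data):
        # sink/source may be absent from a result; return None so callers can test for it.
        if data is None:
            return None
        return _PathNode(
            data.get("file"),
            data.get("line"),
            data.get("column"),
            data.get("object"),
            data.get("length"),
            data.get("snippet"),
        )

# … unchanged: _Path, get_scan_types, get_findings, loop body up to the Finding() call …

                    sink_file = detail.sink.file.split("/")[-1] if detail.sink is not None else ""
                    finding = Finding(
                        title=(vulnerability.replace("_", " ") + " " + sink_file).strip(),
                        # … unchanged: cwe, date, static_finding, test, sast_* fields, vuln_id_from_tool, severity, file_path …
                        line=detail.sink.line if detail.sink is not None else None,
                        # … unchanged: false_p, description, verified, active …
                    )
```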
@@ -0,0 +1,192 @@ +{ + "projectId": "6", + "team": "CxServer", + "project": "some-example", + "link": "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6", + "files": "1", + "loc": "268", + "scanType": "Full", + "version":"8.9.0.210", + "additionalDetails": { + "flow-summary": { + "High": 1 + }, + "scanId": "1000026", + "scanStartDate": "Sunday, January 19, 2020 2:40:11 AM" + }, + "xissues": [ + { + "vulnerability": "Reflected_XSS_All_Clients", + "vulnerabilityStatus": "TO VERIFY", + "similarityId": "14660819", + "cwe": "79", + "description": "", + "language": "Java", + "severity": "High", + "link": "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=2", + "filename": "DOS_Login.java", + "falsePositiveCount": 0, + "details": { + "88": { + "falsePositive": false, + "codeSnippet": "username = s.getParser().getRawParameter(USERNAME);", + "comment": "" + } + }, + "additionalDetails": { + "recommendedFix": "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=591&queryVersionCode=56110529&queryTitle=Reflected_XSS_All_Clients", + "categories": "PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)", + "results": [ + { + "sink": { + "file": "AnotherFile.java", + "line": "107", + "column": "9", + "object": "username", + "length" : "8", + "snippet" : "+ username + \"' and password = '\" + password + \"'\";" + }, + "state": "0", + "source": { + "file": "DOS_Login.java", + "line": "88", + "column": "46", + "object": "getRawParameter", + "length" : "1", + "snippet" : "username = s.getParser().getRawParameter(USERNAME);" + }, + "1" : { + "snippet" : "username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : 
"getRawParameter" + }, + "2" : { + "snippet" : "username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "6", + "length" : "8", + "object" : "username" + }, + "3" : { + "snippet" : "if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "37", + "length" : "8", + "object" : "username" + }, + "4" : { + "snippet" : "if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "10", + "length" : "8", + "object" : "username" + }, + "5" : { + "snippet" : "+ username + \"' and password = '\" + password + \"'\";", + "file" : "AnotherFile.java", + "line" : "107", + "column" : "9", + "length" : "8", + "object" : "username" + } + } + ], + "CodeBashingLesson" : "https://cxa.codebashing.com/courses/" + }, + "allFalsePositive": false + } + ], + "unFilteredIssues": [ { + "vulnerability" : "Reflected_XSS_All_Clients", + "vulnerabilityStatus" : "TO VERIFY", + "similarityId" : "14660819", + "cwe" : "79", + "description" : "", + "language" : "Java", + "severity" : "High", + "link" : "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=2", + "filename" : "DOS_Login.java", + "gitUrl" : "", + "falsePositiveCount" : 0, + "details" : { + "88" : { + "falsePositive" : false, + "comment" : "" + } + }, + "additionalDetails" : { + "recommendedFix" : "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=591&queryVersionCode=56110529&queryTitle=Reflected_XSS_All_Clients", + "categories" : "PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)", + "results" : [ { + "1" : { + "snippet" : "username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + 
"line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" : { + "snippet" : "username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "6", + "length" : "8", + "object" : "username" + }, + "3" : { + "snippet" : "if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "37", + "length" : "8", + "object" : "username" + }, + "4" : { + "snippet" : "if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "10", + "length" : "8", + "object" : "username" + }, + "5" : { + "snippet" : "+ username + \"' and password = '\" + password + \"'\";", + "file" : "AnotherFile.java", + "line" : "107", + "column" : "9", + "length" : "8", + "object" : "username" + }, + "sink" : { + "snippet" : "+ username + \"' and password = '\" + password + \"'\";", + "file" : "AnotherFile.java", + "line" : "107", + "column" : "9", + "length" : "8", + "object" : "username" + }, + "state" : "0", + "source" : { + "snippet" : "username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + } + } ] + }, + "allFalsePositive" : false + } ], + "reportCreationTime":"Sunday, January 19, 2020 2:41:53 AM", + "deepLink":"http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6", + "scanTime":"00h:01m:30s", + "sastResults": false +} \ No newline at end of file diff --git a/unittests/scans/checkmarx_cxflow_sast/4-findings.json b/unittests/scans/checkmarx_cxflow_sast/4-findings.json new file mode 100644 index 00000000000..f8008d29684 --- /dev/null +++ b/unittests/scans/checkmarx_cxflow_sast/4-findings.json 
@@ -0,0 +1,1220 @@ +{ + "projectId": "6", + "team": "CxServer", + "project": "some-example", + "link": "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6", + "files": "1", + "loc": "268", + "scanType": "Full", + "version":"8.9.0.210", + "additionalDetails": { + "flow-summary": { + "High": 4 + }, + "scanId": "1000026", + "scanStartDate": "Sunday, January 19, 2020 2:40:11 AM" + }, + "xissues": [ + { + "vulnerability": "Reflected_XSS_All_Clients", + "vulnerabilityStatus": "TO VERIFY", + "similarityId": "14660819", + "cwe": "79", + "description": "", + "language": "Java", + "severity": "High", + "link": "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=2", + "filename": "DOS_Login.java", + "gitUrl": "", + "falsePositiveCount": 0, + "details": { + "88": { + "falsePositive": false, + "codeSnippet": "\t username = s.getParser().getRawParameter(USERNAME);", + "comment": "" + }, + "89": { + "falsePositive": false, + "codeSnippet": "\t password = s.getParser().getRawParameter(PASSWORD);", + "comment": "" + } + }, + "additionalDetails": { + "recommendedFix": "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=591&queryVersionCode=56110529&queryTitle=Reflected_XSS_All_Clients", + "categories": "PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)", + "results": [ + { + "sink": { + "file": "DOS_Login.java", + "line": "108", + "column": "20", + "object": "StringElement", + "length" : "3", + "snippet" : "\t ec.addElement(new StringElement(query));" + }, + "state": "0", + "source": { + "file": "DOS_Login.java", + "line": "88", + "column": "46", + "object": "getRawParameter", + "length" : "1", + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);" + }, + "1" : { + "snippet" : "\t username 
= s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "6", + "length" : "8", + "object" : "username" + }, + "3" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "37", + "length" : "8", + "object" : "username" + }, + "4" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "10", + "length" : "8", + "object" : "username" + }, + "5" : { + "snippet" : "\t\t + username + \"' and password = '\" + password + \"'\";", + "file" : "DOS_Login.java", + "line" : "107", + "column" : "9", + "length" : "8", + "object" : "username" + }, + "6" : { + "snippet" : "\t String query = \"SELECT * FROM user_system_data WHERE user_name = '\"", + "file" : "DOS_Login.java", + "line" : "106", + "column" : "13", + "length" : "5", + "object" : "query" + }, + "7" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "38", + "length" : "5", + "object" : "query" + }, + "8" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "20", + "length" : "3", + "object" : "StringElement" + } + }, + { + "sink": { + "file": "DOS_Login.java", + "line": "108", + "column": "20", + "object": "StringElement", + "length" : "3", + "snippet" : "\t ec.addElement(new StringElement(query));" + }, + "state": "0", + "source": { + "file": "DOS_Login.java", + "line": "89", + "column": "46", + "object": "getRawParameter", + "length" : "1", + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);" + }, + "1" : { + "snippet" : "\t password = 
s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "6", + "length" : "8", + "object" : "password" + }, + "3" : { + "snippet" : "\t\t + username + \"' and password = '\" + password + \"'\";", + "file" : "DOS_Login.java", + "line" : "107", + "column" : "43", + "length" : "8", + "object" : "password" + }, + "4" : { + "snippet" : "\t String query = \"SELECT * FROM user_system_data WHERE user_name = '\"", + "file" : "DOS_Login.java", + "line" : "106", + "column" : "13", + "length" : "5", + "object" : "query" + }, + "5" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "38", + "length" : "5", + "object" : "query" + }, + "6" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "20", + "length" : "3", + "object" : "StringElement" + } + } + ] + }, + "allFalsePositive": false + }, + { + "vulnerability": "SQL_Injection", + "vulnerabilityStatus": "TO VERIFY", + "similarityId": "-1987639889", + "cwe": "89", + "description": "", + "language": "Java", + "severity": "High", + "link": "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=4", + "filename": "DOS_Login.java", + "falsePositiveCount": 0, + "details": { + "88": { + "falsePositive": false, + "codeSnippet": "\t username = s.getParser().getRawParameter(USERNAME);", + "comment": "" + }, + "89": { + "falsePositive": false, + "codeSnippet": "\t password = s.getParser().getRawParameter(PASSWORD);", + "comment": "" + } + }, + "additionalDetails": { + "recommendedFix": "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=594&queryVersionCode=56142311&queryTitle=SQL_Injection", + "categories": 
"PCI DSS v3.2;PCI DSS (3.2) - 6.5.1 - Injection flaws - particularly SQL injection,OWASP Top 10 2013;A1-Injection,FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-10 Information Input Validation (P1),OWASP Top 10 2017;A1-Injection,OWASP Mobile Top 10 2016;M7-Client Code Quality", + "results": [ + { + "sink": { + "file": "DOS_Login.java", + "line": "114", + "column": "45", + "object": "executeQuery", + "length" : "1", + "snippet" : "\t\tResultSet results = statement.executeQuery(query);" + }, + "state": "0", + "source": { + "file": "DOS_Login.java", + "line": "88", + "column": "46", + "object": "getRawParameter", + "length" : "1", + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);" + }, + "1" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "6", + "length" : "8", + "object" : "username" + }, + "3" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "37", + "length" : "8", + "object" : "username" + }, + "4" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "10", + "length" : "8", + "object" : "username" + }, + "5" : { + "snippet" : "\t\t + username + \"' and password = '\" + password + \"'\";", + "file" : "DOS_Login.java", + "line" : "107", + "column" : "9", + "length" : "8", + "object" : "username" + }, + "6" : { + "snippet" : "\t String query = \"SELECT * FROM user_system_data WHERE user_name = '\"", + "file" : "DOS_Login.java", + "line" : "106", + "column" : "13", + "length" : "5", + "object" : "query" + }, + "7" : { + "snippet" : "\t\tResultSet results = 
statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "46", + "length" : "5", + "object" : "query" + }, + "8" : { + "snippet" : "\t\tResultSet results = statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "45", + "length" : "1", + "object" : "executeQuery" + } + }, + { + "sink": { + "file": "DOS_Login.java", + "line": "114", + "column": "45", + "object": "executeQuery", + "length" : "1", + "snippet" : "\t\tResultSet results = statement.executeQuery(query);" + }, + "state": "0", + "source": { + "file": "DOS_Login.java", + "line": "89", + "column": "46", + "object": "getRawParameter", + "length" : "1", + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);" + }, + "1" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "6", + "length" : "8", + "object" : "password" + }, + "3" : { + "snippet" : "\t\t + username + \"' and password = '\" + password + \"'\";", + "file" : "DOS_Login.java", + "line" : "107", + "column" : "43", + "length" : "8", + "object" : "password" + }, + "4" : { + "snippet" : "\t String query = \"SELECT * FROM user_system_data WHERE user_name = '\"", + "file" : "DOS_Login.java", + "line" : "106", + "column" : "13", + "length" : "5", + "object" : "query" + }, + "5" : { + "snippet" : "\t\tResultSet results = statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "46", + "length" : "5", + "object" : "query" + }, + "6" : { + "snippet" : "\t\tResultSet results = statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "45", + "length" : "1", + "object" : "executeQuery" + } + } + ], + "CodeBashingLesson" : 
"https://cxa.codebashing.com/courses/" + }, + "allFalsePositive": false + } + ], + "unFilteredIssues": [ { + "vulnerability" : "Reflected_XSS_All_Clients", + "vulnerabilityStatus" : "TO VERIFY", + "similarityId" : "14660819", + "cwe" : "79", + "description" : "", + "language" : "Java", + "severity" : "High", + "link" : "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=2", + "filename" : "DOS_Login.java", + "gitUrl" : "", + "falsePositiveCount" : 0, + "details" : { + "88" : { + "falsePositive" : false, + "comment" : "" + }, + "89" : { + "falsePositive" : false, + "comment" : "" + } + }, + "additionalDetails" : { + "recommendedFix" : "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=591&queryVersionCode=56110529&queryTitle=Reflected_XSS_All_Clients", + "categories" : "PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)", + "results" : [ { + "1" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "6", + "length" : "8", + "object" : "username" + }, + "3" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "37", + "length" : "8", + "object" : "username" + }, + "4" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "10", + "length" : "8", + "object" : "username" + }, + "5" : { + "snippet" : "\t\t + username + \"' and password = '\" + password + \"'\";", + 
"file" : "DOS_Login.java", + "line" : "107", + "column" : "9", + "length" : "8", + "object" : "username" + }, + "sink" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "20", + "length" : "3", + "object" : "StringElement" + }, + "6" : { + "snippet" : "\t String query = \"SELECT * FROM user_system_data WHERE user_name = '\"", + "file" : "DOS_Login.java", + "line" : "106", + "column" : "13", + "length" : "5", + "object" : "query" + }, + "7" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "38", + "length" : "5", + "object" : "query" + }, + "8" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "20", + "length" : "3", + "object" : "StringElement" + }, + "state" : "0", + "source" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + } + }, { + "1" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "6", + "length" : "8", + "object" : "password" + }, + "3" : { + "snippet" : "\t\t + username + \"' and password = '\" + password + \"'\";", + "file" : "DOS_Login.java", + "line" : "107", + "column" : "43", + "length" : "8", + "object" : "password" + }, + "4" : { + "snippet" : "\t String query = \"SELECT * FROM user_system_data WHERE user_name = '\"", + "file" : "DOS_Login.java", + "line" : "106", + "column" : "13", + "length" : "5", + "object" : "query" + }, + "5" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : 
"DOS_Login.java", + "line" : "108", + "column" : "38", + "length" : "5", + "object" : "query" + }, + "sink" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "20", + "length" : "3", + "object" : "StringElement" + }, + "6" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "20", + "length" : "3", + "object" : "StringElement" + }, + "state" : "0", + "source" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + } + } ] + }, + "allFalsePositive" : false + }, { + "vulnerability" : "SQL_Injection", + "vulnerabilityStatus" : "TO VERIFY", + "similarityId" : "-1987639889", + "cwe" : "89", + "description" : "", + "language" : "Java", + "severity" : "High", + "link" : "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=4", + "filename" : "DOS_Login.java", + "gitUrl" : "", + "falsePositiveCount" : 0, + "details" : { + "88" : { + "falsePositive" : false, + "comment" : "" + }, + "89" : { + "falsePositive" : false, + "comment" : "" + } + }, + "additionalDetails" : { + "recommendedFix" : "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=594&queryVersionCode=56142311&queryTitle=SQL_Injection", + "categories" : "PCI DSS v3.2;PCI DSS (3.2) - 6.5.1 - Injection flaws - particularly SQL injection,OWASP Top 10 2013;A1-Injection,FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-10 Information Input Validation (P1),OWASP Top 10 2017;A1-Injection,OWASP Mobile Top 10 2016;M7-Client Code Quality", + "results" : [ { + "1" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" : { + "snippet" : "\t username 
= s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "6", + "length" : "8", + "object" : "username" + }, + "3" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "37", + "length" : "8", + "object" : "username" + }, + "4" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "10", + "length" : "8", + "object" : "username" + }, + "5" : { + "snippet" : "\t\t + username + \"' and password = '\" + password + \"'\";", + "file" : "DOS_Login.java", + "line" : "107", + "column" : "9", + "length" : "8", + "object" : "username" + }, + "sink" : { + "snippet" : "\t\tResultSet results = statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "45", + "length" : "1", + "object" : "executeQuery" + }, + "6" : { + "snippet" : "\t String query = \"SELECT * FROM user_system_data WHERE user_name = '\"", + "file" : "DOS_Login.java", + "line" : "106", + "column" : "13", + "length" : "5", + "object" : "query" + }, + "7" : { + "snippet" : "\t\tResultSet results = statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "46", + "length" : "5", + "object" : "query" + }, + "8" : { + "snippet" : "\t\tResultSet results = statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "45", + "length" : "1", + "object" : "executeQuery" + }, + "state" : "0", + "source" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + } + }, { + "1" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" 
: { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "6", + "length" : "8", + "object" : "password" + }, + "3" : { + "snippet" : "\t\t + username + \"' and password = '\" + password + \"'\";", + "file" : "DOS_Login.java", + "line" : "107", + "column" : "43", + "length" : "8", + "object" : "password" + }, + "4" : { + "snippet" : "\t String query = \"SELECT * FROM user_system_data WHERE user_name = '\"", + "file" : "DOS_Login.java", + "line" : "106", + "column" : "13", + "length" : "5", + "object" : "query" + }, + "5" : { + "snippet" : "\t\tResultSet results = statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "46", + "length" : "5", + "object" : "query" + }, + "sink" : { + "snippet" : "\t\tResultSet results = statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "45", + "length" : "1", + "object" : "executeQuery" + }, + "6" : { + "snippet" : "\t\tResultSet results = statement.executeQuery(query);", + "file" : "DOS_Login.java", + "line" : "114", + "column" : "45", + "length" : "1", + "object" : "executeQuery" + }, + "state" : "0", + "source" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + } + } ] + }, + "allFalsePositive" : false + }, { + "vulnerability" : "Heap_Inspection", + "vulnerabilityStatus" : "TO VERIFY", + "cwe" : "244", + "description" : "", + "language" : "Java", + "severity" : "Medium", + "link" : "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=1", + "filename" : "DOS_Login.java", + "gitUrl" : "", + "falsePositiveCount" : 0, + "details" : { + "87" : { + "falsePositive" : false, + "comment" : "" + } + }, + "additionalDetails" : { + "recommendedFix" : 
"http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=3771&queryVersionCode=94850879&queryTitle=Heap_Inspection", + "categories" : "OWASP Top 10 2013;A6-Sensitive Data Exposure,FISMA 2014;Media Protection,NIST SP 800-53;SC-4 Information in Shared Resources (P1),OWASP Top 10 2017;A3-Sensitive Data Exposure", + "results" : [ { + "1" : { + "snippet" : "\t String password = \"\";", + "file" : "DOS_Login.java", + "line" : "87", + "column" : "13", + "length" : "8", + "object" : "password" + }, + "sink" : { + "snippet" : "\t String password = \"\";", + "file" : "DOS_Login.java", + "line" : "87", + "column" : "13", + "length" : "8", + "object" : "password" + }, + "state" : "0", + "source" : { + "snippet" : "\t String password = \"\";", + "file" : "DOS_Login.java", + "line" : "87", + "column" : "13", + "length" : "8", + "object" : "password" + } + } ] + }, + "allFalsePositive" : false + }, { + "vulnerability" : "Privacy_Violation", + "vulnerabilityStatus" : "TO VERIFY", + "cwe" : "359", + "description" : "", + "language" : "Java", + "severity" : "Medium", + "link" : "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=10", + "filename" : "DOS_Login.java", + "gitUrl" : "", + "falsePositiveCount" : 0, + "details" : { + "89" : { + "falsePositive" : false, + "comment" : "" + } + }, + "additionalDetails" : { + "recommendedFix" : "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=639&queryVersionCode=56620121&queryTitle=Privacy_Violation", + "categories" : "PCI DSS v3.2;PCI DSS (3.2) - 6.5.1 - Injection flaws - particularly SQL injection,OWASP Top 10 2013;A6-Sensitive Data Exposure,FISMA 2014;Identification And Authentication,NIST SP 800-53;SC-4 Information in Shared Resources (P1),OWASP Top 10 2017;A3-Sensitive Data Exposure", + "results" : [ { + "1" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "6", + "length" : "8", + "object" : 
"password" + }, + "2" : { + "snippet" : "\t\t + username + \"' and password = '\" + password + \"'\";", + "file" : "DOS_Login.java", + "line" : "107", + "column" : "43", + "length" : "8", + "object" : "password" + }, + "3" : { + "snippet" : "\t String query = \"SELECT * FROM user_system_data WHERE user_name = '\"", + "file" : "DOS_Login.java", + "line" : "106", + "column" : "13", + "length" : "5", + "object" : "query" + }, + "4" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "38", + "length" : "5", + "object" : "query" + }, + "5" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "20", + "length" : "3", + "object" : "StringElement" + }, + "sink" : { + "snippet" : "\t ec.addElement(new StringElement(query));", + "file" : "DOS_Login.java", + "line" : "108", + "column" : "20", + "length" : "3", + "object" : "StringElement" + }, + "state" : "0", + "source" : { + "snippet" : "\t password = s.getParser().getRawParameter(PASSWORD);", + "file" : "DOS_Login.java", + "line" : "89", + "column" : "6", + "length" : "8", + "object" : "password" + } + } ] + }, + "allFalsePositive" : false + }, { + "vulnerability" : "XSRF", + "vulnerabilityStatus" : "TO VERIFY", + "cwe" : "352", + "description" : "", + "language" : "Java", + "severity" : "Medium", + "link" : "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=11", + "filename" : "DOS_Login.java", + "gitUrl" : "", + "falsePositiveCount" : 0, + "details" : { + "88" : { + "falsePositive" : false, + "comment" : "" + } + }, + "additionalDetails" : { + "recommendedFix" : "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=648&queryVersionCode=56715926&queryTitle=XSRF", + "categories" : "PCI DSS v3.2;PCI DSS (3.2) - 6.5.9 - Cross-site request forgery,OWASP Top 10 2013;A8-Cross-Site Request Forgery (CSRF),NIST SP 800-53;SC-23 Session 
Authenticity (P1)", + "results" : [ { + "1" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + }, + "2" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "6", + "length" : "8", + "object" : "username" + }, + "3" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "37", + "length" : "8", + "object" : "username" + }, + "4" : { + "snippet" : "\t if (username.equals(\"jeff\") || username.equals(\"dave\"))", + "file" : "DOS_Login.java", + "line" : "92", + "column" : "10", + "length" : "8", + "object" : "username" + }, + "5" : { + "snippet" : "\t\t\t\t + username", + "file" : "DOS_Login.java", + "line" : "130", + "column" : "11", + "length" : "8", + "object" : "username" + }, + "sink" : { + "snippet" : "\t\t\t statement.executeUpdate(insertData1);", + "file" : "DOS_Login.java", + "line" : "134", + "column" : "31", + "length" : "1", + "object" : "executeUpdate" + }, + "6" : { + "snippet" : "\t\t\t String insertData1 = \"INSERT INTO user_login VALUES ( '\"", + "file" : "DOS_Login.java", + "line" : "129", + "column" : "15", + "length" : "11", + "object" : "insertData1" + }, + "7" : { + "snippet" : "\t\t\t statement.executeUpdate(insertData1);", + "file" : "DOS_Login.java", + "line" : "134", + "column" : "32", + "length" : "11", + "object" : "insertData1" + }, + "8" : { + "snippet" : "\t\t\t statement.executeUpdate(insertData1);", + "file" : "DOS_Login.java", + "line" : "134", + "column" : "31", + "length" : "1", + "object" : "executeUpdate" + }, + "state" : "0", + "source" : { + "snippet" : "\t username = s.getParser().getRawParameter(USERNAME);", + "file" : "DOS_Login.java", + "line" : "88", + "column" : "46", + "length" : "1", + "object" : "getRawParameter" + } 
+ } ] + }, + "allFalsePositive" : false + }, { + "vulnerability" : "Information_Exposure_Through_an_Error_Message", + "vulnerabilityStatus" : "TO VERIFY", + "cwe" : "209", + "description" : "", + "language" : "Java", + "severity" : "Low", + "link" : "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=8", + "filename" : "DOS_Login.java", + "gitUrl" : "", + "falsePositiveCount" : 0, + "details" : { + "169" : { + "falsePositive" : false, + "comment" : "" + } + }, + "additionalDetails" : { + "recommendedFix" : "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=622&queryVersionCode=56439377&queryTitle=Information_Exposure_Through_an_Error_Message", + "categories" : "PCI DSS v3.2;PCI DSS (3.2) - 6.5.5 - Improper error handling,OWASP Top 10 2013;A5-Security Misconfiguration,FISMA 2014;Configuration Management,NIST SP 800-53;SI-11 Error Handling (P2),OWASP Top 10 2017;A6-Security Misconfiguration", + "results" : [ { + "1" : { + "snippet" : "\t catch (SQLException sqle)", + "file" : "DOS_Login.java", + "line" : "169", + "column" : "26", + "length" : "4", + "object" : "sqle" + }, + "2" : { + "snippet" : "\t\tec.addElement(new P().addElement(sqle.getMessage()));", + "file" : "DOS_Login.java", + "line" : "171", + "column" : "36", + "length" : "4", + "object" : "sqle" + }, + "3" : { + "snippet" : "\t\tsqle.printStackTrace();", + "file" : "DOS_Login.java", + "line" : "172", + "column" : "3", + "length" : "4", + "object" : "sqle" + }, + "4" : { + "snippet" : "\t\tsqle.printStackTrace();", + "file" : "DOS_Login.java", + "line" : "172", + "column" : "23", + "length" : "1", + "object" : "printStackTrace" + }, + "sink" : { + "snippet" : "\t\tsqle.printStackTrace();", + "file" : "DOS_Login.java", + "line" : "172", + "column" : "23", + "length" : "1", + "object" : "printStackTrace" + }, + "state" : "0", + "source" : { + "snippet" : "\t catch (SQLException sqle)", + "file" : "DOS_Login.java", + "line" : "169", + "column" : "26", + 
"length" : "4", + "object" : "sqle" + } + }, { + "1" : { + "snippet" : "\t catch (SQLException sqle)", + "file" : "DOS_Login.java", + "line" : "169", + "column" : "26", + "length" : "4", + "object" : "sqle" + }, + "2" : { + "snippet" : "\t\tec.addElement(new P().addElement(sqle.getMessage()));", + "file" : "DOS_Login.java", + "line" : "171", + "column" : "36", + "length" : "4", + "object" : "sqle" + }, + "3" : { + "snippet" : "\t\tec.addElement(new P().addElement(sqle.getMessage()));", + "file" : "DOS_Login.java", + "line" : "171", + "column" : "51", + "length" : "1", + "object" : "getMessage" + }, + "4" : { + "snippet" : "\t\tec.addElement(new P().addElement(sqle.getMessage()));", + "file" : "DOS_Login.java", + "line" : "171", + "column" : "35", + "length" : "1", + "object" : "addElement" + }, + "sink" : { + "snippet" : "\t\tec.addElement(new P().addElement(sqle.getMessage()));", + "file" : "DOS_Login.java", + "line" : "171", + "column" : "35", + "length" : "1", + "object" : "addElement" + }, + "state" : "0", + "source" : { + "snippet" : "\t catch (SQLException sqle)", + "file" : "DOS_Login.java", + "line" : "169", + "column" : "26", + "length" : "4", + "object" : "sqle" + } + } ] + }, + "allFalsePositive" : false + }, { + "vulnerability" : "Improper_Resource_Shutdown_or_Release", + "vulnerabilityStatus" : "TO VERIFY", + "cwe" : "404", + "description" : "", + "language" : "Java", + "severity" : "Low", + "link" : "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=6", + "filename" : "DOS_Login.java", + "gitUrl" : "", + "falsePositiveCount" : 0, + "details" : { + "103" : { + "falsePositive" : false, + "comment" : "" + } + }, + "additionalDetails" : { + "recommendedFix" : "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=600&queryVersionCode=56205902&queryTitle=Improper_Resource_Shutdown_or_Release", + "categories" : "NIST SP 800-53;SC-5 Denial of Service Protection (P1)", + "results" : [ { + "1" : { + "snippet" : 
"\t\tconnection = DatabaseUtilities.makeConnection(s);", + "file" : "DOS_Login.java", + "line" : "103", + "column" : "48", + "length" : "1", + "object" : "makeConnection" + }, + "2" : { + "snippet" : "\t\tconnection = DatabaseUtilities.makeConnection(s);", + "file" : "DOS_Login.java", + "line" : "103", + "column" : "3", + "length" : "10", + "object" : "connection" + }, + "3" : { + "snippet" : "\t\tStatement statement = connection.createStatement(", + "file" : "DOS_Login.java", + "line" : "111", + "column" : "25", + "length" : "10", + "object" : "connection" + }, + "4" : { + "snippet" : "\t\tStatement statement = connection.createStatement(", + "file" : "DOS_Login.java", + "line" : "111", + "column" : "51", + "length" : "1", + "object" : "createStatement" + }, + "sink" : { + "snippet" : "\t\tStatement statement = connection.createStatement(", + "file" : "DOS_Login.java", + "line" : "111", + "column" : "51", + "length" : "1", + "object" : "createStatement" + }, + "state" : "0", + "source" : { + "snippet" : "\t\tconnection = DatabaseUtilities.makeConnection(s);", + "file" : "DOS_Login.java", + "line" : "103", + "column" : "48", + "length" : "1", + "object" : "makeConnection" + } + } ] + }, + "allFalsePositive" : false + }, { + "vulnerability" : "Use_Of_Hardcoded_Password", + "vulnerabilityStatus" : "TO VERIFY", + "cwe" : "259", + "description" : "", + "language" : "Java", + "severity" : "Low", + "link" : "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=7", + "filename" : "DOS_Login.java", + "gitUrl" : "", + "falsePositiveCount" : 0, + "details" : { + "64" : { + "falsePositive" : false, + "comment" : "" + } + }, + "additionalDetails" : { + "recommendedFix" : "http://CX-FLOW-CLEAN/CxWebClient/ScanQueryDescription.aspx?queryID=604&queryVersionCode=56248316&queryTitle=Use_Of_Hardcoded_Password", + "categories" : "PCI DSS v3.2;PCI DSS (3.2) - 6.5.10 - Broken authentication and session management,OWASP Top 10 2013;A2-Broken Authentication 
and Session Management,FISMA 2014;Identification And Authentication,NIST SP 800-53;SC-28 Protection of Information at Rest (P1),OWASP Top 10 2017;A2-Broken Authentication,OWASP Mobile Top 10 2016;M9-Reverse Engineering", + "results" : [ { + "1" : { + "snippet" : " protected final static String PASSWORD = \"Password\";", + "file" : "DOS_Login.java", + "line" : "64", + "column" : "35", + "length" : "8", + "object" : "PASSWORD" + }, + "sink" : { + "snippet" : " protected final static String PASSWORD = \"Password\";", + "file" : "DOS_Login.java", + "line" : "64", + "column" : "35", + "length" : "8", + "object" : "PASSWORD" + }, + "state" : "0", + "source" : { + "snippet" : " protected final static String PASSWORD = \"Password\";", + "file" : "DOS_Login.java", + "line" : "64", + "column" : "35", + "length" : "8", + "object" : "PASSWORD" + } + } ] + }, + "allFalsePositive" : false + } ], + "reportCreationTime":"Sunday, January 19, 2020 2:41:53 AM", + "deepLink":"http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6", + "scanTime":"00h:01m:30s", + "sastResults": false +} diff --git a/unittests/scans/checkmarx_cxflow_sast/no_finding.json b/unittests/scans/checkmarx_cxflow_sast/no_finding.json new file mode 100644 index 00000000000..ba73c156ab1 --- /dev/null +++ b/unittests/scans/checkmarx_cxflow_sast/no_finding.json 
@@ -0,0 +1,21 @@
+{
+ "projectId": "5",
+ "team": "CxServer",
+ "project": "EmptyClass",
+ "link": "http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000024&projectid=5",
+ "files": "1",
+ "loc": "6",
+ "scanType": "Full",
+ "version":"8.9.0.210",
+ "additionalDetails": {
+ "flow-summary": {},
+ "scanId": "1000024",
+ "scanStartDate": "Wednesday, January 15, 2020 1:31:13 PM"
+ },
+ "xissues": [],
+ "unFilteredIssues": [],
+ "reportCreationTime":"Wednesday, January 15, 2020 1:32:47 PM",
+ "deepLink":"http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000024&projectid=5",
+ "scanTime":"00h:01m:24s",
+ "sastResults": false
+}
\ No newline at end of file
diff --git a/unittests/tools/test_checkmarx_cxflow_sast_parser.py b/unittests/tools/test_checkmarx_cxflow_sast_parser.py
new file mode 100644
index 00000000000..7481002e3d2
--- /dev/null
+++ b/unittests/tools/test_checkmarx_cxflow_sast_parser.py
@@ -0,0 +1,74 @@
+import dateutil.parser
+
+
+from dojo.models import Engagement, Product, Test
+
+from dojo.tools.checkmarx_cxflow_sast.parser import CheckmarxCXFlowSastParser
+
+from unittests.dojo_test_case import DojoTestCase, get_unit_tests_path
+
+
+
+class TestCheckmarxCxflowSast(DojoTestCase):
+
+ def init(self, reportFilename):
+ my_file_handle = open(reportFilename, encoding="utf-8")
+ product = Product()
+ engagement = Engagement()
+ test = Test()
+ engagement.product = product
+ test.engagement = engagement
+ return my_file_handle, product, engagement, test
+
+ def test_file_name_aggregated_parse_file_with_no_vulnerabilities_has_no_findings(self):
+ my_file_handle, _, _, test = self.init(
+ get_unit_tests_path() + "/scans/checkmarx_cxflow_sast/no_finding.json",
+ )
+ parser = CheckmarxCXFlowSastParser()
+ findings = parser.get_findings(my_file_handle, test)
+ self.assertEqual(0, len(findings))
+
+ def test_file_name_aggregated_parse_file_with_no_vulnerabilities_has_1_finding(self):
+ my_file_handle, _, _, test = self.init(
+ get_unit_tests_path() + "/scans/checkmarx_cxflow_sast/1-finding.json",
+ )
+ parser = CheckmarxCXFlowSastParser()
+ findings = parser.get_findings(my_file_handle, test)
+ self.assertEqual(1, len(findings))
+ finding = findings[0]
+ self.assertIn("Reflected XSS All Clients", finding.title)
+ self.assertEqual(79, finding.cwe)
+ self.assertEqual(dateutil.parser.parse("Sunday, January 19, 2020 2:40:11 AM"), finding.date)
+ self.assertEqual("getRawParameter", finding.sast_source_object)
+ self.assertEqual("username", finding.sast_sink_object)
+ self.assertEqual("DOS_Login.java", finding.sast_source_file_path)
+ self.assertEqual("88", finding.sast_source_line)
+ self.assertEqual("14660819", finding.vuln_id_from_tool)
+ self.assertEqual("High", finding.severity)
+ self.assertEqual("107", finding.line)
+ self.assertEqual(False, finding.false_p)
+ self.assertIn("Java", finding.description)
+ self.assertIn("http://CX-FLOW-CLEAN/CxWebClient/ViewerMain.aspx?scanid=1000026&projectid=6&pathid=2",
+ finding.description)
+ self.assertIn("PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 "
+ "2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,"
+ "NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site "
+ "Scripting (XSS)", finding.description)
+ self.assertEqual(True, finding.active)
+ self.assertEqual(False, finding.verified)
+
+ def test_file_name_aggregated_parse_file_with_no_vulnerabilities_has_4_findings(self):
+ my_file_handle, _, _, test = self.init(
+ get_unit_tests_path() + "/scans/checkmarx_cxflow_sast/4-findings.json",
+ )
+ parser = CheckmarxCXFlowSastParser()
+ findings = parser.get_findings(my_file_handle, test)
+ self.assertEqual(4, len(findings))
+ for finding in findings:
+ self.assertIsNotNone(finding.title)
+ self.assertIsNotNone(finding.date)
+ self.assertIsNotNone(finding.sast_source_object)
+ self.assertIsNotNone(finding.sast_sink_object)
+ self.assertIsNotNone(finding.sast_source_file_path)
+ self.assertIsNotNone(finding.sast_source_line)
+ self.assertIsNotNone(finding.vuln_id_from_tool)
+ self.assertIsNotNone(finding.severity)
+ self.assertIsNotNone(finding.line)
+ self.assertIsNotNone(finding.false_p)
+ self.assertIsNotNone(finding.description)
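Review bot: The file handle opened in `init` is never closed — it is returned to each test and simply dropped when the test finishes, so all three tests leak an open file (ruff SIM115 flags the bare `open`). Registering a cleanup right after the open, `self.addCleanup(my_file_handle.close)`, fixes every call site without changing the helper's return shape. The names `..._with_no_vulnerabilities_has_1_finding` and `..._has_4_findings` still carry the copy-pasted `with_no_vulnerabilities` although those fixtures do contain findings; `test_parse_file_with_1_finding` / `test_parse_file_with_4_findings` would make a failing test readable. The 4-findings loop only checks that each field is non-None; asserting that the four `vuln_id_from_tool` values are distinct would also catch a parser regression that makes separate findings collapse under de-duplication.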