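 def test_detailed_parse_file_with_no_vulnerabilities_has_no_findings(self):
     """A report with no results must yield an empty findings list in detailed mode."""
     my_file_handle, _product, _engagement, test = self.init(
         "dojo/unittests/scans/checkmarx/no_finding.xml")
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Release the fixture handle even if the parser raises, so one failing
         # test does not leak an open file into the rest of the suite.
         self.teardown(my_file_handle)
     self.assertEqual(0, len(findings))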
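 def test_detailed_parse_file_with_false_positive_is_false_positive(self):
     """A result flagged as false positive in the report stays a false positive in detailed mode."""
     my_file_handle, _product, _engagement, test = self.init(
         "dojo/unittests/scans/checkmarx/single_finding_false_positive.xml")
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     # Verifications common to both parsers
     self.check_parse_file_with_false_positive_is_false_positive(findings)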
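 def test_detailed_parse_file_with_same_sourceFilename_different_sinkFilename_is_not_aggregated(self, mock):
     """Two results sharing a source file but differing in sink file stay separate findings.

     ``mock`` is the patched collaborator supplied by the test decorator (outside this
     view); it is expected to have been called with the product and the language 'Java'.
     """
     my_file_handle, product, _engagement, test = self.init(
         "dojo/unittests/scans/checkmarx/multiple_findings_same_sourceFilename_different_sinkFilename.xml"
     )
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     self.assertEqual(2, len(findings))
     mock.assert_called_with(product, 'Java')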
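 def test_detailed_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self, mock):
     """Three results in the report produce three findings in detailed mode.

     ``mock`` is the patched collaborator supplied by the test decorator (outside this
     view); it is expected to have been called with the product and the language 'Java'.
     """
     my_file_handle, product, _engagement, test = self.init(
         "dojo/unittests/scans/checkmarx/multiple_findings.xml"
     )
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     self.assertEqual(3, len(findings))
     mock.assert_called_with(product, 'Java')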
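 def test_detailed_parse_file_with_no_vulnerabilities_has_no_findings(self, mock):
     """A report with no results must yield an empty findings list in detailed mode.

     ``mock`` is the patched collaborator supplied by the test decorator (outside this
     view); it is expected to have been called with the product and the language 'Java'.
     """
     my_file_handle, product, _engagement, test = self.init(
         get_unit_tests_path() + "/scans/checkmarx/no_finding.xml"
     )
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     self.assertEqual(0, len(findings))
     mock.assert_called_with(product, 'Java')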
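 def test_detailed_parse_file_with_false_positive_is_false_positive(self, mock):
     """A result flagged as false positive in the report stays a false positive in detailed mode.

     ``mock`` is the patched collaborator supplied by the test decorator (outside this
     view); it is expected to have been called with the product and the language 'Java'.
     """
     my_file_handle, product, _engagement, test = self.init(
         get_unit_tests_path() + "/scans/checkmarx/single_finding_false_positive.xml"
     )
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     # Verifications common to both parsers
     self.check_parse_file_with_false_positive_is_false_positive(findings)
     mock.assert_called_with(product, 'Java')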
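 def test_detailed_parse_file_with_different_sourceFilename_same_sinkFilename_is_not_aggregated(self):
     """Two results sharing a sink file but differing in source file stay separate findings.

     In detailed mode nothing is aggregated, so ``nb_occurences`` is left unset on
     every finding.
     """
     my_file_handle, _product, _engagement, test = self.init(
         "dojo/unittests/scans/checkmarx/multiple_findings_different_sourceFilename_same_sinkFilename.xml"
     )
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     self.assertEqual(2, len(findings))
     for finding in findings:
         self.assertIsNone(finding.nb_occurences)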
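 def test_detailed_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self, mock):
     """Three results produce three findings; the first one is checked field by field.

     ``mock`` is the patched collaborator supplied by the test decorator (outside this
     view); it is expected to have been called with the product, the language 'Java'
     and ``files=3``.
     """
     my_file_handle, product, _engagement, test = self.init(
         get_unit_tests_path() + "/scans/checkmarx/multiple_findings.xml")
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     self.assertEqual(3, len(findings))
     mock.assert_called_with(product, 'Java', files=3)
     with self.subTest(i=0):
         finding = findings[0]
         self.assertEqual("SQL Injection (Assignment5.java)", finding.title)
         self.assertEqual("High", finding.severity)
         self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52),
                          finding.date)
         # assertTrue reports a clearer failure than comparing against True.
         self.assertTrue(finding.static_finding)
         self.assertEqual(
             "WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java",
             finding.file_path)
         self.assertEqual(50, finding.line)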
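 def test_detailed_parse_file_with_single_vulnerability_has_single_finding(self, mock):
     """A single result produces one finding; detailed-mode-only fields are pinned exactly.

     The description is the full data-flow path rendered as markdown, and the
     SAST source/sink/line fields are populated as strings. ``mock`` is the
     patched collaborator supplied by the test decorator (outside this view); it
     is expected to have been called with the product and the language 'Java'.
     """
     my_file_handle, product, _engagement, test = self.init(
         "dojo/unittests/scans/checkmarx/single_finding.xml"
     )
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     # Verifications common to both parsers
     self.check_parse_file_with_single_vulnerability_has_single_finding(findings)
     # Fields that differ from aggregated scanner
     item = findings[0]
     self.assertIsInstance(item.description, str)
     self.assertMultiLineEqual(
         "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
         "**Language:** Java\n"
         "**Group:** Java High Risk\n"
         "**Status:** New\n"
         "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
         "\n"
         "-----\n"
         "**Line Number:** 39\n"
         "**Column:** 59\n"
         "**Source Object:** executeQuery\n"
         "**Number:** 39\n"
         "**Code:** ResultSet results = statement.executeQuery(query);\n"
         "-----\n"
         "**Line Number:** 39\n"
         "**Column:** 27\n"
         "**Source Object:** results\n"
         "**Number:** 39\n"
         "**Code:** ResultSet results = statement.executeQuery(query);\n"
         "-----\n"
         "**Line Number:** 46\n"
         "**Column:** 28\n"
         "**Source Object:** results\n"
         "**Number:** 46\n"
         "**Code:** while (results.next()) {\n"
         "-----\n"
         "**Line Number:** 47\n"
         "**Column:** 34\n"
         "**Source Object:** results\n"
         "**Number:** 47\n"
         "**Code:** int id = results.getInt(0);\n"
         "-----\n"
         "**Line Number:** 53\n"
         "**Column:** 64\n"
         "**Source Object:** getString\n"
         "**Number:** 53\n"
         '**Code:** userMap.put("cookie", results.getString(5));\n'
         "-----\n"
         "**Line Number:** 53\n"
         "**Column:** 36\n"
         "**Source Object:** put\n"
         "**Number:** 53\n"
         '**Code:** userMap.put("cookie", results.getString(5));\n'
         "-----\n"
         "**Line Number:** 54\n"
         "**Column:** 25\n"
         "**Source Object:** userMap\n"
         "**Number:** 54\n"
         '**Code:** userMap.put("loginCOunt",Integer.toString(results.getInt(6)));\n'
         "-----\n"
         "**Line Number:** 55\n"
         "**Column:** 44\n"
         "**Source Object:** userMap\n"
         "**Number:** 55\n"
         "**Code:** allUsersMap.put(id,userMap);\n"
         "-----\n"
         "**Line Number:** 55\n"
         "**Column:** 40\n"
         "**Source Object:** put\n"
         "**Number:** 55\n"
         "**Code:** allUsersMap.put(id,userMap);\n"
         "-----\n"
         "**Line Number:** 58\n"
         "**Column:** 28\n"
         "**Source Object:** allUsersMap\n"
         "**Number:** 58\n"
         "**Code:** return allUsersMap;\n"
         "-----\n",
         item.description,
     )
     self.assertIsInstance(item.line, str)
     self.assertEqual("58", item.line)
     # Added field for detailed scanner
     self.assertIsInstance(item.unique_id_from_tool, str)
     # unique_id_from_tool update from PathId to SimilarityId+PathId
     self.assertEqual("157422106028", item.unique_id_from_tool)
     self.assertIsInstance(item.sast_source_object, str)
     self.assertEqual("executeQuery", item.sast_source_object)
     self.assertIsInstance(item.sast_sink_object, str)
     self.assertEqual("allUsersMap", item.sast_sink_object)
     self.assertIsInstance(item.sast_source_line, str)
     self.assertEqual("39", item.sast_source_line)
     self.assertIsInstance(item.sast_source_file_path, str)
     self.assertEqual(
         "WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java",
         item.sast_source_file_path,
     )
     self.assertIsNone(item.nb_occurences)
     mock.assert_called_with(product, 'Java')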
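 def test_detailed_parse_file_with_utf8_various_non_ascii_char(self, mock):
     """Non-ASCII Latin characters (U+00A1..U+017F) in the report survive parsing unchanged.

     The expected description embeds the full character range so that any
     mis-decoding or lossy transcoding in the parser shows up as a diff.
     ``mock`` is the patched collaborator supplied by the test decorator
     (outside this view); it is expected to have been called with the product
     and the language 'Java'.
     """
     my_file_handle, product, _engagement, test = self.init(
         "dojo/unittests/scans/checkmarx/utf8_various_non_ascii_char.xml"
     )
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     # Verifications common to both parsers
     self.check_parse_file_with_utf8_various_non_ascii_char(findings)
     # Fields that differ from aggregated scanner
     item = findings[0]
     self.assertIsInstance(item.description, str)
     self.assertMultiLineEqual(
         "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
         "**Language:** Java\n"
         "**Group:** Java High Risk\n"
         "**Status:** New\n"
         "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
         "\n"
         "-----\n"
         "**Line Number:** 39\n"
         "**Column:** 59\n"
         "**Source Object:** executeQuery¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
         "**Number:** 39\n"
         "**Code:** ResultSet results = statement.executeQuery(query);\n"
         "-----\n"
         "**Line Number:** 39\n"
         "**Column:** 27\n"
         "**Source Object:** results\n"
         "**Number:** 39\n"
         "**Code:** ResultSet results = statement.executeQuery(query);//all latins non ascii with extended: U+00A1   to U+017F  (ref https://www.utf8-chartable.de/unicode-utf8-table.pl): ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
         "-----\n"
         "**Line Number:** 46\n"
         "**Column:** 28\n"
         "**Source Object:** results\n"
         "**Number:** 46\n"
         "**Code:** while (results.next()) { // other: ƒ\n"
         "-----\n"
         "**Line Number:** 47\n"
         "**Column:** 34\n"
         "**Source Object:** results\n"
         "**Number:** 47\n"
         "**Code:** int id = results.getInt(0);\n"
         "-----\n"
         "**Line Number:** 53\n"
         "**Column:** 64\n"
         "**Source Object:** getString\n"
         "**Number:** 53\n"
         '**Code:** userMap.put("cookie", results.getString(5));\n'
         "-----\n"
         "**Line Number:** 53\n"
         "**Column:** 36\n"
         "**Source Object:** put\n"
         "**Number:** 53\n"
         '**Code:** userMap.put("cookie", results.getString(5));\n'
         "-----\n"
         "**Line Number:** 54\n"
         "**Column:** 25\n"
         "**Source Object:** userMap\n"
         "**Number:** 54\n"
         '**Code:** userMap.put("loginCOunt",Integer.toString(results.getInt(6)));\n'
         "-----\n"
         "**Line Number:** 55\n"
         "**Column:** 44\n"
         "**Source Object:** userMap\n"
         "**Number:** 55\n"
         "**Code:** allUsersMap.put(id,userMap);\n"
         "-----\n"
         "**Line Number:** 55\n"
         "**Column:** 40\n"
         "**Source Object:** put\n"
         "**Number:** 55\n"
         "**Code:** allUsersMap.put(id,userMap);\n"
         "-----\n"
         "**Line Number:** 58\n"
         "**Column:** 28\n"
         "**Source Object:** allUsersMap¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
         "**Number:** 58\n"
         "**Code:** return allUsersMap;\n"
         "-----\n",
         item.description,
     )
     self.assertIsInstance(item.line, str)
     self.assertEqual("58", item.line)
     mock.assert_called_with(product, 'Java')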
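 def test_detailed_parse_file_with_utf8_replacement_char(self, mock):
     """A U+FFFD replacement character in the report is carried through to the description.

     This guards against the parser dropping or re-replacing already-replaced
     characters. ``mock`` is the patched collaborator supplied by the test
     decorator (outside this view); it is expected to have been called with the
     product and the language 'Java'.
     """
     my_file_handle, product, _engagement, test = self.init(
         "dojo/unittests/scans/checkmarx/utf8_replacement_char.xml"
     )
     parser = CheckmarxParser()
     parser.set_mode('detailed')
     try:
         findings = parser.get_findings(my_file_handle, test)
     finally:
         # Always close the fixture, even when parsing fails.
         self.teardown(my_file_handle)
     # Verifications common to both parsers
     self.check_parse_file_with_utf8_replacement_char(findings)
     # Fields that differ from aggregated scanner
     item = findings[0]
     self.assertIsInstance(item.description, str)
     self.assertMultiLineEqual(
         "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
         "**Language:** Java\n"
         "**Group:** Java High Risk\n"
         "**Status:** New\n"
         "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
         "\n"
         "-----\n"
         "**Line Number:** 39\n"
         "**Column:** 59\n"
         "**Source Object:** executeQuery�\n"
         "**Number:** 39\n"
         "**Code:** ResultSet results = statement.executeQuery(query);//�\n"
         "-----\n"
         "**Line Number:** 39\n"
         "**Column:** 27\n"
         "**Source Object:** results\n"
         "**Number:** 39\n"
         "**Code:** ResultSet results = statement.executeQuery(query);\n"
         "-----\n"
         "**Line Number:** 46\n"
         "**Column:** 28\n"
         "**Source Object:** results\n"
         "**Number:** 46\n"
         "**Code:** while (results.next()) {\n"
         "-----\n"
         "**Line Number:** 47\n"
         "**Column:** 34\n"
         "**Source Object:** results\n"
         "**Number:** 47\n"
         "**Code:** int id = results.getInt(0);\n"
         "-----\n"
         "**Line Number:** 53\n"
         "**Column:** 64\n"
         "**Source Object:** getString\n"
         "**Number:** 53\n"
         '**Code:** userMap.put("cookie", results.getString(5));\n'
         "-----\n"
         "**Line Number:** 53\n"
         "**Column:** 36\n"
         "**Source Object:** put\n"
         "**Number:** 53\n"
         '**Code:** userMap.put("cookie", results.getString(5));\n'
         "-----\n"
         "**Line Number:** 54\n"
         "**Column:** 25\n"
         "**Source Object:** userMap\n"
         "**Number:** 54\n"
         '**Code:** userMap.put("loginCOunt",Integer.toString(results.getInt(6)));\n'
         "-----\n"
         "**Line Number:** 55\n"
         "**Column:** 44\n"
         "**Source Object:** userMap\n"
         "**Number:** 55\n"
         "**Code:** allUsersMap.put(id,userMap);\n"
         "-----\n"
         "**Line Number:** 55\n"
         "**Column:** 40\n"
         "**Source Object:** put\n"
         "**Number:** 55\n"
         "**Code:** allUsersMap.put(id,userMap);\n"
         "-----\n"
         "**Line Number:** 58\n"
         "**Column:** 28\n"
         "**Source Object:** allUsersMap�\n"
         "**Number:** 58\n"
         "**Code:** return allUsersMap;\n"
         "-----\n",
         item.description,
     )
     self.assertIsInstance(item.line, str)
     self.assertEqual("58", item.line)
     mock.assert_called_with(product, 'Java')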