def test_file_name_aggregated_parse_file_with_single_vulnerability_has_single_finding(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/single_finding.xml" ) parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # Verifications common to both parsers self.check_parse_file_with_single_vulnerability_has_single_finding(findings) # Fields that differ from detailed scanner item = findings[0] self.assertEqual(str, type(item.description)) self.assertMultiLineEqual( "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n" "**Language:** Java\n" "**Group:** Java High Risk\n" "**Status:** New\n" "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n" "\n" "-----\n" "<b>Source filename: </b>WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java\n" "<b>Source line number: </b> 39\n" "<b>Source object: </b> executeQuery\n" "\n" "<b>Sink filename: </b>WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java\n" "<b>Sink line number: </b> 58\n" "<b>Sink object: </b> allUsersMap", item.description, ) self.assertEqual(1, item.nb_occurences) mock.assert_called_with(product, 'Java')
def test_file_name_aggregated_parse_file_with_utf8_various_non_ascii_char(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/utf8_various_non_ascii_char.xml" ) parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # Verifications common to both parsers self.check_parse_file_with_utf8_various_non_ascii_char(findings) # Fields that differ from detailed scanner item = findings[0] self.assertEqual(str, type(item.description)) self.assertMultiLineEqual( "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n" "**Language:** Java\n" "**Group:** Java High Risk\n" "**Status:** New\n" "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n" "\n" "-----\n" "<b>Source filename: </b>WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſUsers.java\n" "<b>Source line number: </b> 39\n" "<b>Source object: </b> executeQuery¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n" "\n" "<b>Sink filename: </b>WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſUsers.java\n" "<b>Sink line number: </b> 58\n" "<b>Sink object: </b> allUsersMap¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ", item.description, ) self.assertIsNone(item.line) mock.assert_called_with(product, 'Java')
def test_file_with_multiple_findings_is_aggregated_with_query_id(self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/multiple_findings_same_query_id.xml" ) parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(6, len(findings))
def test_detailed_parse_file_with_no_vulnerabilities_has_no_findings(self): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/no_finding.xml") parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(0, len(findings))
def test_file_name_aggregated_parse_file_with_no_vulnerabilities_has_no_findings( self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/no_finding.xml") parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(0, len(findings))
def test_file_name_aggregated_parse_file_with_multiple_vulnerabilities_has_multiple_findings( self, ): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/multiple_findings.xml") parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # checkmarx says 3 but we're down to 2 due to the aggregation on sink filename rather than source filename + source line number + sink filename + sink line number self.assertEqual(2, len(findings))
def test_detailed_parse_file_with_false_positive_is_false_positive(self): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/single_finding_false_positive.xml") parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # Verifications common to both parsers self.check_parse_file_with_false_positive_is_false_positive(findings)
def test_file_name_aggregated_parse_file_with_same_sourceFilename_different_sinkFilename_is_not_aggregated(self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/multiple_findings_same_sourceFilename_different_sinkFilename.xml" ) parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # aggregation is on sink filename but sink filename differ -> not aggregated self.assertEqual(2, len(findings)) mock.assert_called_with(product, 'Java')
def test_detailed_parse_file_with_same_sourceFilename_different_sinkFilename_is_not_aggregated(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/multiple_findings_same_sourceFilename_different_sinkFilename.xml" ) parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(2, len(findings)) mock.assert_called_with(product, 'Java')
def test_file_name_aggregated_parse_file_with_false_positive_is_false_positive(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/single_finding_false_positive.xml" ) parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # Verifications common to both parsers self.check_parse_file_with_false_positive_is_false_positive(findings) mock.assert_called_with(product, 'Java')
def test_detailed_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/multiple_findings.xml" ) parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(3, len(findings)) mock.assert_called_with(product, 'Java')
def test_detailed_parse_file_with_no_vulnerabilities_has_no_findings(self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/no_finding.xml" ) parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(0, len(findings)) mock.assert_called_with(product, 'Java')
def test_detailed_parse_file_with_false_positive_is_false_positive(self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/single_finding_false_positive.xml" ) parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # Verifications common to both parsers self.check_parse_file_with_false_positive_is_false_positive(findings) mock.assert_called_with(product, 'Java')
def test_detailed_parse_file_with_different_sourceFilename_same_sinkFilename_is_not_aggregated( self, ): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/multiple_findings_different_sourceFilename_same_sinkFilename.xml" ) parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(2, len(findings)) self.assertIsNone(findings[0].nb_occurences) self.assertIsNone(findings[1].nb_occurences)
def test_file_name_aggregated_parse_file_with_different_sourceFilename_same_sinkFilename_is_aggregated(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/multiple_findings_different_sourceFilename_same_sinkFilename.xml" ) parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # aggregation is on sink filename so all vuln with different source filenames are aggregated self.assertEqual(1, len(findings)) item = findings[0] # nb_occurences counts the number of aggregated vulnerabilities from tool self.assertEqual(2, findings[0].nb_occurences) mock.assert_called_with(product, 'Java')
def test_file_with_empty_filename(self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/single_no_filename.xml") parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(1, len(findings)) mock.assert_called_with(product, 'PHP', files=1) with self.subTest(i=0): finding = findings[0] # ScanStart self.assertEqual("Missing HSTS Header", finding.title) self.assertEqual("Medium", finding.severity) self.assertEqual(datetime.datetime, type(finding.date)) self.assertEqual(datetime.datetime(2021, 12, 24, 9, 12, 14), finding.date) self.assertEqual(bool, type(finding.static_finding)) self.assertEqual(True, finding.static_finding)
def test_file_name_aggregated_parse_file_with_two_aggregated_findings_one_is_false_p(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/two_aggregated_findings_one_is_false_positive.xml" ) parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(1, len(findings)) # check content for aggregated finding item = findings[0] # finding is never active/verified yet at this time self.assertEqual(bool, type(item.active)) self.assertEqual(True, item.active) self.assertEqual(bool, type(item.verified)) self.assertEqual(True, item.verified) self.assertEqual(bool, type(item.false_p)) self.assertEqual(False, item.false_p) mock.assert_called_with(product, 'Java')
def test_file_name_aggregated_parse_file_with_two_aggregated_findings_one_is_false_p(self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/two_aggregated_findings_one_is_false_positive.xml" ) parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(1, len(findings)) # check content for aggregated finding item = findings[0] # if any of the findings in the aggregate is active, the aggregated finding is active self.assertEqual(bool, type(item.active)) self.assertEqual(True, item.active) self.assertEqual(bool, type(item.verified)) # state 0 in checkmarx = "To verify" self.assertEqual(False, item.verified) self.assertEqual(bool, type(item.false_p)) # If at least one of the findings in the aggregate is exploitable, the defectdojo finding should not be "false positive" self.assertEqual(False, item.false_p) mock.assert_called_with(product, 'Java')
def test_file_name_aggregated_parse_file_with_multiple_vulnerabilities_has_multiple_findings( self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/multiple_findings.xml") parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # checkmarx says 3 but we're down to 2 due to the aggregation on sink filename rather than source filename + source line number + sink filename + sink line number self.assertEqual(2, len(findings)) mock.assert_called_with(product, 'Java', files=3) with self.subTest(i=0): finding = findings[0] self.assertEqual("SQL Injection (Assignment5.java)", finding.title) self.assertEqual("High", finding.severity) self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), finding.date) self.assertEqual(True, finding.static_finding) self.assertEqual( "WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java", finding.file_path)
def test_file_with_multiple_findings_is_aggregated_with_query_id( self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/multiple_findings_same_query_id.xml") parser = CheckmarxParser() findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(6, len(findings)) mock.assert_called_with(product, 'Java', files=4) with self.subTest(i=0): finding = findings[0] # ScanStart self.assertEqual("Client Potential ReDoS In Match (prettify.js)", finding.title) self.assertEqual("Low", finding.severity) self.assertEqual(datetime.datetime, type(finding.date)) self.assertEqual(datetime.datetime(2021, 11, 17, 13, 50, 45), finding.date) self.assertEqual(bool, type(finding.static_finding)) self.assertEqual(True, finding.static_finding)
def test_detailed_parse_file_with_multiple_vulnerabilities_has_multiple_findings( self, mock): my_file_handle, product, engagement, test = self.init( get_unit_tests_path() + "/scans/checkmarx/multiple_findings.xml") parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) self.assertEqual(3, len(findings)) mock.assert_called_with(product, 'Java', files=3) with self.subTest(i=0): finding = findings[0] self.assertEqual("SQL Injection (Assignment5.java)", finding.title) self.assertEqual("High", finding.severity) self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), finding.date) self.assertEqual(True, finding.static_finding) self.assertEqual( "WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java", finding.file_path) self.assertEqual(50, finding.line)
def test_detailed_parse_file_with_single_vulnerability_has_single_finding(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/single_finding.xml" ) parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # Verifications common to both parsers self.check_parse_file_with_single_vulnerability_has_single_finding(findings) # Fields that differ from aggregated scanner item = findings[0] self.assertEqual(str, type(item.description)) self.assertMultiLineEqual( "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n" "**Language:** Java\n" "**Group:** Java High Risk\n" "**Status:** New\n" "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n" "\n" "-----\n" "**Line Number:** 39\n" "**Column:** 59\n" "**Source Object:** executeQuery\n" "**Number:** 39\n" "**Code:** ResultSet results = statement.executeQuery(query);\n" "-----\n" "**Line Number:** 39\n" "**Column:** 27\n" "**Source Object:** results\n" "**Number:** 39\n" "**Code:** ResultSet results = statement.executeQuery(query);\n" "-----\n" "**Line Number:** 46\n" "**Column:** 28\n" "**Source Object:** results\n" "**Number:** 46\n" "**Code:** while (results.next()) {\n" "-----\n" "**Line Number:** 47\n" "**Column:** 34\n" "**Source Object:** results\n" "**Number:** 47\n" "**Code:** int id = results.getInt(0);\n" "-----\n" "**Line Number:** 53\n" "**Column:** 64\n" "**Source Object:** getString\n" "**Number:** 53\n" '**Code:** userMap.put("cookie", results.getString(5));\n' "-----\n" "**Line Number:** 53\n" "**Column:** 36\n" "**Source Object:** put\n" "**Number:** 53\n" '**Code:** userMap.put("cookie", results.getString(5));\n' "-----\n" "**Line Number:** 54\n" "**Column:** 25\n" "**Source Object:** userMap\n" "**Number:** 54\n" '**Code:** userMap.put("loginCOunt",Integer.toString(results.getInt(6)));\n' "-----\n" "**Line Number:** 55\n" "**Column:** 44\n" "**Source Object:** userMap\n" "**Number:** 55\n" "**Code:** allUsersMap.put(id,userMap);\n" "-----\n" "**Line Number:** 55\n" "**Column:** 40\n" "**Source Object:** put\n" "**Number:** 55\n" "**Code:** allUsersMap.put(id,userMap);\n" "-----\n" "**Line Number:** 58\n" "**Column:** 28\n" "**Source Object:** allUsersMap\n" "**Number:** 58\n" "**Code:** return allUsersMap;\n" "-----\n", item.description, ) self.assertEqual(str, type(item.line)) self.assertEqual("58", item.line) # Added field for detailed scanner self.assertEqual(str, type(item.unique_id_from_tool)) # unique_id_from_tool update from PathId to SimilarityId+PathId self.assertEqual("157422106028", item.unique_id_from_tool) self.assertEqual(str, type(item.sast_source_object)) self.assertEqual("executeQuery", item.sast_source_object) self.assertEqual(str, type(item.sast_sink_object)) self.assertEqual("allUsersMap", item.sast_sink_object) self.assertEqual(str, type(item.sast_source_line)) self.assertEqual("39", item.sast_source_line) self.assertEqual(str, type(item.sast_source_file_path)) self.assertEqual( "WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java", item.sast_source_file_path, ) self.assertIsNone(item.nb_occurences) mock.assert_called_with(product, 'Java')
def test_detailed_parse_file_with_utf8_various_non_ascii_char(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/utf8_various_non_ascii_char.xml" ) parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # Verifications common to both parsers self.check_parse_file_with_utf8_various_non_ascii_char(findings) # Fields that differ from aggregated scanner item = findings[0] self.assertEqual(str, type(item.description)) self.assertMultiLineEqual( "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n" "**Language:** Java\n" "**Group:** Java High Risk\n" "**Status:** New\n" "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n" "\n" "-----\n" "**Line Number:** 39\n" "**Column:** 59\n" "**Source Object:** executeQuery¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n" "**Number:** 39\n" "**Code:** ResultSet results = statement.executeQuery(query);\n" "-----\n" "**Line Number:** 39\n" "**Column:** 27\n" "**Source Object:** results\n" "**Number:** 39\n" "**Code:** ResultSet results = statement.executeQuery(query);//all latins non ascii with extended: U+00A1 to U+017F (ref https://www.utf8-chartable.de/unicode-utf8-table.pl): ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n" "-----\n" "**Line Number:** 46\n" "**Column:** 28\n" "**Source Object:** results\n" "**Number:** 46\n" "**Code:** while (results.next()) { // other: ƒ\n" "-----\n" "**Line Number:** 47\n" "**Column:** 34\n" "**Source Object:** results\n" "**Number:** 47\n" "**Code:** int id = results.getInt(0);\n" "-----\n" "**Line Number:** 53\n" "**Column:** 64\n" "**Source Object:** getString\n" "**Number:** 53\n" '**Code:** userMap.put("cookie", results.getString(5));\n' "-----\n" "**Line Number:** 53\n" "**Column:** 36\n" "**Source Object:** put\n" "**Number:** 53\n" '**Code:** userMap.put("cookie", results.getString(5));\n' "-----\n" "**Line Number:** 54\n" "**Column:** 25\n" "**Source Object:** userMap\n" "**Number:** 54\n" '**Code:** userMap.put("loginCOunt",Integer.toString(results.getInt(6)));\n' "-----\n" "**Line Number:** 55\n" "**Column:** 44\n" "**Source Object:** userMap\n" "**Number:** 55\n" "**Code:** allUsersMap.put(id,userMap);\n" "-----\n" "**Line Number:** 55\n" "**Column:** 40\n" "**Source Object:** put\n" "**Number:** 55\n" "**Code:** allUsersMap.put(id,userMap);\n" "-----\n" "**Line Number:** 58\n" "**Column:** 28\n" "**Source Object:** allUsersMap¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n" "**Number:** 58\n" "**Code:** return allUsersMap;\n" "-----\n", item.description, ) self.assertEqual(str, type(item.line)) self.assertEqual("58", item.line) mock.assert_called_with(product, 'Java')
def test_detailed_parse_file_with_utf8_replacement_char(self, mock): my_file_handle, product, engagement, test = self.init( "dojo/unittests/scans/checkmarx/utf8_replacement_char.xml" ) parser = CheckmarxParser() parser.set_mode('detailed') findings = parser.get_findings(my_file_handle, test) self.teardown(my_file_handle) # Verifications common to both parsers self.check_parse_file_with_utf8_replacement_char(findings) # Fields that differ from aggregated scanner item = findings[0] self.assertEqual(str, type(item.description)) self.assertMultiLineEqual( "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n" "**Language:** Java\n" "**Group:** Java High Risk\n" "**Status:** New\n" "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n" "\n" "-----\n" "**Line Number:** 39\n" "**Column:** 59\n" "**Source Object:** executeQuery�\n" "**Number:** 39\n" "**Code:** ResultSet results = statement.executeQuery(query);//�\n" "-----\n" "**Line Number:** 39\n" "**Column:** 27\n" "**Source Object:** results\n" "**Number:** 39\n" "**Code:** ResultSet results = statement.executeQuery(query);\n" "-----\n" "**Line Number:** 46\n" "**Column:** 28\n" "**Source Object:** results\n" "**Number:** 46\n" "**Code:** while (results.next()) {\n" "-----\n" "**Line Number:** 47\n" "**Column:** 34\n" "**Source Object:** results\n" "**Number:** 47\n" "**Code:** int id = results.getInt(0);\n" "-----\n" "**Line Number:** 53\n" "**Column:** 64\n" "**Source Object:** getString\n" "**Number:** 53\n" '**Code:** userMap.put("cookie", results.getString(5));\n' "-----\n" "**Line Number:** 53\n" "**Column:** 36\n" "**Source Object:** put\n" "**Number:** 53\n" '**Code:** userMap.put("cookie", results.getString(5));\n' "-----\n" "**Line Number:** 54\n" "**Column:** 25\n" "**Source Object:** userMap\n" "**Number:** 54\n" '**Code:** userMap.put("loginCOunt",Integer.toString(results.getInt(6)));\n' "-----\n" "**Line Number:** 55\n" "**Column:** 44\n" "**Source Object:** userMap\n" "**Number:** 55\n" "**Code:** allUsersMap.put(id,userMap);\n" "-----\n" "**Line Number:** 55\n" "**Column:** 40\n" "**Source Object:** put\n" "**Number:** 55\n" "**Code:** allUsersMap.put(id,userMap);\n" "-----\n" "**Line Number:** 58\n" "**Column:** 28\n" "**Source Object:** allUsersMap�\n" "**Number:** 58\n" "**Code:** return allUsersMap;\n" "-----\n", item.description, ) self.assertEqual(str, type(item.line)) self.assertEqual("58", item.line) mock.assert_called_with(product, 'Java')