def test_file_name_aggregated_parse_file_with_no_vulnerabilities_has_no_findings(
self):
my_file_handle, product, engagement, test = self.init(
"dojo/unittests/scans/sonarqube/sonar-no-finding.html")
self.parser = SonarQubeHtmlParser(my_file_handle, test)
self.teardown(my_file_handle)
self.check_parse_file_with_no_vulnerabilities_has_no_findings()
def test_detailed_parse_file_with_vuln_on_same_filename(self):
my_file_handle, product, engagement, test = self.init(
"dojo/unittests/scans/sonarqube/sonar-4-findings-3-to-aggregate.html"
)
self.parser = SonarQubeHtmlParser(my_file_handle, test, 'detailed')
self.teardown(my_file_handle)
# specific verifications
self.assertEqual(4, len(self.parser.items))
def test_file_name_aggregated_parse_file_with_vuln_on_same_filename(self):
my_file_handle, product, engagement, test = self.init(
"dojo/unittests/scans/sonarqube/sonar-4-findings-3-to-aggregate.html"
)
self.parser = SonarQubeHtmlParser(my_file_handle, test)
self.teardown(my_file_handle)
# specific verifications
self.assertEqual(2, len(self.parser.items))
# checking both items because they aren't always in the same order
item1 = self.parser.items[0]
item2 = self.parser.items[1]
if item1.nb_occurences == 3:
aggregatedItem = item1
# there is nothing to aggregate on the other finding
self.assertEqual(int, type(item2.nb_occurences))
self.assertEqual(1, item2.nb_occurences)
elif item2.nb_occurences == 3:
aggregatedItem = item2
# there is nothing to aggregate on the other finding
self.assertEqual(int, type(item1.nb_occurences))
self.assertEqual(1, item1.nb_occurences)
else:
self.fail("cannot find aggregated item")
self.assertEqual(str, type(aggregatedItem.description))
self.assertMultiLineEqual(
"Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\n"
"end up in the hands of an attacker. This is particularly true for applications that are distributed.\n"
"Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.\n"
"**Noncompliant Code Example**\n"
"\n"
"Connection conn = null;\n"
"try {\n"
" conn = DriverManager.getConnection(\"jdbc:mysql://localhost/test?\" +\n"
" \"user=steve&password=blue\"); // Noncompliant\n"
" String uname = \"steve\";\n"
" String password = \"blue\";\n"
" conn = DriverManager.getConnection(\"jdbc:mysql://localhost/test?\" +\n"
" \"user=\" + uname + \"&password=\" + password); // Noncompliant\n"
"\n"
" java.net.PasswordAuthentication pa = new java.net.PasswordAuthentication(\"userName\", \"1234\".toCharArray()); // Noncompliant\n"
"\n"
"**Compliant Solution**\n"
"\n"
"Connection conn = null;\n"
"try {\n"
" String uname = getEncryptedUser();\n"
" String password = getEncryptedPass();\n"
" conn = DriverManager.getConnection(\"jdbc:mysql://localhost/test?\" +\n"
" \"user=\" + uname + \"&password=\" + password);\n"
"\n"
"-----\n"
"Occurences:\n"
"Line: 12\n"
"Line: 13\n"
"Line: 14", aggregatedItem.description)
self.assertIsNone(aggregatedItem.line)
self.assertIsNone(aggregatedItem.unique_id_from_tool)
self.assertEqual(int, type(aggregatedItem.nb_occurences))
def test_detailed_parse_file_with_multiple_vulnerabilities_has_multiple_findings(
self):
my_file_handle, product, engagement, test = self.init(
"dojo/unittests/scans/sonarqube/sonar-6-findings.html")
self.parser = SonarQubeHtmlParser(my_file_handle, test, 'detailed')
self.teardown(my_file_handle)
# common verifications
self.check_parse_file_with_multiple_vulnerabilities_has_multiple_findings(
)
def test_parse_file_with_no_vulnerabilities_has_no_findings(self):
my_file_handle = open(
"dojo/unittests/scans/sonarqube/sonar-no-finding.html")
product = Product()
engagement = Engagement()
test = Test()
engagement.product = product
test.engagement = engagement
self.parser = SonarQubeHtmlParser(my_file_handle, test)
my_file_handle.close()
self.assertEqual(0, len(self.parser.items))
def test_file_name_aggregated_parse_file_with_single_vulnerability_has_single_finding(
self):
my_file_handle, product, engagement, test = self.init(
"dojo/unittests/scans/sonarqube/sonar-single-finding.html")
self.parser = SonarQubeHtmlParser(my_file_handle, test)
self.teardown(my_file_handle)
# common verifications
self.check_parse_file_with_single_vulnerability_has_single_finding()
# specific verifications
item = self.parser.items[0]
self.assertEqual(str, type(item.description))
self.assertMultiLineEqual(
"Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\n"
"end up in the hands of an attacker. This is particularly true for applications that are distributed.\n"
"Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.\n"
"It's recommended to customize the configuration of this rule with additional credential words such as \"oauthToken\", \"secret\", ...\n"
"**Noncompliant Code Example**\n"
"\n"
"Connection conn = null;\n"
"try {\n"
" conn = DriverManager.getConnection(\"jdbc:mysql://localhost/test?\" +\n"
" \"user=steve&password=blue\"); // Noncompliant\n"
" String uname = \"steve\";\n"
" String password = \"blue\";\n"
" conn = DriverManager.getConnection(\"jdbc:mysql://localhost/test?\" +\n"
" \"user=\" + uname + \"&password=\" + password); // Noncompliant\n"
"\n"
" java.net.PasswordAuthentication pa = new java.net.PasswordAuthentication(\"userName\", \"1234\".toCharArray()); // Noncompliant\n"
"\n"
"**Compliant Solution**\n"
"\n"
"Connection conn = null;\n"
"try {\n"
" String uname = getEncryptedUser();\n"
" String password = getEncryptedPass();\n"
" conn = DriverManager.getConnection(\"jdbc:mysql://localhost/test?\" +\n"
" \"user=\" + uname + \"&password=\" + password);\n"
"\n"
"-----\n"
"Occurences:\n"
"Line: 66", item.description)
self.assertIsNone(item.line)
self.assertIsNone(item.unique_id_from_tool)
self.assertEqual(int, type(item.nb_occurences))
self.assertEqual(1, item.nb_occurences)
def test_parse_file_with_rule_undefined(self):
my_file_handle = open(
"dojo/unittests/scans/sonarqube/sonar-rule-undefined.html")
product = Product()
engagement = Engagement()
test = Test()
engagement.product = product
test.engagement = engagement
self.parser = SonarQubeHtmlParser(my_file_handle, test)
my_file_handle.close()
self.assertEqual(1, len(self.parser.items))
# check content
item = self.parser.items[0]
self.assertEqual(str, type(self.parser.items[0].title))
self.assertEqual("\"clone\" should not be overridden", item.title)
self.assertEqual(int, type(item.cwe))
# no rule found -> 0
self.assertEqual(0, item.cwe)
self.assertEqual(bool, type(item.active))
self.assertEqual(False, item.active)
self.assertEqual(bool, type(item.verified))
self.assertEqual(False, item.verified)
self.assertEqual(str, type(item.description))
self.assertEqual("No description provided", item.description)
self.assertEqual(str, type(item.severity))
self.assertEqual("Critical", item.severity)
self.assertEqual(str, type(item.numerical_severity))
self.assertEqual("S0", item.numerical_severity)
self.assertEqual(str, type(item.mitigation))
self.assertEqual(
"Remove this \"clone\" implementation; use a copy constructor or copy factory instead.",
item.mitigation)
self.assertEqual(str, type(item.references))
self.assertEqual("", item.references)
self.assertEqual(str, type(item.file_path))
self.assertEqual(
"tomcat_180410:java/org/apache/catalina/util/URLEncoder.java",
item.file_path)
self.assertEqual(str, type(item.line))
self.assertEqual("190", item.line)
self.assertEqual(bool, type(item.static_finding))
self.assertEqual(True, item.static_finding)
self.assertEqual(bool, type(item.dynamic_finding))
self.assertEqual(False, item.dynamic_finding)
def test_detailed_parse_file_with_rule_undefined(self):
my_file_handle, product, engagement, test = self.init(
"dojo/unittests/scans/sonarqube/sonar-rule-undefined.html")
self.parser = SonarQubeHtmlParser(my_file_handle, test, 'detailed')
self.teardown(my_file_handle)
self.assertEqual(1, len(self.parser.items))
# check content
item = self.parser.items[0]
self.assertEqual(str, type(self.parser.items[0].title))
self.assertEqual("\"clone\" should not be overridden", item.title)
self.assertEqual(int, type(item.cwe))
# no rule found -> 0
self.assertEqual(0, item.cwe)
self.assertEqual(bool, type(item.active))
self.assertEqual(False, item.active)
self.assertEqual(bool, type(item.verified))
self.assertEqual(False, item.verified)
self.assertEqual(str, type(item.description))
self.assertEqual("No description provided", item.description)
self.assertEqual(str, type(item.severity))
self.assertEqual("Critical", item.severity)
self.assertEqual(str, type(item.numerical_severity))
self.assertEqual("S0", item.numerical_severity)
self.assertEqual(str, type(item.mitigation))
self.assertEqual(
"Remove this \"clone\" implementation; use a copy constructor or copy factory instead.",
item.mitigation)
self.assertEqual(str, type(item.references))
self.assertEqual("", item.references)
self.assertEqual(str, type(item.file_path))
self.assertEqual("java/org/apache/catalina/util/URLEncoder.java",
item.file_path)
self.assertEqual(str, type(item.line))
self.assertEqual("190", item.line)
self.assertEqual(str, type(item.unique_id_from_tool))
self.assertEqual("AWK40IMu-pl6AHs22MnV", item.unique_id_from_tool)
self.assertEqual(bool, type(item.static_finding))
self.assertEqual(True, item.static_finding)
self.assertEqual(bool, type(item.dynamic_finding))
self.assertEqual(False, item.dynamic_finding)
def import_parser_factory(file, test, scan_type=None):
if scan_type is None:
scan_type = test.test_type.name
if scan_type == "Burp Scan":
parser = BurpXmlParser(file, test)
elif scan_type == "Nessus Scan":
filename = file.name.lower()
if filename.endswith("csv"):
parser = NessusCSVParser(file, test)
elif filename.endswith("xml") or filename.endswith("nessus"):
parser = NessusXMLParser(file, test)
elif scan_type == "Clair Scan":
parser = ClairParser(file, test)
elif scan_type == "Nmap Scan":
parser = NmapXMLParser(file, test)
elif scan_type == "Nikto Scan":
parser = NiktoXMLParser(file, test)
elif scan_type == "Nexpose Scan":
parser = NexposeFullXmlParser(file, test)
elif scan_type == "Veracode Scan":
parser = VeracodeXMLParser(file, test)
elif scan_type == "Checkmarx Scan":
parser = CheckmarxXMLParser(file, test)
elif scan_type == "Contrast Scan":
parser = ContrastCSVParser(file, test)
elif scan_type == "Crashtest Security Scan":
parser = CrashtestSecurityXmlParser(file, test)
elif scan_type == "Bandit Scan":
parser = BanditParser(file, test)
elif scan_type == "ZAP Scan":
parser = ZapXmlParser(file, test)
elif scan_type == "AppSpider Scan":
parser = AppSpiderXMLParser(file, test)
elif scan_type == "Arachni Scan":
parser = ArachniJSONParser(file, test)
elif scan_type == 'VCG Scan':
parser = VCGParser(file, test)
elif scan_type == 'Dependency Check Scan':
parser = DependencyCheckParser(file, test)
elif scan_type == 'Retire.js Scan':
parser = RetireJsParser(file, test)
elif scan_type == 'Node Security Platform Scan':
parser = NspParser(file, test)
elif scan_type == 'NPM Audit Scan':
parser = NpmAuditParser(file, test)
elif scan_type == 'Generic Findings Import':
parser = GenericFindingUploadCsvParser(file, test)
elif scan_type == 'Qualys Scan':
parser = QualysParser(file, test)
elif scan_type == 'Qualys Webapp Scan':
parser = QualysWebAppParser(file, test)
elif scan_type == "OpenVAS CSV":
parser = OpenVASUploadCsvParser(file, test)
elif scan_type == 'Snyk Scan':
parser = SnykParser(file, test)
elif scan_type == 'SKF Scan':
parser = SKFCsvParser(file, test)
elif scan_type == 'SSL Labs Scan':
parser = SSLlabsParser(file, test)
elif scan_type == 'Trufflehog Scan':
parser = TruffleHogJSONParser(file, test)
elif scan_type == 'Clair Klar Scan':
parser = ClairKlarParser(file, test)
elif scan_type == 'Gosec Scanner':
parser = GosecScannerParser(file, test)
elif scan_type == 'Trustwave Scan (CSV)':
parser = TrustwaveUploadCsvParser(file, test)
elif scan_type == 'Netsparker Scan':
parser = NetsparkerParser(file, test)
elif scan_type == 'PHP Security Audit v2':
parser = PhpSecurityAuditV2(file, test)
elif scan_type == 'Acunetix Scan':
parser = AcunetixScannerParser(file, test)
elif scan_type == 'Fortify Scan':
parser = FortifyXMLParser(file, test)
elif scan_type == 'SonarQube Scan':
parser = SonarQubeHtmlParser(file, test)
elif scan_type == 'MobSF Scan':
parser = MobSFParser(file, test)
elif scan_type == 'AWS Scout2 Scan':
parser = AWSScout2Parser(file, test)
elif scan_type == 'AWS Prowler Scan':
parser = AWSProwlerParser(file, test)
elif scan_type == 'Brakeman Scan':
parser = BrakemanScanParser(file, test)
elif scan_type == 'SpotBugs Scan':
parser = SpotbugsXMLParser(file, test)
elif scan_type == 'Safety Scan':
parser = SafetyParser(file, test)
else:
raise ValueError('Unknown Test Type')
return parser
def import_parser_factory(file, test, active, verified, scan_type=None):
if scan_type is None:
scan_type = test.test_type.name
if scan_type == "Burp Scan":
parser = BurpXmlParser(file, test)
elif scan_type == "Burp Enterprise Scan":
parser = BurpEnterpriseHtmlParser(file, test)
elif scan_type == "Nessus Scan":
filename = file.name.lower()
if filename.endswith("csv"):
parser = NessusCSVParser(file, test)
elif filename.endswith("xml") or filename.endswith("nessus"):
parser = NessusXMLParser(file, test)
elif scan_type == "Clair Scan":
parser = ClairParser(file, test)
elif scan_type == "Nmap Scan":
parser = NmapXMLParser(file, test)
elif scan_type == "Nikto Scan":
parser = NiktoXMLParser(file, test)
elif scan_type == "Nexpose Scan":
parser = NexposeFullXmlParser(file, test)
elif scan_type == "Veracode Scan":
parser = VeracodeXMLParser(file, test)
elif scan_type == "Checkmarx Scan":
parser = CheckmarxXMLParser(file, test)
elif scan_type == "Checkmarx Scan detailed":
parser = CheckmarxXMLParser(file, test, 'detailed')
elif scan_type == "Contrast Scan":
parser = ContrastCSVParser(file, test)
elif scan_type == "Crashtest Security JSON File":
parser = CrashtestSecurityJsonParser(file, test)
elif scan_type == "Crashtest Security XML File":
parser = CrashtestSecurityXmlParser(file, test)
elif scan_type == "Bandit Scan":
parser = BanditParser(file, test)
elif scan_type == "ESLint Scan":
parser = ESLintParser(file, test)
elif scan_type == "ZAP Scan":
parser = ZapXmlParser(file, test)
elif scan_type == "AppSpider Scan":
parser = AppSpiderXMLParser(file, test)
elif scan_type == "Arachni Scan":
parser = ArachniJSONParser(file, test)
elif scan_type == 'VCG Scan':
parser = VCGParser(file, test)
elif scan_type == 'Dependency Check Scan':
parser = DependencyCheckParser(file, test)
elif scan_type == 'Dependency Track Finding Packaging Format (FPF) Export':
parser = DependencyTrackParser(file, test)
elif scan_type == 'Retire.js Scan':
parser = RetireJsParser(file, test)
elif scan_type == 'Node Security Platform Scan':
parser = NspParser(file, test)
elif scan_type == 'NPM Audit Scan':
parser = NpmAuditParser(file, test)
elif scan_type == 'PHP Symfony Security Check':
parser = PhpSymfonySecurityCheckParser(file, test)
elif scan_type == 'Generic Findings Import':
parser = GenericFindingUploadCsvParser(file, test, active, verified)
elif scan_type == 'Qualys Scan':
parser = QualysParser(file, test)
elif scan_type == 'Qualys Infrastructure Scan (WebGUI XML)':
parser = QualysInfraScanParser(file, test)
elif scan_type == 'Qualys Webapp Scan':
parser = QualysWebAppParser(file, test)
elif scan_type == "OpenVAS CSV":
parser = OpenVASUploadCsvParser(file, test)
elif scan_type == 'Snyk Scan':
parser = SnykParser(file, test)
elif scan_type == 'SKF Scan':
parser = SKFCsvParser(file, test)
elif scan_type == 'SSL Labs Scan':
parser = SSLlabsParser(file, test)
elif scan_type == 'Trufflehog Scan':
parser = TruffleHogJSONParser(file, test)
elif scan_type == 'Clair Klar Scan':
parser = ClairKlarParser(file, test)
elif scan_type == 'Gosec Scanner':
parser = GosecScannerParser(file, test)
elif scan_type == 'Trustwave Scan (CSV)':
parser = TrustwaveUploadCsvParser(file, test)
elif scan_type == 'Netsparker Scan':
parser = NetsparkerParser(file, test)
elif scan_type == 'PHP Security Audit v2':
parser = PhpSecurityAuditV2(file, test)
elif scan_type == 'Acunetix Scan':
parser = AcunetixScannerParser(file, test)
elif scan_type == 'Fortify Scan':
parser = FortifyXMLParser(file, test)
elif scan_type == 'SonarQube Scan':
parser = SonarQubeHtmlParser(file, test)
elif scan_type == 'SonarQube Scan detailed':
parser = SonarQubeHtmlParser(file, test, 'detailed')
elif scan_type == SCAN_SONARQUBE_API:
parser = SonarQubeApiImporter(test)
elif scan_type == 'MobSF Scan':
parser = MobSFParser(file, test)
elif scan_type == 'AWS Scout2 Scan':
parser = AWSScout2Parser(file, test)
elif scan_type == 'AWS Prowler Scan':
parser = AWSProwlerParser(file, test)
elif scan_type == 'Brakeman Scan':
parser = BrakemanScanParser(file, test)
elif scan_type == 'SpotBugs Scan':
parser = SpotbugsXMLParser(file, test)
elif scan_type == 'Safety Scan':
parser = SafetyParser(file, test)
elif scan_type == 'DawnScanner Scan':
parser = DawnScannerParser(file, test)
elif scan_type == 'Anchore Engine Scan':
parser = AnchoreEngineScanParser(file, test)
elif scan_type == 'Bundler-Audit Scan':
parser = BundlerAuditParser(file, test)
elif scan_type == 'Twistlock Image Scan':
parser = TwistlockParser(file, test)
elif scan_type == 'IBM AppScan DAST':
parser = IbmAppScanDASTXMLParser(file, test)
elif scan_type == 'Kiuwan Scan':
parser = KiuwanCSVParser(file, test)
elif scan_type == 'Blackduck Hub Scan':
parser = BlackduckHubCSVParser(file, test)
elif scan_type == 'Blackduck Component Risk':
parser = BlackduckHubParser(file, test)
elif scan_type == 'Sonatype Application Scan':
parser = SonatypeJSONParser(file, test)
elif scan_type == 'Openscap Vulnerability Scan':
parser = OpenscapXMLParser(file, test)
elif scan_type == 'Immuniweb Scan':
parser = ImmuniwebXMLParser(file, test)
elif scan_type == 'Wapiti Scan':
parser = WapitiXMLParser(file, test)
elif scan_type == 'Cobalt.io Scan':
parser = CobaltCSVParser(file, test)
elif scan_type == 'Mozilla Observatory Scan':
parser = MozillaObservatoryJSONParser(file, test)
elif scan_type == 'Whitesource Scan':
parser = WhitesourceJSONParser(file, test)
elif scan_type == 'Microfocus Webinspect Scan':
parser = MicrofocusWebinspectXMLParser(file, test)
elif scan_type == 'Wpscan':
parser = WpscanJSONParser(file, test)
elif scan_type == 'Sslscan':
parser = SslscanXMLParser(file, test)
elif scan_type == 'JFrog Xray Scan':
parser = XrayJSONParser(file, test)
elif scan_type == 'Sslyze Scan':
parser = SslyzeXmlParser(file, test)
elif scan_type == 'Testssl Scan':
parser = TestsslCSVParser(file, test)
elif scan_type == 'Hadolint Dockerfile check':
parser = HadolintParser(file, test)
elif scan_type == 'Aqua Scan':
parser = AquaJSONParser(file, test)
elif scan_type == 'HackerOne Cases':
parser = HackerOneJSONParser(file, test)
elif scan_type == 'Xanitizer Scan':
parser = XanitizerXMLParser(file, test)
elif scan_type == 'Trivy Scan':
parser = TrivyParser(file, test)
elif scan_type == 'Outpost24 Scan':
parser = Outpost24Parser(file, test)
elif scan_type == 'DSOP Scan':
parser = DsopParser(file, test)
elif scan_type == 'Anchore Enterprise Policy Check':
parser = AnchoreEnterprisePolicyCheckParser(file, test)
elif scan_type == 'Gitleaks Scan':
parser = GitleaksJSONParser(file, test)
elif scan_type == 'Harbor Vulnerability Scan':
parser = HarborVulnerabilityParser(file, test)
elif scan_type == 'Github Vulnerability Scan':
parser = GithubVulnerabilityParser(file, test)
elif scan_type == 'Choctaw Hog Scan':
parser = ChoctawhogParser(file, test)
elif scan_type == 'GitLab SAST Report':
parser = GitlabSastReportParser(file, test)
elif scan_type == 'Yarn Audit Scan':
parser = YarnAuditParser(file, test)
elif scan_type == 'BugCrowd Scan':
parser = BugCrowdCSVParser(file, test)
elif scan_type == 'HuskyCI Report':
parser = HuskyCIReportParser(file, test)
elif scan_type == 'CCVS Report':
parser = CCVSReportParser(file, test)
else:
raise ValueError('Unknown Test Type')
return parser
def test_detailed_parse_file_with_table_in_table(self):
my_file_handle, product, engagement, test = self.init(
"dojo/unittests/scans/sonarqube/sonar-table-in-table.html")
self.parser = SonarQubeHtmlParser(my_file_handle, test, 'detailed')
self.teardown(my_file_handle)
self.assertEqual(1, len(self.parser.items))
# check content
item = self.parser.items[0]
self.assertEqual(str, type(self.parser.items[0].title))
self.assertEqual("\"clone\" should not be overridden", item.title)
self.assertEqual(int, type(item.cwe))
self.assertEqual(0, item.cwe)
self.assertEqual(bool, type(item.active))
self.assertEqual(False, item.active)
self.assertEqual(bool, type(item.verified))
self.assertEqual(False, item.verified)
self.assertEqual(str, type(item.description))
self.assertMultiLineEqual(
"Many consider clone and Cloneable broken in Java, largely because the rules for overriding clone are tricky\n"
"and difficult to get right, according to Joshua Bloch:\n"
"\n"
" Object's clone method is very tricky. It's based on field copies, and it's \"extra-linguistic.\" It creates an object without calling a constructor.\n"
" There are no guarantees that it preserves the invariants established by the constructors. There have been lots of bugs over the years, both in and\n"
" outside Sun, stemming from the fact that if you just call super.clone repeatedly up the chain until you have cloned an object, you have a shallow\n"
" copy of the object. The clone generally shares state with the object being cloned. If that state is mutable, you don't have two independent objects.\n"
" If you modify one, the other changes as well. And all of a sudden, you get random behavior.\n"
"\n"
"A copy constructor or copy factory should be used instead.\n"
"This rule raises an issue when clone is overridden, whether or not Cloneable is implemented.\n"
"**Noncompliant Code Example**\n"
"\n"
"public class MyClass {\n"
" // ...\n"
"\n"
" public Object clone() { // Noncompliant\n"
" //...\n"
" }\n"
"}\n"
"\n"
"**Compliant Solution**\n"
"\n"
"public class MyClass {\n"
" // ...\n"
"\n"
" MyClass (MyClass source) {\n"
" //...\n"
" }\n"
"}", item.description)
self.assertEqual(str, type(item.severity))
self.assertEqual("Critical", item.severity)
self.assertEqual(str, type(item.numerical_severity))
self.assertEqual("S0", item.numerical_severity)
self.assertEqual(str, type(item.mitigation))
self.assertEqual(
"Remove this \"clone\" implementation; use a copy constructor or copy factory instead.",
item.mitigation)
self.assertEqual(str, type(item.references))
self.assertMultiLineEqual(
"squid:S2975\n"
"Copy Constructor versus Cloning\n"
"S2157\n"
"S1182", item.references)
self.assertEqual(str, type(item.file_path))
self.assertEqual("java/org/apache/catalina/util/URLEncoder.java",
item.file_path)
self.assertEqual(str, type(item.line))
self.assertEqual("190", item.line)
self.assertEqual(str, type(item.unique_id_from_tool))
self.assertEqual("AWK40IMu-pl6AHs22MnV", item.unique_id_from_tool)
self.assertEqual(bool, type(item.static_finding))
self.assertEqual(True, item.static_finding)
self.assertEqual(bool, type(item.dynamic_finding))
self.assertEqual(False, item.dynamic_finding)
def import_parser_factory(file, test, active, verified, scan_type=None):
if scan_type is None:
scan_type = test.test_type.name
if scan_type == "Burp Scan":
parser = BurpXmlParser(file, test)
elif scan_type == "Nessus Scan":
filename = file.name.lower()
if filename.endswith("csv"):
parser = NessusCSVParser(file, test)
elif filename.endswith("xml") or filename.endswith("nessus"):
parser = NessusXMLParser(file, test)
elif scan_type == "Clair Scan":
parser = ClairParser(file, test)
elif scan_type == "Nmap Scan":
parser = NmapXMLParser(file, test)
elif scan_type == "Nikto Scan":
parser = NiktoXMLParser(file, test)
elif scan_type == "Nexpose Scan":
parser = NexposeFullXmlParser(file, test)
elif scan_type == "Veracode Scan":
parser = VeracodeXMLParser(file, test)
elif scan_type == "Checkmarx Scan":
parser = CheckmarxXMLParser(file, test)
elif scan_type == "Contrast Scan":
parser = ContrastCSVParser(file, test)
elif scan_type == "Crashtest Security Scan":
parser = CrashtestSecurityXmlParser(file, test)
elif scan_type == "Bandit Scan":
parser = BanditParser(file, test)
elif scan_type == "ZAP Scan":
parser = ZapXmlParser(file, test)
elif scan_type == "AppSpider Scan":
parser = AppSpiderXMLParser(file, test)
elif scan_type == "Arachni Scan":
parser = ArachniJSONParser(file, test)
elif scan_type == 'VCG Scan':
parser = VCGParser(file, test)
elif scan_type == 'Dependency Check Scan':
parser = DependencyCheckParser(file, test)
elif scan_type == 'Retire.js Scan':
parser = RetireJsParser(file, test)
elif scan_type == 'Node Security Platform Scan':
parser = NspParser(file, test)
elif scan_type == 'NPM Audit Scan':
parser = NpmAuditParser(file, test)
elif scan_type == 'Symfony Security Check':
parser = PhpSymfonySecurityCheckParser(file, test)
elif scan_type == 'Generic Findings Import':
parser = GenericFindingUploadCsvParser(file, test, active, verified)
elif scan_type == 'Qualys Scan':
parser = QualysParser(file, test)
elif scan_type == 'Qualys Webapp Scan':
parser = QualysWebAppParser(file, test)
elif scan_type == "OpenVAS CSV":
parser = OpenVASUploadCsvParser(file, test)
elif scan_type == 'Snyk Scan':
parser = SnykParser(file, test)
elif scan_type == 'SKF Scan':
parser = SKFCsvParser(file, test)
elif scan_type == 'SSL Labs Scan':
parser = SSLlabsParser(file, test)
elif scan_type == 'Trufflehog Scan':
parser = TruffleHogJSONParser(file, test)
elif scan_type == 'Clair Klar Scan':
parser = ClairKlarParser(file, test)
elif scan_type == 'Gosec Scanner':
parser = GosecScannerParser(file, test)
elif scan_type == 'Trustwave Scan (CSV)':
parser = TrustwaveUploadCsvParser(file, test)
elif scan_type == 'Netsparker Scan':
parser = NetsparkerParser(file, test)
elif scan_type == 'PHP Security Audit v2':
parser = PhpSecurityAuditV2(file, test)
elif scan_type == 'Acunetix Scan':
parser = AcunetixScannerParser(file, test)
elif scan_type == 'Fortify Scan':
parser = FortifyXMLParser(file, test)
elif scan_type == 'SonarQube Scan':
parser = SonarQubeHtmlParser(file, test)
elif scan_type == 'MobSF Scan':
parser = MobSFParser(file, test)
elif scan_type == 'AWS Scout2 Scan':
parser = AWSScout2Parser(file, test)
elif scan_type == 'AWS Prowler Scan':
parser = AWSProwlerParser(file, test)
elif scan_type == 'Brakeman Scan':
parser = BrakemanScanParser(file, test)
elif scan_type == 'SpotBugs Scan':
parser = SpotbugsXMLParser(file, test)
elif scan_type == 'Safety Scan':
parser = SafetyParser(file, test)
elif scan_type == 'DawnScanner Scan':
parser = DawnScannerParser(file, test)
elif scan_type == 'Anchore Engine Scan':
parser = AnchoreEngineScanParser(file, test)
elif scan_type == 'Bundler-Audit Scan':
parser = BundlerAuditParser(file, test)
elif scan_type == 'Twistlock Image Scan':
parser = TwistlockParser(file, test)
elif scan_type == 'IBM AppScan DAST':
parser = IbmAppScanDASTXMLParser(file, test)
elif scan_type == 'Kiuwan Scan':
parser = KiuwanCSVParser(file, test)
elif scan_type == 'Blackduck Hub Scan':
parser = BlackduckHubCSVParser(file, test)
elif scan_type == 'Sonatype Application Scan':
parser = SonatypeJSONParser(file, test)
elif scan_type == 'Openscap Vulnerability Scan':
parser = OpenscapXMLParser(file, test)
elif scan_type == 'Immuniweb Scan':
parser = ImmuniwebXMLParser(file, test)
elif scan_type == 'Wapiti Scan':
parser = WapitiXMLParser(file, test)
elif scan_type == 'Cobalt.io Scan':
parser = CobaltCSVParser(file, test)
elif scan_type == 'Mozilla Observatory Scan':
parser = MozillaObservatoryJSONParser(file, test)
elif scan_type == 'Whitesource Scan':
parser = WhitesourceJSONParser(file, test)
elif scan_type == 'Microfocus Webinspect Scan':
parser = MicrofocusWebinspectXMLParser(file, test)
elif scan_type == 'Wpscan':
parser = WpscanJSONParser(file, test)
elif scan_type == 'Sslscan':
parser = SslscanXMLParser(file, test)
elif scan_type == 'JFrog Xray Scan':
parser = XrayJSONParser(file, test)
elif scan_type == 'Sslyze Scan':
parser = SslyzeXmlParser(file, test)
elif scan_type == 'Testssl Scan':
parser = TestsslCSVParser(file, test)
elif scan_type == 'Hadolint Dockerfile check':
parser = HadolintParser(file, test)
else:
raise ValueError('Unknown Test Type')
return parser
def test_parse_file_with_single_vulnerability_has_single_finding(self):
my_file_handle = open(
"dojo/unittests/scans/sonarqube/sonar-single-finding.html")
product = Product()
engagement = Engagement()
test = Test()
engagement.product = product
test.engagement = engagement
self.parser = SonarQubeHtmlParser(my_file_handle, test)
my_file_handle.close()
self.assertEqual(1, len(self.parser.items))
# check content
item = self.parser.items[0]
self.assertEqual(str, type(self.parser.items[0].title))
self.assertEqual("Credentials should not be hard-coded", item.title)
self.assertEqual(int, type(item.cwe))
# This is only the first CWE in the list!
self.assertEqual(798, item.cwe)
self.assertEqual(bool, type(item.active))
self.assertEqual(False, item.active)
self.assertEqual(bool, type(item.verified))
self.assertEqual(False, item.verified)
self.assertEqual(str, type(item.description))
self.assertMultiLineEqual(
"Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\n"
"end up in the hands of an attacker. This is particularly true for applications that are distributed.\n"
"Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.\n"
"It's recommended to customize the configuration of this rule with additional credential words such as \"oauthToken\", \"secret\", ...\n"
"**Noncompliant Code Example**\n"
"\n"
"Connection conn = null;\n"
"try {\n"
" conn = DriverManager.getConnection(\"jdbc:mysql://localhost/test?\" +\n"
" \"user=steve&password=blue\"); // Noncompliant\n"
" String uname = \"steve\";\n"
" String password = \"blue\";\n"
" conn = DriverManager.getConnection(\"jdbc:mysql://localhost/test?\" +\n"
" \"user=\" + uname + \"&password=\" + password); // Noncompliant\n"
"\n"
" java.net.PasswordAuthentication pa = new java.net.PasswordAuthentication(\"userName\", \"1234\".toCharArray()); // Noncompliant\n"
"\n"
"**Compliant Solution**\n"
"\n"
"Connection conn = null;\n"
"try {\n"
" String uname = getEncryptedUser();\n"
" String password = getEncryptedPass();\n"
" conn = DriverManager.getConnection(\"jdbc:mysql://localhost/test?\" +\n"
" \"user=\" + uname + \"&password=\" + password);",
item.description)
self.assertEqual(str, type(item.severity))
self.assertEqual("Critical", item.severity)
self.assertEqual(str, type(item.numerical_severity))
self.assertEqual("S0", item.numerical_severity)
self.assertEqual(str, type(item.mitigation))
self.assertEqual(
"'PASSWORD' detected in this expression, review this potentially hardcoded credential.",
item.mitigation)
self.assertEqual(str, type(item.references))
self.assertMultiLineEqual(
"squid:S2068\n"
"OWASP Top 10 2017 Category A2\n"
"MITRE, CWE-798\n"
"MITRE, CWE-259\n"
"CERT, MSC03-J.\n"
"SANS Top 25\n"
"Hard Coded Password", item.references)
self.assertEqual(str, type(item.file_path))
self.assertEqual(
"tomcat_180410:modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/DataSourceFactory.java",
item.file_path)
self.assertEqual(str, type(item.line))
self.assertEqual("66", item.line)
self.assertEqual(bool, type(item.static_finding))
self.assertEqual(True, item.static_finding)
self.assertEqual(bool, type(item.dynamic_finding))
self.assertEqual(False, item.dynamic_finding)
