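def test_detailed_parse_file_with_no_vulnerabilities_has_no_findings(self):
    """Detailed mode on a report with no results must yield zero findings.

    ``self.init`` opens the fixture and returns the open handle together
    with the product, engagement and test objects.  The handle is handed
    back to ``self.teardown`` in a ``finally`` so that a parser exception
    cannot leak the open fixture file.
    """
    my_file_handle, product, engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/no_finding.xml")
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        # Tear down on every path; the original only did so after a
        # successful parse.
        self.teardown(my_file_handle)
    self.assertEqual(0, len(findings))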
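def test_detailed_parse_file_with_false_positive_is_false_positive(self):
    """A finding flagged false positive in the report stays so in detailed mode.

    The assertions themselves live in
    ``check_parse_file_with_false_positive_is_false_positive``, which is
    shared with the aggregated-mode test.  The fixture handle is released
    in a ``finally`` so a parse failure cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/single_finding_false_positive.xml")
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    # Verifications common to both parsers
    self.check_parse_file_with_false_positive_is_false_positive(findings)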
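def test_detailed_parse_file_with_same_sourceFilename_different_sinkFilename_is_not_aggregated(self, mock):
    """Two results sharing a source file but not a sink file stay separate.

    ``mock`` is injected by a patch decorator that is outside this view;
    the test only asserts it was last called with ``(product, 'Java')``.
    The fixture handle is released in a ``finally`` so a parse failure
    cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/multiple_findings_same_sourceFilename_different_sinkFilename.xml"
    )
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    # Detailed mode must not merge the two paths into one finding.
    self.assertEqual(2, len(findings))
    mock.assert_called_with(product, 'Java')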
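def test_detailed_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self, mock):
    """Three results in the report become three findings in detailed mode.

    ``mock`` is injected by a patch decorator that is outside this view;
    the test only asserts it was last called with ``(product, 'Java')``.
    The fixture handle is released in a ``finally`` so a parse failure
    cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/multiple_findings.xml"
    )
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    self.assertEqual(3, len(findings))
    mock.assert_called_with(product, 'Java')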
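def test_detailed_parse_file_with_no_vulnerabilities_has_no_findings(self, mock):
    """Detailed mode on a report with no results must yield zero findings.

    The fixture path is built from ``get_unit_tests_path()``.  ``mock`` is
    injected by a patch decorator that is outside this view; the test only
    asserts it was last called with ``(product, 'Java')``.  The fixture
    handle is released in a ``finally`` so a parse failure cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        get_unit_tests_path() + "/scans/checkmarx/no_finding.xml"
    )
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    self.assertEqual(0, len(findings))
    mock.assert_called_with(product, 'Java')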
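def test_detailed_parse_file_with_false_positive_is_false_positive(self, mock):
    """A finding flagged false positive in the report stays so in detailed mode.

    The assertions live in
    ``check_parse_file_with_false_positive_is_false_positive``, shared with
    the aggregated-mode test.  ``mock`` is injected by a patch decorator
    outside this view and is only checked for its last call.  The fixture
    handle is released in a ``finally`` so a parse failure cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        get_unit_tests_path() + "/scans/checkmarx/single_finding_false_positive.xml"
    )
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    # Verifications common to both parsers
    self.check_parse_file_with_false_positive_is_false_positive(findings)
    mock.assert_called_with(product, 'Java')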
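def test_detailed_parse_file_with_different_sourceFilename_same_sinkFilename_is_not_aggregated(self):
    """Two results sharing a sink file but not a source file stay separate.

    Detailed mode must not merge the two paths, so ``nb_occurences`` is
    expected to be ``None`` on both findings (the aggregated counter is
    not populated).  The fixture handle is released in a ``finally`` so a
    parse failure cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/multiple_findings_different_sourceFilename_same_sinkFilename.xml"
    )
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    self.assertEqual(2, len(findings))
    self.assertIsNone(findings[0].nb_occurences)
    self.assertIsNone(findings[1].nb_occurences)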
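def test_detailed_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self, mock):
    """Three results become three findings; the first is checked field by field.

    ``mock`` is injected by a patch decorator outside this view; here it is
    expected to have been called with ``files=3`` as well as
    ``(product, 'Java')``.  The fixture handle is released in a
    ``finally`` so a parse failure cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        get_unit_tests_path() + "/scans/checkmarx/multiple_findings.xml")
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    self.assertEqual(3, len(findings))
    mock.assert_called_with(product, 'Java', files=3)
    with self.subTest(i=0):
        finding = findings[0]
        self.assertEqual("SQL Injection (Assignment5.java)", finding.title)
        self.assertEqual("High", finding.severity)
        self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), finding.date)
        self.assertEqual(True, finding.static_finding)
        self.assertEqual(
            "WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java",
            finding.file_path)
        # In this fixture ``line`` is an int, unlike the str ``line`` the
        # single-finding test asserts — the parser's type is not uniform.
        self.assertEqual(50, finding.line)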
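def test_detailed_parse_file_with_single_vulnerability_has_single_finding(self, mock):
    """One result becomes one finding; detailed-only fields are checked here.

    The common assertions live in
    ``check_parse_file_with_single_vulnerability_has_single_finding``.
    This test additionally pins the rendered Markdown description (one
    ``-----`` section per path node), the ``line`` as a string, and the
    ``unique_id_from_tool`` / ``sast_*`` fields that only detailed mode
    populates.  ``mock`` is injected by a patch decorator outside this
    view.  The fixture handle is released in a ``finally`` so a parse
    failure cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/single_finding.xml"
    )
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    # Verifications common to both parsers
    self.check_parse_file_with_single_vulnerability_has_single_finding(findings)
    # Fields that differ from aggregated scanner
    item = findings[0]
    self.assertEqual(str, type(item.description))
    self.assertMultiLineEqual(
        "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
        "**Language:** Java\n"
        "**Group:** Java High Risk\n"
        "**Status:** New\n"
        "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
        "\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 59\n"
        "**Source Object:** executeQuery\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 27\n"
        "**Source Object:** results\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 46\n"
        "**Column:** 28\n"
        "**Source Object:** results\n"
        "**Number:** 46\n"
        "**Code:** while (results.next()) {\n"
        "-----\n"
        "**Line Number:** 47\n"
        "**Column:** 34\n"
        "**Source Object:** results\n"
        "**Number:** 47\n"
        "**Code:** int id = results.getInt(0);\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 64\n"
        "**Source Object:** getString\n"
        "**Number:** 53\n"
        '**Code:** userMap.put("cookie", results.getString(5));\n'
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 36\n"
        "**Source Object:** put\n"
        "**Number:** 53\n"
        '**Code:** userMap.put("cookie", results.getString(5));\n'
        "-----\n"
        "**Line Number:** 54\n"
        "**Column:** 25\n"
        "**Source Object:** userMap\n"
        "**Number:** 54\n"
        '**Code:** userMap.put("loginCOunt",Integer.toString(results.getInt(6)));\n'
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 44\n"
        "**Source Object:** userMap\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 40\n"
        "**Source Object:** put\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 58\n"
        "**Column:** 28\n"
        "**Source Object:** allUsersMap\n"
        "**Number:** 58\n"
        "**Code:** return allUsersMap;\n"
        "-----\n",
        item.description,
    )
    self.assertEqual(str, type(item.line))
    self.assertEqual("58", item.line)
    # Added field for detailed scanner
    self.assertEqual(str, type(item.unique_id_from_tool))
    # unique_id_from_tool update from PathId to SimilarityId+PathId
    self.assertEqual("157422106028", item.unique_id_from_tool)
    self.assertEqual(str, type(item.sast_source_object))
    self.assertEqual("executeQuery", item.sast_source_object)
    self.assertEqual(str, type(item.sast_sink_object))
    self.assertEqual("allUsersMap", item.sast_sink_object)
    self.assertEqual(str, type(item.sast_source_line))
    self.assertEqual("39", item.sast_source_line)
    self.assertEqual(str, type(item.sast_source_file_path))
    self.assertEqual(
        "WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java",
        item.sast_source_file_path,
    )
    # Detailed mode does not populate the aggregated occurrence counter.
    self.assertIsNone(item.nb_occurences)
    mock.assert_called_with(product, 'Java')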
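def test_detailed_parse_file_with_utf8_various_non_ascii_char(self, mock):
    """Non-ASCII Latin characters in the report survive into the description.

    The fixture embeds the U+00A1..U+017F range in source-object and code
    text; the expected description below carries the same run verbatim, so
    any decoding or escaping done by the parser would fail this test.  The
    common assertions live in
    ``check_parse_file_with_utf8_various_non_ascii_char``.  ``mock`` is
    injected by a patch decorator outside this view.  The fixture handle
    is released in a ``finally`` so a parse failure cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/utf8_various_non_ascii_char.xml"
    )
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    # Verifications common to both parsers
    self.check_parse_file_with_utf8_various_non_ascii_char(findings)
    # Fields that differ from aggregated scanner
    item = findings[0]
    self.assertEqual(str, type(item.description))
    self.assertMultiLineEqual(
        "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
        "**Language:** Java\n"
        "**Group:** Java High Risk\n"
        "**Status:** New\n"
        "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
        "\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 59\n"
        "**Source Object:** executeQuery¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 27\n"
        "**Source Object:** results\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);//all latins non ascii with extended: U+00A1 to U+017F (ref https://www.utf8-chartable.de/unicode-utf8-table.pl): ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
        "-----\n"
        "**Line Number:** 46\n"
        "**Column:** 28\n"
        "**Source Object:** results\n"
        "**Number:** 46\n"
        "**Code:** while (results.next()) { // other: ƒ\n"
        "-----\n"
        "**Line Number:** 47\n"
        "**Column:** 34\n"
        "**Source Object:** results\n"
        "**Number:** 47\n"
        "**Code:** int id = results.getInt(0);\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 64\n"
        "**Source Object:** getString\n"
        "**Number:** 53\n"
        '**Code:** userMap.put("cookie", results.getString(5));\n'
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 36\n"
        "**Source Object:** put\n"
        "**Number:** 53\n"
        '**Code:** userMap.put("cookie", results.getString(5));\n'
        "-----\n"
        "**Line Number:** 54\n"
        "**Column:** 25\n"
        "**Source Object:** userMap\n"
        "**Number:** 54\n"
        '**Code:** userMap.put("loginCOunt",Integer.toString(results.getInt(6)));\n'
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 44\n"
        "**Source Object:** userMap\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 40\n"
        "**Source Object:** put\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 58\n"
        "**Column:** 28\n"
        "**Source Object:** allUsersMap¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
        "**Number:** 58\n"
        "**Code:** return allUsersMap;\n"
        "-----\n",
        item.description,
    )
    self.assertEqual(str, type(item.line))
    self.assertEqual("58", item.line)
    mock.assert_called_with(product, 'Java')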
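def test_detailed_parse_file_with_utf8_replacement_char(self, mock):
    """A U+FFFD replacement character in the report is passed through as-is.

    The expected description keeps the replacement character in the
    source-object and code text, so the parser must neither drop it nor
    fail on it.  The common assertions live in
    ``check_parse_file_with_utf8_replacement_char``.  ``mock`` is injected
    by a patch decorator outside this view.  The fixture handle is
    released in a ``finally`` so a parse failure cannot leak it.
    """
    my_file_handle, product, engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/utf8_replacement_char.xml"
    )
    parser = CheckmarxParser()
    parser.set_mode('detailed')
    try:
        findings = parser.get_findings(my_file_handle, test)
    finally:
        self.teardown(my_file_handle)
    # Verifications common to both parsers
    self.check_parse_file_with_utf8_replacement_char(findings)
    # Fields that differ from aggregated scanner
    item = findings[0]
    self.assertEqual(str, type(item.description))
    self.assertMultiLineEqual(
        "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
        "**Language:** Java\n"
        "**Group:** Java High Risk\n"
        "**Status:** New\n"
        "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
        "\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 59\n"
        "**Source Object:** executeQuery�\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);//�\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 27\n"
        "**Source Object:** results\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 46\n"
        "**Column:** 28\n"
        "**Source Object:** results\n"
        "**Number:** 46\n"
        "**Code:** while (results.next()) {\n"
        "-----\n"
        "**Line Number:** 47\n"
        "**Column:** 34\n"
        "**Source Object:** results\n"
        "**Number:** 47\n"
        "**Code:** int id = results.getInt(0);\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 64\n"
        "**Source Object:** getString\n"
        "**Number:** 53\n"
        '**Code:** userMap.put("cookie", results.getString(5));\n'
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 36\n"
        "**Source Object:** put\n"
        "**Number:** 53\n"
        '**Code:** userMap.put("cookie", results.getString(5));\n'
        "-----\n"
        "**Line Number:** 54\n"
        "**Column:** 25\n"
        "**Source Object:** userMap\n"
        "**Number:** 54\n"
        '**Code:** userMap.put("loginCOunt",Integer.toString(results.getInt(6)));\n'
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 44\n"
        "**Source Object:** userMap\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 40\n"
        "**Source Object:** put\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 58\n"
        "**Column:** 28\n"
        "**Source Object:** allUsersMap�\n"
        "**Number:** 58\n"
        "**Code:** return allUsersMap;\n"
        "-----\n",
        item.description,
    )
    self.assertEqual(str, type(item.line))
    self.assertEqual("58", item.line)
    mock.assert_called_with(product, 'Java')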