def test_file_name_aggregated_parse_file_with_different_sourceFilename_same_sinkFilename_is_aggregated(self):
    """Results that share a sink filename collapse into one finding in aggregated mode.

    The fixture holds two Checkmarx results whose source filenames differ but
    whose sink filename is the same.  The default (aggregated) parser keys on
    the sink filename only, so both results end up in a single item whose
    ``nb_occurences`` records how many tool results were merged.
    """
    file_handle, _product, _engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/multiple_findings_different_sourceFilename_same_sinkFilename.xml"
    )
    self.parser = CheckmarxXMLParser(file_handle, test)
    self.teardown(file_handle)

    findings = self.parser.items
    # Aggregation key is the sink filename, so differing source filenames do not split the finding.
    self.assertEqual(1, len(findings))
    # nb_occurences counts the tool results folded into this one finding.
    self.assertEqual(2, findings[0].nb_occurences)
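def import_parser_factory(file, test):
    """Instantiate the report parser that matches the test's scan type.

    Args:
        file: the uploaded report (file-like).  Only the Nessus branch looks at
            it here, via ``file.name``, to tell a CSV export from an XML one.
        test: the Test the report is imported into; ``test.test_type.name``
            selects the parser.

    Returns:
        A parser instance built with ``(file, test)``.

    Raises:
        ValueError: when the test type has no parser, or when a Nessus upload's
            filename ends in none of csv / xml / nessus.  The latter case used
            to fall through to ``return parser`` with ``parser`` never assigned
            and surfaced as an UnboundLocalError instead of a clean
            validation error.
    """
    scan_type = test.test_type.name
    if scan_type == "Burp Scan":
        parser = BurpXmlParser(file, test)
    elif scan_type == "Nessus Scan":
        # Nessus exports are either CSV or XML/.nessus.  The extension of the
        # (user-supplied) upload filename only chooses between the two Nessus
        # parsers; it grants nothing else.
        filename = file.name.lower()
        if filename.endswith("csv"):
            parser = NessusCSVParser(file, test)
        elif filename.endswith(("xml", "nessus")):
            parser = NessusXMLParser(file, test)
        else:
            raise ValueError('Unknown file extension for Nessus Scan (expected csv, xml or nessus)')
    elif scan_type == "Nmap Scan":
        parser = NmapXMLParser(file, test)
    elif scan_type == "Nexpose Scan":
        parser = NexposeFullXmlParser(file, test)
    elif scan_type == "Veracode Scan":
        parser = VeracodeXMLParser(file, test)
    elif scan_type == "Checkmarx Scan":
        parser = CheckmarxXMLParser(file, test)
    elif scan_type == "Bandit Scan":
        parser = BanditParser(file, test)
    elif scan_type == "ZAP Scan":
        parser = ZapXmlParser(file, test)
    elif scan_type == "AppSpider Scan":
        parser = AppSpiderXMLParser(file, test)
    elif scan_type == "Arachni Scan":
        parser = ArachniJSONParser(file, test)
    elif scan_type == 'VCG Scan':
        parser = VCGParser(file, test)
    elif scan_type == 'Dependency Check Scan':
        parser = DependencyCheckParser(file, test)
    elif scan_type == 'Retire.js Scan':
        parser = RetireJsParser(file, test)
    elif scan_type == 'Node Security Platform Scan':
        parser = NspParser(file, test)
    elif scan_type == 'Generic Findings Import':
        parser = GenericFindingUploadCsvParser(file, test)
    elif scan_type == 'Qualys Scan':
        parser = QualysParser(file, test)
    elif scan_type == 'Qualys Webapp Scan':
        parser = QualysWebAppParser(file, test)
    elif scan_type == "OpenVAS CSV":
        parser = OpenVASUploadCsvParser(file, test)
    elif scan_type == 'Snyk Scan':
        parser = SnykParser(file, test)
    elif scan_type == 'SKF Scan':
        parser = SKFCsvParser(file, test)
    elif scan_type == 'SSL Labs Scan':
        parser = SSLlabsParser(file, test)
    else:
        raise ValueError('Unknown Test Type')
    return parser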
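def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self):
    """Aggregated mode folds the fixture's three Checkmarx results into two findings.

    Builds a minimal Product -> Engagement -> Test chain, parses the fixture,
    and checks the item count.  The file is opened with a context manager so
    the handle is released even if the parser raises; the former explicit
    ``close()`` after construction offered no such guarantee.
    """
    product = Product()
    engagement = Engagement()
    test = Test()
    engagement.product = product
    test.engagement = engagement
    with open("dojo/unittests/scans/checkmarx/multiple_findings.xml") as my_file_handle:
        self.parser = CheckmarxXMLParser(my_file_handle, test)
    # checkmarx says 3 but we're down to 2 due to the aggregation on sink filename
    # rather than source filename + source line number + sink filename + sink line number
    self.assertEqual(2, len(self.parser.items))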
def test_file_name_aggregated_parse_file_with_two_aggregated_findings_one_is_false_p(self):
    """Two results merge into one finding, and that finding is not marked false positive.

    The fixture name says one of the two constituent results is a false
    positive; after aggregation the merged item is expected to be neither
    active, nor verified, nor false_p.  All three are checked to be real
    ``bool`` values, not merely falsy.
    """
    file_handle, _product, _engagement, test = self.init(
        "dojo/unittests/scans/checkmarx/two_aggregated_findings_one_is_false_positive.xml"
    )
    self.parser = CheckmarxXMLParser(file_handle, test)
    self.teardown(file_handle)

    self.assertEqual(1, len(self.parser.items))
    finding = self.parser.items[0]
    # A freshly parsed finding is never active/verified at this stage, and the
    # merged finding is not flagged false positive.
    for flag in (finding.active, finding.verified, finding.false_p):
        self.assertIs(type(flag), bool)
        self.assertIs(flag, False)
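def import_parser_factory(file, test):
    """Instantiate the report parser that matches the test's scan type.

    Args:
        file: the uploaded report (file-like).  Only the Nessus branch looks at
            it here, via ``file.name``, to tell a CSV export from an XML one.
        test: the Test the report is imported into; ``test.test_type.name``
            selects the parser.

    Returns:
        A parser instance built with ``(file, test)``.

    Raises:
        ValueError: when the test type has no parser, or when a Nessus upload's
            filename ends in none of csv / xml / nessus.  The latter case used
            to fall through to ``return parser`` with ``parser`` never assigned
            and surfaced as an UnboundLocalError instead of a clean
            validation error.
    """
    scan_type = test.test_type.name
    if scan_type == "Burp Scan":
        parser = BurpXmlParser(file, test)
    elif scan_type == "Nessus Scan":
        # Nessus exports are either CSV or XML/.nessus.  The extension of the
        # (user-supplied) upload filename only chooses between the two Nessus
        # parsers; it grants nothing else.
        filename = file.name.lower()
        if filename.endswith("csv"):
            parser = NessusCSVParser(file, test)
        elif filename.endswith(("xml", "nessus")):
            parser = NessusXMLParser(file, test)
        else:
            raise ValueError('Unknown file extension for Nessus Scan (expected csv, xml or nessus)')
    elif scan_type == "Nexpose Scan":
        parser = NexposeFullXmlParser(file, test)
    elif scan_type == "Veracode Scan":
        parser = VeracodeXMLParser(file, test)
    elif scan_type == "Checkmarx Scan":
        parser = CheckmarxXMLParser(file, test)
    elif scan_type == "ZAP Scan":
        parser = ZapXmlParser(file, test)
    elif scan_type == "AppSpider Scan":
        parser = AppSpiderXMLParser(file, test)
    else:
        raise ValueError('Unknown Test Type')
    return parser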
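def import_parser_factory(file, test, active, verified, scan_type=None):
    """Instantiate the report parser that matches a scan type.

    Args:
        file: the uploaded report (file-like).  Only the Nessus branch looks at
            it here, via ``file.name``, to tell a CSV export from an XML one.
        test: the Test the report is imported into; its ``test_type.name`` is
            used when ``scan_type`` is not given.
        active: forwarded only to GenericFindingUploadCsvParser.
        verified: forwarded only to GenericFindingUploadCsvParser.
        scan_type: optional explicit scan type overriding ``test.test_type.name``.

    Returns:
        A parser instance, built with ``(file, test)`` for every scanner except
        'Generic Findings Import', which also receives ``active`` and ``verified``.

    Raises:
        ValueError: when the scan type has no parser, or when a Nessus upload's
            filename ends in none of csv / xml / nessus.  The latter case used
            to fall through to ``return parser`` with ``parser`` never assigned
            and surfaced as an UnboundLocalError instead of a clean
            validation error.
    """
    if scan_type is None:
        scan_type = test.test_type.name
    if scan_type == "Burp Scan":
        parser = BurpXmlParser(file, test)
    elif scan_type == "Nessus Scan":
        # Nessus exports are either CSV or XML/.nessus.  The extension of the
        # (user-supplied) upload filename only chooses between the two Nessus
        # parsers; it grants nothing else.
        filename = file.name.lower()
        if filename.endswith("csv"):
            parser = NessusCSVParser(file, test)
        elif filename.endswith(("xml", "nessus")):
            parser = NessusXMLParser(file, test)
        else:
            raise ValueError('Unknown file extension for Nessus Scan (expected csv, xml or nessus)')
    elif scan_type == "Clair Scan":
        parser = ClairParser(file, test)
    elif scan_type == "Nmap Scan":
        parser = NmapXMLParser(file, test)
    elif scan_type == "Nikto Scan":
        parser = NiktoXMLParser(file, test)
    elif scan_type == "Nexpose Scan":
        parser = NexposeFullXmlParser(file, test)
    elif scan_type == "Veracode Scan":
        parser = VeracodeXMLParser(file, test)
    elif scan_type == "Checkmarx Scan":
        parser = CheckmarxXMLParser(file, test)
    elif scan_type == "Contrast Scan":
        parser = ContrastCSVParser(file, test)
    elif scan_type == "Crashtest Security Scan":
        parser = CrashtestSecurityXmlParser(file, test)
    elif scan_type == "Bandit Scan":
        parser = BanditParser(file, test)
    elif scan_type == "ZAP Scan":
        parser = ZapXmlParser(file, test)
    elif scan_type == "AppSpider Scan":
        parser = AppSpiderXMLParser(file, test)
    elif scan_type == "Arachni Scan":
        parser = ArachniJSONParser(file, test)
    elif scan_type == 'VCG Scan':
        parser = VCGParser(file, test)
    elif scan_type == 'Dependency Check Scan':
        parser = DependencyCheckParser(file, test)
    elif scan_type == 'Retire.js Scan':
        parser = RetireJsParser(file, test)
    elif scan_type == 'Node Security Platform Scan':
        parser = NspParser(file, test)
    elif scan_type == 'NPM Audit Scan':
        parser = NpmAuditParser(file, test)
    elif scan_type == 'Symfony Security Check':
        parser = PhpSymfonySecurityCheckParser(file, test)
    elif scan_type == 'Generic Findings Import':
        # The only parser that takes the import-time active/verified flags.
        parser = GenericFindingUploadCsvParser(file, test, active, verified)
    elif scan_type == 'Qualys Scan':
        parser = QualysParser(file, test)
    elif scan_type == 'Qualys Webapp Scan':
        parser = QualysWebAppParser(file, test)
    elif scan_type == "OpenVAS CSV":
        parser = OpenVASUploadCsvParser(file, test)
    elif scan_type == 'Snyk Scan':
        parser = SnykParser(file, test)
    elif scan_type == 'SKF Scan':
        parser = SKFCsvParser(file, test)
    elif scan_type == 'SSL Labs Scan':
        parser = SSLlabsParser(file, test)
    elif scan_type == 'Trufflehog Scan':
        parser = TruffleHogJSONParser(file, test)
    elif scan_type == 'Clair Klar Scan':
        parser = ClairKlarParser(file, test)
    elif scan_type == 'Gosec Scanner':
        parser = GosecScannerParser(file, test)
    elif scan_type == 'Trustwave Scan (CSV)':
        parser = TrustwaveUploadCsvParser(file, test)
    elif scan_type == 'Netsparker Scan':
        parser = NetsparkerParser(file, test)
    elif scan_type == 'PHP Security Audit v2':
        parser = PhpSecurityAuditV2(file, test)
    elif scan_type == 'Acunetix Scan':
        parser = AcunetixScannerParser(file, test)
    elif scan_type == 'Fortify Scan':
        parser = FortifyXMLParser(file, test)
    elif scan_type == 'SonarQube Scan':
        parser = SonarQubeHtmlParser(file, test)
    elif scan_type == 'MobSF Scan':
        parser = MobSFParser(file, test)
    elif scan_type == 'AWS Scout2 Scan':
        parser = AWSScout2Parser(file, test)
    elif scan_type == 'AWS Prowler Scan':
        parser = AWSProwlerParser(file, test)
    elif scan_type == 'Brakeman Scan':
        parser = BrakemanScanParser(file, test)
    elif scan_type == 'SpotBugs Scan':
        parser = SpotbugsXMLParser(file, test)
    elif scan_type == 'Safety Scan':
        parser = SafetyParser(file, test)
    elif scan_type == 'DawnScanner Scan':
        parser = DawnScannerParser(file, test)
    elif scan_type == 'Anchore Engine Scan':
        parser = AnchoreEngineScanParser(file, test)
    elif scan_type == 'Bundler-Audit Scan':
        parser = BundlerAuditParser(file, test)
    elif scan_type == 'Twistlock Image Scan':
        parser = TwistlockParser(file, test)
    elif scan_type == 'IBM AppScan DAST':
        parser = IbmAppScanDASTXMLParser(file, test)
    elif scan_type == 'Kiuwan Scan':
        parser = KiuwanCSVParser(file, test)
    elif scan_type == 'Blackduck Hub Scan':
        parser = BlackduckHubCSVParser(file, test)
    elif scan_type == 'Sonatype Application Scan':
        parser = SonatypeJSONParser(file, test)
    elif scan_type == 'Openscap Vulnerability Scan':
        parser = OpenscapXMLParser(file, test)
    elif scan_type == 'Immuniweb Scan':
        parser = ImmuniwebXMLParser(file, test)
    elif scan_type == 'Wapiti Scan':
        parser = WapitiXMLParser(file, test)
    elif scan_type == 'Cobalt.io Scan':
        parser = CobaltCSVParser(file, test)
    elif scan_type == 'Mozilla Observatory Scan':
        parser = MozillaObservatoryJSONParser(file, test)
    elif scan_type == 'Whitesource Scan':
        parser = WhitesourceJSONParser(file, test)
    elif scan_type == 'Microfocus Webinspect Scan':
        parser = MicrofocusWebinspectXMLParser(file, test)
    elif scan_type == 'Wpscan':
        parser = WpscanJSONParser(file, test)
    elif scan_type == 'Sslscan':
        parser = SslscanXMLParser(file, test)
    elif scan_type == 'JFrog Xray Scan':
        parser = XrayJSONParser(file, test)
    elif scan_type == 'Sslyze Scan':
        parser = SslyzeXmlParser(file, test)
    elif scan_type == 'Testssl Scan':
        parser = TestsslCSVParser(file, test)
    elif scan_type == 'Hadolint Dockerfile check':
        parser = HadolintParser(file, test)
    else:
        raise ValueError('Unknown Test Type')
    return parser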
def test_detailed_parse_file_with_single_vulnerability_has_single_finding(self):
    """Detailed mode: one Checkmarx result yields one finding with the per-path SAST fields.

    The assertions shared with the aggregated parser live in
    check_parse_file_with_single_vulnerability_has_single_finding.  This test
    pins what differs in 'detailed' mode: the description carries a '-----'
    separator before the first path node, ``line`` is the sink line,
    unique_id_from_tool and the sast_* attributes are populated, and
    nb_occurences is None because nothing was merged.
    """
    file_handle, _product, _engagement, test = self.init("dojo/unittests/scans/checkmarx/single_finding.xml")
    self.parser = CheckmarxXMLParser(file_handle, test, 'detailed')
    self.teardown(file_handle)

    # Verifications common to both parsers
    self.check_parse_file_with_single_vulnerability_has_single_finding(self.parser)

    finding = self.parser.items[0]
    expected_description = (
        "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
        "**Language:** Java\n"
        "**Group:** Java High Risk\n"
        "**Status:** New\n"
        "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
        "\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 59\n"
        "**Source Object:** executeQuery\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 27\n"
        "**Source Object:** results\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 46\n"
        "**Column:** 28\n"
        "**Source Object:** results\n"
        "**Number:** 46\n"
        "**Code:** while (results.next()) {\n"
        "-----\n"
        "**Line Number:** 47\n"
        "**Column:** 34\n"
        "**Source Object:** results\n"
        "**Number:** 47\n"
        "**Code:** int id = results.getInt(0);\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 64\n"
        "**Source Object:** getString\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 36\n"
        "**Source Object:** put\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 54\n"
        "**Column:** 25\n"
        "**Source Object:** userMap\n"
        "**Number:** 54\n"
        "**Code:** userMap.put(\"loginCOunt\",Integer.toString(results.getInt(6)));\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 44\n"
        "**Source Object:** userMap\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 40\n"
        "**Source Object:** put\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 58\n"
        "**Column:** 28\n"
        "**Source Object:** allUsersMap\n"
        "**Number:** 58\n"
        "**Code:** return allUsersMap;\n"
        "-----\n"
    )
    self.assertIs(type(finding.description), str)
    self.assertMultiLineEqual(expected_description, finding.description)

    # Fields that differ from the aggregated scanner.  unique_id_from_tool is
    # the same value as the pathid in the finding link above.
    expected_strings = {
        "line": "58",
        "unique_id_from_tool": "28",
        "sast_source_object": "executeQuery",
        "sast_sink_object": "allUsersMap",
        "sast_source_line": "39",
        "sast_source_file_path": "WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java",
    }
    for attribute, expected in expected_strings.items():
        value = getattr(finding, attribute)
        self.assertIs(type(value), str)
        self.assertEqual(expected, value)
    # Nothing was aggregated in detailed mode, so there is no occurrence count.
    self.assertIs(finding.nb_occurences, None)
def test_detailed_parse_file_with_utf8_various_non_ascii_char(self):
    """Detailed mode preserves Latin-1 Supplement / Latin Extended-A characters verbatim.

    The fixture decorates the first source object, one code line and the sink
    object with the run U+00A1..U+017F (and a lone U+0192 elsewhere).  The
    shared checks run first; this test then pins the detailed-mode description
    and the sink line, confirming no character was dropped or mangled.
    """
    file_handle, _product, _engagement, test = self.init("dojo/unittests/scans/checkmarx/utf8_various_non_ascii_char.xml")
    self.parser = CheckmarxXMLParser(file_handle, test, 'detailed')
    self.teardown(file_handle)

    # Verifications common to both parsers
    self.check_parse_file_with_utf8_various_non_ascii_char(self.parser)

    finding = self.parser.items[0]
    expected_description = (
        "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
        "**Language:** Java\n"
        "**Group:** Java High Risk\n"
        "**Status:** New\n"
        "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
        "\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 59\n"
        "**Source Object:** executeQuery¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 27\n"
        "**Source Object:** results\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);//all latins non ascii with extended: U+00A1 to U+017F (ref https://www.utf8-chartable.de/unicode-utf8-table.pl): ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
        "-----\n"
        "**Line Number:** 46\n"
        "**Column:** 28\n"
        "**Source Object:** results\n"
        "**Number:** 46\n"
        "**Code:** while (results.next()) { // other: ƒ\n"
        "-----\n"
        "**Line Number:** 47\n"
        "**Column:** 34\n"
        "**Source Object:** results\n"
        "**Number:** 47\n"
        "**Code:** int id = results.getInt(0);\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 64\n"
        "**Source Object:** getString\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 36\n"
        "**Source Object:** put\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 54\n"
        "**Column:** 25\n"
        "**Source Object:** userMap\n"
        "**Number:** 54\n"
        "**Code:** userMap.put(\"loginCOunt\",Integer.toString(results.getInt(6)));\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 44\n"
        "**Source Object:** userMap\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 40\n"
        "**Source Object:** put\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 58\n"
        "**Column:** 28\n"
        "**Source Object:** allUsersMap¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
        "**Number:** 58\n"
        "**Code:** return allUsersMap;\n"
        "-----\n"
    )
    self.assertIs(type(finding.description), str)
    self.assertMultiLineEqual(expected_description, finding.description)

    # Fields that differ from the aggregated scanner: line is the sink line.
    self.assertIs(type(finding.line), str)
    self.assertEqual("58", finding.line)
def test_detailed_parse_file_with_utf8_replacement_char(self):
    """Detailed mode passes U+FFFD (the Unicode replacement character) through untouched.

    The fixture appends the replacement character to the first source object,
    a code line and the sink object; the parser must neither strip it nor
    raise on it.  Shared checks run first, then the detailed-mode description
    and the sink line are pinned.
    """
    file_handle, _product, _engagement, test = self.init("dojo/unittests/scans/checkmarx/utf8_replacement_char.xml")
    self.parser = CheckmarxXMLParser(file_handle, test, 'detailed')
    self.teardown(file_handle)

    # Verifications common to both parsers
    self.check_parse_file_with_utf8_replacement_char(self.parser)

    finding = self.parser.items[0]
    expected_description = (
        "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
        "**Language:** Java\n"
        "**Group:** Java High Risk\n"
        "**Status:** New\n"
        "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
        "\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 59\n"
        "**Source Object:** executeQuery�\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);//�\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 27\n"
        "**Source Object:** results\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 46\n"
        "**Column:** 28\n"
        "**Source Object:** results\n"
        "**Number:** 46\n"
        "**Code:** while (results.next()) {\n"
        "-----\n"
        "**Line Number:** 47\n"
        "**Column:** 34\n"
        "**Source Object:** results\n"
        "**Number:** 47\n"
        "**Code:** int id = results.getInt(0);\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 64\n"
        "**Source Object:** getString\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 36\n"
        "**Source Object:** put\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 54\n"
        "**Column:** 25\n"
        "**Source Object:** userMap\n"
        "**Number:** 54\n"
        "**Code:** userMap.put(\"loginCOunt\",Integer.toString(results.getInt(6)));\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 44\n"
        "**Source Object:** userMap\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 40\n"
        "**Source Object:** put\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 58\n"
        "**Column:** 28\n"
        "**Source Object:** allUsersMap�\n"
        "**Number:** 58\n"
        "**Code:** return allUsersMap;\n"
        "-----\n"
    )
    self.assertIs(type(finding.description), str)
    self.assertMultiLineEqual(expected_description, finding.description)

    # Fields that differ from the aggregated scanner: line is the sink line.
    self.assertIs(type(finding.line), str)
    self.assertEqual("58", finding.line)
def test_detailed_parse_file_with_same_sourceFilename_different_sinkFilename_is_not_aggregated(self):
    """Detailed mode keeps two results apart even though they share a source filename.

    The fixture's two results have the same source file but different sink
    files.  Since 'detailed' mode does not merge on sink filename, both are
    expected to survive as separate items.
    """
    fixture = "dojo/unittests/scans/checkmarx/multiple_findings_same_sourceFilename_different_sinkFilename.xml"
    file_handle, _product, _engagement, test = self.init(fixture)
    parsed = CheckmarxXMLParser(file_handle, test, 'detailed')
    self.parser = parsed
    self.teardown(file_handle)
    self.assertEqual(2, len(parsed.items))
def test_detailed_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self):
    """Detailed mode reports every Checkmarx result: three in, three out.

    Contrast with the aggregated parser, which folds the same fixture down to
    two findings by merging on sink filename.
    """
    fixture = "dojo/unittests/scans/checkmarx/multiple_findings.xml"
    file_handle, _product, _engagement, test = self.init(fixture)
    parsed = CheckmarxXMLParser(file_handle, test, 'detailed')
    self.parser = parsed
    self.teardown(file_handle)
    self.assertEqual(3, len(parsed.items))
def test_file_name_aggregated_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self):
    """Aggregated mode folds the fixture's three Checkmarx results into two findings.

    Aggregation keys on the sink filename only (not on source filename, source
    line, sink filename and sink line together), so two of the three results
    collapse into one item.
    """
    fixture = "dojo/unittests/scans/checkmarx/multiple_findings.xml"
    file_handle, _product, _engagement, test = self.init(fixture)
    parsed = CheckmarxXMLParser(file_handle, test)
    self.parser = parsed
    self.teardown(file_handle)
    # checkmarx says 3 but we're down to 2 due to the aggregation on sink filename
    # rather than source filename + source line number + sink filename + sink line number
    self.assertEqual(2, len(parsed.items))
def test_detailed_parse_file_with_false_positive_is_false_positive(self):
    """Detailed mode: a result marked false positive in Checkmarx is imported as such.

    The actual assertions are shared with the aggregated parser and live in
    check_parse_file_with_false_positive_is_false_positive.
    """
    fixture = "dojo/unittests/scans/checkmarx/single_finding_false_positive.xml"
    file_handle, _product, _engagement, test = self.init(fixture)
    parsed = CheckmarxXMLParser(file_handle, test, 'detailed')
    self.parser = parsed
    self.teardown(file_handle)
    # Verifications common to both parsers
    self.check_parse_file_with_false_positive_is_false_positive(parsed)
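def test_parse_file_with_utf8_various_non_ascii_char(self):
    """Aggregated mode preserves Latin-1 Supplement / Latin Extended-A characters verbatim.

    The fixture decorates one code line and the file path with the run
    U+00A1..U+017F (and a lone U+0192 elsewhere).  Every imported field of the
    single resulting finding is pinned, type and value.  The fixture is opened
    with a context manager so the handle is released even if the parser
    raises; the former explicit ``close()`` after construction offered no such
    guarantee.
    """
    product = Product()
    engagement = Engagement()
    test = Test()
    engagement.product = product
    test.engagement = engagement
    with open("dojo/unittests/scans/checkmarx/utf8_various_non_ascii_char.xml") as my_file_handle:
        self.parser = CheckmarxXMLParser(my_file_handle, test)

    self.assertEqual(1, len(self.parser.items))
    # check content
    item = self.parser.items[0]
    self.assertEqual(str, type(self.parser.items[0].title))
    self.assertEqual("Stored XSS (Users.java)", item.title)
    self.assertEqual(int, type(item.cwe))
    self.assertEqual(79, item.cwe)
    # Import-time flags: a freshly parsed finding is neither active nor verified.
    self.assertEqual(bool, type(item.active))
    self.assertEqual(False, item.active)
    self.assertEqual(bool, type(item.verified))
    self.assertEqual(False, item.verified)
    # Aggregated description: no '-----' separator before the first path node.
    self.assertEqual(str, type(item.description))
    self.assertMultiLineEqual(
        "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
        "**Language:** Java\n"
        "**Group:** Java High Risk\n"
        "**Status:** New\n"
        "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
        "\n"
        "**Line Number:** 39\n"
        "**Column:** 59\n"
        "**Source Object:** executeQuery\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 27\n"
        "**Source Object:** results\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);//all latins non ascii with extended: U+00A1 to U+017F (ref https://www.utf8-chartable.de/unicode-utf8-table.pl): ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ\n"
        "-----\n"
        "**Line Number:** 46\n"
        "**Column:** 28\n"
        "**Source Object:** results\n"
        "**Number:** 46\n"
        "**Code:** while (results.next()) { // other: ƒ\n"
        "-----\n"
        "**Line Number:** 47\n"
        "**Column:** 34\n"
        "**Source Object:** results\n"
        "**Number:** 47\n"
        "**Code:** int id = results.getInt(0);\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 64\n"
        "**Source Object:** getString\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 36\n"
        "**Source Object:** put\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 54\n"
        "**Column:** 25\n"
        "**Source Object:** userMap\n"
        "**Number:** 54\n"
        "**Code:** userMap.put(\"loginCOunt\",Integer.toString(results.getInt(6)));\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 44\n"
        "**Source Object:** userMap\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 40\n"
        "**Source Object:** put\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 58\n"
        "**Column:** 28\n"
        "**Source Object:** allUsersMap\n"
        "**Number:** 58\n"
        "**Code:** return allUsersMap;\n"
        "-----\n",
        item.description)
    self.assertEqual(str, type(item.severity))
    self.assertEqual("High", item.severity)
    self.assertEqual(str, type(item.numerical_severity))
    self.assertEqual("S1", item.numerical_severity)
    self.assertEqual(str, type(item.mitigation))
    self.assertEqual("N/A", item.mitigation)
    self.assertEqual(str, type(item.references))
    self.assertEqual("", item.references)
    # The non-ASCII path segment must come through unchanged.
    self.assertEqual(str, type(item.file_path))
    self.assertEqual(
        "WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠšŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ/Users.java",
        item.file_path)
    self.assertEqual(str, type(item.line))
    self.assertEqual("58", item.line)
    self.assertEqual(str, type(item.url))
    self.assertEqual("N/A", item.url)
    # ScanStart
    self.assertEqual(datetime.datetime, type(item.date))
    self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), item.date)
    self.assertEqual(bool, type(item.static_finding))
    self.assertEqual(True, item.static_finding)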
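def test_parse_file_with_single_vulnerability_has_single_finding(self):
    """Aggregated mode: one Checkmarx result yields one finding with every field populated.

    Builds a minimal Product -> Engagement -> Test chain, parses the fixture
    and pins type and value of each imported field.  The fixture is opened
    with a context manager so the handle is released even if the parser
    raises; the former explicit ``close()`` after construction offered no such
    guarantee.
    """
    product = Product()
    engagement = Engagement()
    test = Test()
    engagement.product = product
    test.engagement = engagement
    with open("dojo/unittests/scans/checkmarx/single_finding.xml") as my_file_handle:
        self.parser = CheckmarxXMLParser(my_file_handle, test)

    self.assertEqual(1, len(self.parser.items))
    # check content
    item = self.parser.items[0]
    self.assertEqual(str, type(self.parser.items[0].title))
    self.assertEqual("Stored XSS (Users.java)", item.title)
    self.assertEqual(int, type(item.cwe))
    self.assertEqual(79, item.cwe)
    # Import-time flags: a freshly parsed finding is neither active nor verified.
    self.assertEqual(bool, type(item.active))
    self.assertEqual(False, item.active)
    self.assertEqual(bool, type(item.verified))
    self.assertEqual(False, item.verified)
    # Aggregated description: no '-----' separator before the first path node.
    self.assertEqual(str, type(item.description))
    self.assertMultiLineEqual(
        "**Category:** PCI DSS v3.2;PCI DSS (3.2) - 6.5.7 - Cross-site scripting (XSS),OWASP Top 10 2013;A3-Cross-Site Scripting (XSS),FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-15 Information Output Filtering (P0),OWASP Top 10 2017;A7-Cross-Site Scripting (XSS)\n"
        "**Language:** Java\n"
        "**Group:** Java High Risk\n"
        "**Status:** New\n"
        "**Finding Link:** [https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28](https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&projectid=121&pathid=28)\n"
        "\n"
        "**Line Number:** 39\n"
        "**Column:** 59\n"
        "**Source Object:** executeQuery\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 39\n"
        "**Column:** 27\n"
        "**Source Object:** results\n"
        "**Number:** 39\n"
        "**Code:** ResultSet results = statement.executeQuery(query);\n"
        "-----\n"
        "**Line Number:** 46\n"
        "**Column:** 28\n"
        "**Source Object:** results\n"
        "**Number:** 46\n"
        "**Code:** while (results.next()) {\n"
        "-----\n"
        "**Line Number:** 47\n"
        "**Column:** 34\n"
        "**Source Object:** results\n"
        "**Number:** 47\n"
        "**Code:** int id = results.getInt(0);\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 64\n"
        "**Source Object:** getString\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 53\n"
        "**Column:** 36\n"
        "**Source Object:** put\n"
        "**Number:** 53\n"
        "**Code:** userMap.put(\"cookie\", results.getString(5));\n"
        "-----\n"
        "**Line Number:** 54\n"
        "**Column:** 25\n"
        "**Source Object:** userMap\n"
        "**Number:** 54\n"
        "**Code:** userMap.put(\"loginCOunt\",Integer.toString(results.getInt(6)));\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 44\n"
        "**Source Object:** userMap\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 55\n"
        "**Column:** 40\n"
        "**Source Object:** put\n"
        "**Number:** 55\n"
        "**Code:** allUsersMap.put(id,userMap);\n"
        "-----\n"
        "**Line Number:** 58\n"
        "**Column:** 28\n"
        "**Source Object:** allUsersMap\n"
        "**Number:** 58\n"
        "**Code:** return allUsersMap;\n"
        "-----\n",
        item.description)
    self.assertEqual(str, type(item.severity))
    self.assertEqual("High", item.severity)
    self.assertEqual(str, type(item.numerical_severity))
    self.assertEqual("S1", item.numerical_severity)
    self.assertEqual(str, type(item.mitigation))
    self.assertEqual("N/A", item.mitigation)
    self.assertEqual(str, type(item.references))
    self.assertEqual("", item.references)
    self.assertEqual(str, type(item.file_path))
    self.assertEqual(
        "WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java",
        item.file_path)
    self.assertEqual(str, type(item.line))
    self.assertEqual("58", item.line)
    self.assertEqual(str, type(item.url))
    self.assertEqual("N/A", item.url)
    # ScanStart
    self.assertEqual(datetime.datetime, type(item.date))
    self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), item.date)
    self.assertEqual(bool, type(item.static_finding))
    self.assertEqual(True, item.static_finding)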
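def import_parser_factory(file, test, active, verified, scan_type=None):
    """Return the report parser that handles ``scan_type``.

    Args:
        file: The uploaded report (file-like). Only the Nessus branch looks at
            its ``name`` (to pick CSV vs XML); the SonarQube API importer does
            not use it at all.
        test: The ``Test`` the findings belong to. ``test.test_type.name`` is
            used as the scan type when ``scan_type`` is not given.
        active: Forwarded to ``GenericFindingUploadCsvParser`` only.
        verified: Forwarded to ``GenericFindingUploadCsvParser`` only.
        scan_type: Explicit scan type; defaults to ``test.test_type.name``.

    Returns:
        A constructed parser instance for the given scan type.

    Raises:
        ValueError: The scan type is not supported, or a Nessus report has an
            extension other than ``csv``, ``xml`` or ``nessus``.
    """
    if scan_type is None:
        scan_type = test.test_type.name

    # Parsers whose construction differs from the plain ``Parser(file, test)``.
    if scan_type == "Nessus Scan":
        filename = file.name.lower()
        if filename.endswith("csv"):
            return NessusCSVParser(file, test)
        if filename.endswith("xml") or filename.endswith("nessus"):
            return NessusXMLParser(file, test)
        # Any other extension used to fall through with ``parser`` unbound
        # and surface as UnboundLocalError; report it like other bad input.
        raise ValueError('Unsupported Nessus file extension: %s' % filename)
    if scan_type == "Checkmarx Scan detailed":
        return CheckmarxXMLParser(file, test, 'detailed')
    if scan_type == 'Generic Findings Import':
        return GenericFindingUploadCsvParser(file, test, active, verified)
    if scan_type == 'SonarQube Scan detailed':
        return SonarQubeHtmlParser(file, test, 'detailed')
    if scan_type == SCAN_SONARQUBE_API:
        return SonarQubeApiImporter(test)

    # Everything else is ``Parser(file, test)``.  The table lives inside the
    # function so the class names are looked up at call time, not import time.
    parsers = {
        "Burp Scan": BurpXmlParser,
        "Burp Enterprise Scan": BurpEnterpriseHtmlParser,
        "Clair Scan": ClairParser,
        "Nmap Scan": NmapXMLParser,
        "Nikto Scan": NiktoXMLParser,
        "Nexpose Scan": NexposeFullXmlParser,
        "Veracode Scan": VeracodeXMLParser,
        "Checkmarx Scan": CheckmarxXMLParser,
        "Contrast Scan": ContrastCSVParser,
        "Crashtest Security JSON File": CrashtestSecurityJsonParser,
        "Crashtest Security XML File": CrashtestSecurityXmlParser,
        "Bandit Scan": BanditParser,
        "ESLint Scan": ESLintParser,
        "ZAP Scan": ZapXmlParser,
        "AppSpider Scan": AppSpiderXMLParser,
        "Arachni Scan": ArachniJSONParser,
        'VCG Scan': VCGParser,
        'Dependency Check Scan': DependencyCheckParser,
        'Dependency Track Finding Packaging Format (FPF) Export': DependencyTrackParser,
        'Retire.js Scan': RetireJsParser,
        'Node Security Platform Scan': NspParser,
        'NPM Audit Scan': NpmAuditParser,
        'PHP Symfony Security Check': PhpSymfonySecurityCheckParser,
        'Qualys Scan': QualysParser,
        'Qualys Infrastructure Scan (WebGUI XML)': QualysInfraScanParser,
        'Qualys Webapp Scan': QualysWebAppParser,
        "OpenVAS CSV": OpenVASUploadCsvParser,
        'Snyk Scan': SnykParser,
        'SKF Scan': SKFCsvParser,
        'SSL Labs Scan': SSLlabsParser,
        'Trufflehog Scan': TruffleHogJSONParser,
        'Clair Klar Scan': ClairKlarParser,
        'Gosec Scanner': GosecScannerParser,
        'Trustwave Scan (CSV)': TrustwaveUploadCsvParser,
        'Netsparker Scan': NetsparkerParser,
        'PHP Security Audit v2': PhpSecurityAuditV2,
        'Acunetix Scan': AcunetixScannerParser,
        'Fortify Scan': FortifyXMLParser,
        'SonarQube Scan': SonarQubeHtmlParser,
        'MobSF Scan': MobSFParser,
        'AWS Scout2 Scan': AWSScout2Parser,
        'AWS Prowler Scan': AWSProwlerParser,
        'Brakeman Scan': BrakemanScanParser,
        'SpotBugs Scan': SpotbugsXMLParser,
        'Safety Scan': SafetyParser,
        'DawnScanner Scan': DawnScannerParser,
        'Anchore Engine Scan': AnchoreEngineScanParser,
        'Bundler-Audit Scan': BundlerAuditParser,
        'Twistlock Image Scan': TwistlockParser,
        'IBM AppScan DAST': IbmAppScanDASTXMLParser,
        'Kiuwan Scan': KiuwanCSVParser,
        'Blackduck Hub Scan': BlackduckHubCSVParser,
        'Blackduck Component Risk': BlackduckHubParser,
        'Sonatype Application Scan': SonatypeJSONParser,
        'Openscap Vulnerability Scan': OpenscapXMLParser,
        'Immuniweb Scan': ImmuniwebXMLParser,
        'Wapiti Scan': WapitiXMLParser,
        'Cobalt.io Scan': CobaltCSVParser,
        'Mozilla Observatory Scan': MozillaObservatoryJSONParser,
        'Whitesource Scan': WhitesourceJSONParser,
        'Microfocus Webinspect Scan': MicrofocusWebinspectXMLParser,
        'Wpscan': WpscanJSONParser,
        'Sslscan': SslscanXMLParser,
        'JFrog Xray Scan': XrayJSONParser,
        'Sslyze Scan': SslyzeXmlParser,
        'Testssl Scan': TestsslCSVParser,
        'Hadolint Dockerfile check': HadolintParser,
        'Aqua Scan': AquaJSONParser,
        'HackerOne Cases': HackerOneJSONParser,
        'Xanitizer Scan': XanitizerXMLParser,
        'Trivy Scan': TrivyParser,
        'Outpost24 Scan': Outpost24Parser,
        'DSOP Scan': DsopParser,
        'Anchore Enterprise Policy Check': AnchoreEnterprisePolicyCheckParser,
        'Gitleaks Scan': GitleaksJSONParser,
        'Harbor Vulnerability Scan': HarborVulnerabilityParser,
        'Github Vulnerability Scan': GithubVulnerabilityParser,
        'Choctaw Hog Scan': ChoctawhogParser,
        'GitLab SAST Report': GitlabSastReportParser,
        'Yarn Audit Scan': YarnAuditParser,
        'BugCrowd Scan': BugCrowdCSVParser,
        'HuskyCI Report': HuskyCIReportParser,
        'CCVS Report': CCVSReportParser,
    }
    if scan_type not in parsers:
        raise ValueError('Unknown Test Type')
    return parsers[scan_type](file, test)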
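def import_parser_factory(file, test, scan_type=None):
    """Return the report parser that handles ``scan_type``.

    Args:
        file: The uploaded report (file-like). Only the Nessus branch looks at
            its ``name`` to choose between the CSV and XML parsers.
        test: The ``Test`` the findings belong to. ``test.test_type.name`` is
            used as the scan type when ``scan_type`` is not given.
        scan_type: Explicit scan type; defaults to ``test.test_type.name``.

    Returns:
        A constructed parser instance for the given scan type.

    Raises:
        ValueError: The scan type is not supported, or a Nessus report has an
            extension other than ``csv``, ``xml`` or ``nessus``.
    """
    if scan_type is None:
        scan_type = test.test_type.name

    # Nessus is the one scan type whose parser depends on the file extension.
    if scan_type == "Nessus Scan":
        filename = file.name.lower()
        if filename.endswith("csv"):
            return NessusCSVParser(file, test)
        if filename.endswith("xml") or filename.endswith("nessus"):
            return NessusXMLParser(file, test)
        # Any other extension used to fall through with ``parser`` unbound
        # and surface as UnboundLocalError; report it like other bad input.
        raise ValueError('Unsupported Nessus file extension: %s' % filename)

    # Everything else is ``Parser(file, test)``.  The table lives inside the
    # function so the class names are looked up at call time, not import time.
    parsers = {
        "Burp Scan": BurpXmlParser,
        "Clair Scan": ClairParser,
        "Nmap Scan": NmapXMLParser,
        "Nikto Scan": NiktoXMLParser,
        "Nexpose Scan": NexposeFullXmlParser,
        "Veracode Scan": VeracodeXMLParser,
        "Checkmarx Scan": CheckmarxXMLParser,
        "Contrast Scan": ContrastCSVParser,
        "Crashtest Security Scan": CrashtestSecurityXmlParser,
        "Bandit Scan": BanditParser,
        "ZAP Scan": ZapXmlParser,
        "AppSpider Scan": AppSpiderXMLParser,
        "Arachni Scan": ArachniJSONParser,
        'VCG Scan': VCGParser,
        'Dependency Check Scan': DependencyCheckParser,
        'Retire.js Scan': RetireJsParser,
        'Node Security Platform Scan': NspParser,
        'NPM Audit Scan': NpmAuditParser,
        'Generic Findings Import': GenericFindingUploadCsvParser,
        'Qualys Scan': QualysParser,
        'Qualys Webapp Scan': QualysWebAppParser,
        "OpenVAS CSV": OpenVASUploadCsvParser,
        'Snyk Scan': SnykParser,
        'SKF Scan': SKFCsvParser,
        'SSL Labs Scan': SSLlabsParser,
        'Trufflehog Scan': TruffleHogJSONParser,
        'Clair Klar Scan': ClairKlarParser,
        'Gosec Scanner': GosecScannerParser,
        'Trustwave Scan (CSV)': TrustwaveUploadCsvParser,
        'Netsparker Scan': NetsparkerParser,
        'PHP Security Audit v2': PhpSecurityAuditV2,
        'Acunetix Scan': AcunetixScannerParser,
        'Fortify Scan': FortifyXMLParser,
        'SonarQube Scan': SonarQubeHtmlParser,
        'MobSF Scan': MobSFParser,
        'AWS Scout2 Scan': AWSScout2Parser,
        'AWS Prowler Scan': AWSProwlerParser,
        'Brakeman Scan': BrakemanScanParser,
        'SpotBugs Scan': SpotbugsXMLParser,
        'Safety Scan': SafetyParser,
    }
    if scan_type not in parsers:
        raise ValueError('Unknown Test Type')
    return parsers[scan_type](file, test)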
def test_detailed_parse_file_with_no_vulnerabilities_has_no_findings(self):
    """Detailed mode on an empty Checkmarx report produces no findings."""
    fixture = "dojo/unittests/scans/checkmarx/no_finding.xml"
    handle, _product, _engagement, test = self.init(fixture)
    parser = CheckmarxXMLParser(handle, test, 'detailed')
    self.parser = parser
    self.teardown(handle)
    # shared assertions for the "no findings" case live in the helper
    self.check_parse_file_with_no_vulnerabilities_has_no_findings(parser)