
Commit 803b93d

fix: add unmapped CWE/finding warnings to all parsers
Closes #7 18 parser files updated to print a console message when they encounter an unmapped vulnerability type or CWE number. No changes to scoring logic or return values — only console output added. Parsers that silently dropped findings now print WARNING. Parsers that silently passed CWEs through now print INFO. ShiftLeftReader: changed RuntimeException to warning + continue. HCLAppScanSourceReader: removed -DDEBUG gate on warnings. VisualCodeGrepperReader: uncommented existing warning println.
1 parent ee31e2d commit 803b93d

18 files changed

Lines changed: 42 additions & 9 deletions

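--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanDynamicReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanDynamicReader.java
@@ -198,6 +198,8 @@ private int translate(int id) {
 // case "Weak Encryption" : return 327;
 // case "XPath Injection" : return 643;
 }
+System.out.println(
+"INFO: AppScan Dynamic - unmapped CWE: " + id + ". Passing through as-is.");
 return id;
 }
 }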

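--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanSourceReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/AppScanSourceReader.java
@@ -178,6 +178,7 @@ private int cweLookup(String vtype) {
 case "Vulnerability.Validation.Required":
 return CweNumber.TRUST_BOUNDARY_VIOLATION;
 }
+System.out.println("WARNING: AppScan Source-Unmapped finding type: " + vtype);
 return 0;
 }
 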
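Review bot: The message format of the new WARNING (`"WARNING: AppScan Source-Unmapped finding type: "`) differs from the `"<Tool> - unmapped ..."` form used in the other hunks of this commit, which makes the lines harder to grep consistently; the Coverity and Fluid Attacks WARNINGs use the same hyphen-joined form. Suggest `System.out.println("WARNING: AppScan Source - unmapped finding type: " + vtype + ". Returning CWE 0.");` so the reader also sees the consequence, which per the commit description is that the finding is dropped. The start of cweLookup() is outside this hunk.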

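--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BearerReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/BearerReader.java
@@ -60,6 +60,8 @@ private int translate(int cwe) {
 case 327:
 return CweNumber.WEAK_HASH_ALGO;
 default:
+System.out.println(
+"INFO: Bearer - unmapped CWE: " + cwe + ". Passing through as-is.");
 return cwe;
 }
 }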

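--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxESReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxESReader.java
@@ -127,6 +127,8 @@ private int translate(int cwe) {
 case 338:
 return CweNumber.WEAK_RANDOM;
 }
+System.out.println(
+"INFO: Checkmarx ES - unmapped CWE: " + cwe + ". Passing through as-is.");
 return cwe;
 }
 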

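--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CheckmarxReader.java
@@ -214,6 +214,8 @@ private int translate(int cwe) {
 case 338:
 return CweNumber.WEAK_RANDOM;
 }
+System.out.println(
+"INFO: Checkmarx - unmapped CWE: " + cwe + ". Passing through as-is.");
 return cwe;
 }
 }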

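--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CoverityReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CoverityReader.java
@@ -176,6 +176,12 @@ private TestCaseResult parseCoverityFindingV2(JSONObject finding) {
 cwe_string = "89";
 } else if (checker_name.equals("ldap_injection")) {
 cwe_string = "90";
+} else {
+System.out.println(
+"WARNING: Coverity-Unmapped checker: "
++ checker_name
++ " / "
++ subcategory);
 }
 int cwe = fixCWE(cwe_string);
 if (cwe <= 0) {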

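--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/FluidAttacksReader.java
@@ -100,6 +100,7 @@ private static Integer categoryToExpectedCwe(String cwe) {
 case "xpathi":
 return 643;
 default:
+System.out.println("WARNING: Fluid Attacks-Unmapped category: " + cwe);
 return 0;
 }
 }
@@ -131,6 +132,8 @@ private static String cweToCategory(String cwe) {
 case "643":
 return "xpathi";
 default:
+System.out.println(
+"INFO: Fluid Attacks - unmapped CWE: " + cwe + ". Categorized as other.");
 return "other";
 }
 }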

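--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
@@ -167,8 +167,6 @@ private int cweLookup(String vtype) {
 }
 
 private void reportWarning(String message) {
-if (System.getProperty("DEBUG") != null) {
-System.out.println(message);
-}
+System.out.println(message);
 }
 }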

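--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanStandardReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanStandardReader.java
@@ -138,6 +138,12 @@ private int cweLookup(String vtype, int xmlCwe) {
 return CweNumber.DONTCARE;
 }
 
+System.out.println(
+"INFO: HCL AppScan Standard - unmapped finding type: "
++ vtype
++ " (CWE "
++ xmlCwe
++ "). Passing through as-is.");
 return xmlCwe;
 }
 }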

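--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KiuwanReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/KiuwanReader.java
@@ -125,10 +125,11 @@ private int fixCWE(String cweNumber) {
 
 if (cwe == 564) {
 cwe = CweNumber.SQL_INJECTION;
-}
-
-if (cwe == 77) {
+} else if (cwe == 77) {
 cwe = CweNumber.COMMAND_INJECTION;
+} else {
+System.out.println(
+"INFO: Kiuwan - unmapped CWE: " + cwe + ". Passing through as-is.");
 }
 return cwe;
 }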
