From b7932c50d863de403d47e2a1297d7df3e63f921a Mon Sep 17 00:00:00 2001 From: seqradev Date: Thu, 29 Jan 2026 18:38:09 +0300 Subject: [PATCH 1/4] Add Seqra SARIF reader support Add support for Seqra security static analysis tool: - SeqraReader.java: SARIF reader using CweSourceType.TAG - SeqraReaderTest.java: Unit tests for the reader - Benchmark_Seqra.sarif: Test data file - Register reader in Reader.java --- .../benchmarkutils/score/parsers/Reader.java | 2 + .../score/parsers/sarif/SeqraReader.java | 60 ++++ .../score/parsers/sarif/SeqraReaderTest.java | 74 +++++ .../resources/testfiles/Benchmark_Seqra.sarif | 306 ++++++++++++++++++ 4 files changed, 442 insertions(+) create mode 100644 plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java create mode 100644 plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReaderTest.java create mode 100644 plugin/src/test/resources/testfiles/Benchmark_Seqra.sarif diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java index fd38ccbf..62c3c9d1 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java @@ -38,6 +38,7 @@ import org.owasp.benchmarkutils.score.parsers.sarif.PTAIReader; import org.owasp.benchmarkutils.score.parsers.sarif.PrecautionReader; import org.owasp.benchmarkutils.score.parsers.sarif.SemgrepSarifReader; +import org.owasp.benchmarkutils.score.parsers.sarif.SeqraReader; import org.owasp.benchmarkutils.score.parsers.sarif.SnykReader; import org.w3c.dom.NamedNodeMap; import org.w3c.dom.Node; @@ -103,6 +104,7 @@ public static List allReaders() { new SemgrepReader(), new SemgrepCSVReader(), new SemgrepSarifReader(), + new SeqraReader(), new ShiftLeftReader(), new ShiftLeftScanReader(), new SnappyTickReader(), diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java new file mode 100644 index 00000000..891306c2 --- /dev/null +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java @@ -0,0 +1,60 @@ +/** + * OWASP Benchmark Project + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Seqra Team + * @created 2026 + */ +package org.owasp.benchmarkutils.score.parsers.sarif; + +import org.owasp.benchmarkutils.score.CweNumber; +import org.owasp.benchmarkutils.score.ResultFile; + +/** + * This reader is made for Seqra, a security static analysis tool. It uses the SARIF file produced + * by the tool. + */ +public class SeqraReader extends SarifReader { + + public SeqraReader() { + super("Seqra", false, CweSourceType.TAG); + } + + @Override + public String toolName(ResultFile resultFile) { + return "Seqra"; + } + + /** + * Maps Seqra CWE numbers to Benchmark expected CWEs. + * + *

The SarifReader base class only uses the first CWE tag from each rule. Some Seqra rules + * have multiple CWE tags where the first one doesn't match Benchmark's expected CWE. This + * method provides ad-hoc mappings for such cases. + * + *

Example: The rule "java.security.cookie-issecure-false" has tags [CWE-319, CWE-614]. The + * parser picks CWE-319 (Cleartext Transmission), but Benchmark expects CWE-614 (Insecure + * Cookie) for the "securecookie" category. + */ + @Override + public int mapCwe(int cwe) { + switch (cwe) { + case 319: + // cookie-issecure-false rule has [CWE-319, CWE-614] + // Benchmark expects CWE-614 for securecookie category + return CweNumber.INSECURE_COOKIE; + default: + return cwe; + } + } +} diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReaderTest.java new file mode 100644 index 00000000..547a5339 --- /dev/null +++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReaderTest.java @@ -0,0 +1,74 @@ +/** + * OWASP Benchmark Project + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Seqra Team + * @created 2026 + */ +package org.owasp.benchmarkutils.score.parsers.sarif; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.owasp.benchmarkutils.score.BenchmarkScore; +import org.owasp.benchmarkutils.score.CweNumber; +import org.owasp.benchmarkutils.score.ResultFile; +import org.owasp.benchmarkutils.score.TestHelper; +import org.owasp.benchmarkutils.score.TestSuiteResults; +import org.owasp.benchmarkutils.score.parsers.ReaderTestBase; + +public class SeqraReaderTest extends ReaderTestBase { + + private ResultFile resultFile; + + @BeforeEach + void setUp() { + resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Seqra.sarif"); + BenchmarkScore.TESTCASENAME = "BenchmarkTest"; + } + + @Test + public void onlySeqraReaderTestReportsCanReadAsTrue() { + assertOnlyMatcherClassIs(this.resultFile, SeqraReader.class); + } + + @Test + void readerHandlesGivenResultFile() throws Exception { + SeqraReader reader = new SeqraReader(); + TestSuiteResults result = reader.parse(resultFile); + + assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); + assertEquals("Seqra", result.getToolName()); + assertEquals("v2.2.0", result.getToolVersion()); + assertFalse(result.isCommercial()); + + assertEquals(2, result.getTotalResults()); + + assertEquals(CweNumber.WEAK_HASH_ALGO, result.get(2670).get(0).getCWE()); + assertEquals(CweNumber.INSECURE_COOKIE, result.get(2710).get(0).getCWE()); + } + + @Test + void mapCweMapsInsecureCookieCwe() { + SeqraReader reader = new SeqraReader(); + + // CWE-319 (Cleartext Transmission) should map to CWE-614 (Insecure Cookie) + assertEquals(CweNumber.INSECURE_COOKIE, reader.mapCwe(319)); + + // Other CWEs should pass through unchanged + assertEquals(328, reader.mapCwe(328)); + assertEquals(327, reader.mapCwe(327)); + } +} diff --git a/plugin/src/test/resources/testfiles/Benchmark_Seqra.sarif b/plugin/src/test/resources/testfiles/Benchmark_Seqra.sarif new file mode 100644 index 00000000..286961d2 --- /dev/null +++ b/plugin/src/test/resources/testfiles/Benchmark_Seqra.sarif @@ -0,0 +1,306 @@ +{ + "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Seqra", + "organization": "Seqra", + "semanticVersion": "v2.2.0", + "rules": [ + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.", + "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." + }, + "id": "java.security.use-of-sha1", + "name": "java.security.use-of-sha1", + "properties": { + "tags": [ + "CWE-328" + ] + }, + "shortDescription": { + "text": "SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "markdown": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.", + "text": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks." + }, + "id": "java.security.cookie-issecure-false", + "name": "java.security.cookie-issecure-false", + "properties": { + "tags": [ + "CWE-319", + "CWE-614" + ] + }, + "shortDescription": { + "text": "Cleartext transmission of sensitive cookie value" + } + } + ] + } + }, + "results": [ + { + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "executionOrder": 0, + "kinds": [ + "taint" + ], + "location": { + "logicalLocations": [ + { + "decoratedName": "(id:69)org.owasp.benchmark.testcode.BenchmarkTest02670#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse):12:(md = java.security.MessageDigest.getInstance(\"SHA1\", \"SUN\"))", + "fullyQualifiedName": "org.owasp.benchmark.testcode.BenchmarkTest02670#doPost" + } + ], + "message": { + "text": "Call to \"getInstance\" puts marked data to \"md\"" + }, + "physicalLocation": { + "artifactLocation": { + "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02670.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 75, + "endLine": 57, + "startColumn": 17, + "startLine": 57 + } + } + } + }, + { + "executionOrder": 1, + "kinds": [ + "taint" + ], + "location": { + "logicalLocations": [ + { + "decoratedName": "(id:69)org.owasp.benchmark.testcode.BenchmarkTest02670#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse):34:(result = %14.digest())", + "fullyQualifiedName": "org.owasp.benchmark.testcode.BenchmarkTest02670#doPost" + } + ], + "message": { + "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." + }, + "physicalLocation": { + "artifactLocation": { + "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02670.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 39, + "endLine": 75, + "startColumn": 13, + "startLine": 75 + } + } + } + } + ] + } + ] + } + ], + "level": "warning", + "locations": [ + { + "logicalLocations": [ + { + "decoratedName": "(id:69)org.owasp.benchmark.testcode.BenchmarkTest02670#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse):34:(result = %14.digest())", + "fullyQualifiedName": "org.owasp.benchmark.testcode.BenchmarkTest02670#doPost" + } + ], + "physicalLocation": { + "artifactLocation": { + "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02670.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 39, + "endLine": 75, + "startColumn": 13, + "startLine": 75 + } + } + } + ], + "message": { + "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." + }, + "partialFingerprints": { + "vulnerabilityWithTraceHash/v1": "tfBwQtesKkMFhW295OGNEEh/V97jj1YDkiI3YLQh794=" + }, + "relatedLocations": [ + { + "logicalLocations": [ + { + "fullyQualifiedName": "POST /hash-02/BenchmarkTest02670", + "index": 0, + "kind": "function", + "name": "org.owasp.benchmark.testcode.BenchmarkTest02670#doPost" + } + ], + "message": { + "text": "Related Spring controller" + }, + "physicalLocation": { + "artifactLocation": { + "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02670.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41 + } + } + } + ], + "ruleId": "java.security.use-of-sha1" + }, + { + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "executionOrder": 0, + "kinds": [ + "taint" + ], + "location": { + "logicalLocations": [ + { + "decoratedName": "(id:69)org.owasp.benchmark.testcode.BenchmarkTest02710#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse):28:(cookie.(\"SomeCookie\", str))", + "fullyQualifiedName": "org.owasp.benchmark.testcode.BenchmarkTest02710#doPost" + } + ], + "message": { + "text": "Call to \"Cookie\" initializer puts $COOKIE data to \"cookie\"" + }, + "physicalLocation": { + "artifactLocation": { + "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02710.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 91, + "endLine": 64, + "startColumn": 9, + "startLine": 64 + } + } + } + }, + { + "executionOrder": 1, + "kinds": [ + "taint" + ], + "location": { + "logicalLocations": [ + { + "decoratedName": "(id:69)org.owasp.benchmark.testcode.BenchmarkTest02710#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse):33:(response.addCookie(cookie))", + "fullyQualifiedName": "org.owasp.benchmark.testcode.BenchmarkTest02710#doPost" + } + ], + "message": { + "text": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks." + }, + "physicalLocation": { + "artifactLocation": { + "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02710.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 34, + "endLine": 70, + "startColumn": 9, + "startLine": 70 + } + } + } + } + ] + } + ] + } + ], + "level": "warning", + "locations": [ + { + "logicalLocations": [ + { + "decoratedName": "(id:69)org.owasp.benchmark.testcode.BenchmarkTest02710#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse):33:(response.addCookie(cookie))", + "fullyQualifiedName": "org.owasp.benchmark.testcode.BenchmarkTest02710#doPost" + } + ], + "physicalLocation": { + "artifactLocation": { + "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02710.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 34, + "endLine": 70, + "startColumn": 9, + "startLine": 70 + } + } + } + ], + "message": { + "text": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks." + }, + "partialFingerprints": { + "vulnerabilityWithTraceHash/v1": "JXUVBFuoUt6kGO3e63JNgeg2K9+YxegTsw0mIuCu548=" + }, + "relatedLocations": [ + { + "logicalLocations": [ + { + "fullyQualifiedName": "POST /securecookie-00/BenchmarkTest02710", + "index": 0, + "kind": "function", + "name": "org.owasp.benchmark.testcode.BenchmarkTest02710#doPost" + } + ], + "message": { + "text": "Related Spring controller" + }, + "physicalLocation": { + "artifactLocation": { + "uri": "src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02710.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41 + } + } + } + ], + "ruleId": "java.security.cookie-issecure-false" + } + ] + } + ] +} \ No newline at end of file From e3f150881781da2015525958b90fa6c1b27fee36 Mon Sep 17 00:00:00 2001 From: seqradev Date: Sun, 8 Feb 2026 23:48:33 +0300 Subject: [PATCH 2/4] Remove an unnecessary method override --- .../benchmarkutils/score/parsers/sarif/SeqraReader.java | 6 ------ 1 file changed, 6 deletions(-) diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java index 891306c2..c48f8cc4 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java @@ -18,7 +18,6 @@ package org.owasp.benchmarkutils.score.parsers.sarif; import org.owasp.benchmarkutils.score.CweNumber; -import org.owasp.benchmarkutils.score.ResultFile; /** * This reader is made for Seqra, a security static analysis tool. It uses the SARIF file produced @@ -30,11 +29,6 @@ public SeqraReader() { super("Seqra", false, CweSourceType.TAG); } - @Override - public String toolName(ResultFile resultFile) { - return "Seqra"; - } - /** * Maps Seqra CWE numbers to Benchmark expected CWEs. * From 0f94428acc4b385c84258de8f92384eff42f4315 Mon Sep 17 00:00:00 2001 From: seqradev Date: Tue, 31 Mar 2026 00:47:20 +0300 Subject: [PATCH 3/4] Rename Seqra to OpenTaint across reader, tests, and SARIF fixtures --- .../benchmarkutils/score/parsers/Reader.java | 4 ++-- .../{SeqraReader.java => OpenTaintReader.java} | 16 ++++++++-------- ...aReaderTest.java => OpenTaintReaderTest.java} | 14 +++++++------- ...ark_Seqra.sarif => Benchmark_OpenTaint.sarif} | 6 +++--- 4 files changed, 20 insertions(+), 20 deletions(-) rename plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/{SeqraReader.java => OpenTaintReader.java} (78%) rename plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/{SeqraReaderTest.java => OpenTaintReaderTest.java} (86%) rename plugin/src/test/resources/testfiles/{Benchmark_Seqra.sarif => Benchmark_OpenTaint.sarif} (99%) diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java index 62c3c9d1..04a15ef7 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java @@ -35,10 +35,10 @@ import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader; import org.owasp.benchmarkutils.score.parsers.sarif.DatadogSastReader; import org.owasp.benchmarkutils.score.parsers.sarif.FortifySarifReader; +import org.owasp.benchmarkutils.score.parsers.sarif.OpenTaintReader; import org.owasp.benchmarkutils.score.parsers.sarif.PTAIReader; import org.owasp.benchmarkutils.score.parsers.sarif.PrecautionReader; import org.owasp.benchmarkutils.score.parsers.sarif.SemgrepSarifReader; -import org.owasp.benchmarkutils.score.parsers.sarif.SeqraReader; import org.owasp.benchmarkutils.score.parsers.sarif.SnykReader; import org.w3c.dom.NamedNodeMap; import org.w3c.dom.Node; @@ -104,7 +104,7 @@ public static List allReaders() { new SemgrepReader(), new SemgrepCSVReader(), new SemgrepSarifReader(), - new SeqraReader(), + new OpenTaintReader(), new ShiftLeftReader(), new ShiftLeftScanReader(), new SnappyTickReader(), diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReader.java similarity index 78% rename from plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java rename to plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReader.java index c48f8cc4..0a01a63c 100644 --- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java +++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReader.java @@ -20,20 +20,20 @@ import org.owasp.benchmarkutils.score.CweNumber; /** - * This reader is made for Seqra, a security static analysis tool. It uses the SARIF file produced - * by the tool. + * This reader is made for OpenTaint, a security static analysis tool. It uses the SARIF file + * produced by the tool. */ -public class SeqraReader extends SarifReader { +public class OpenTaintReader extends SarifReader { - public SeqraReader() { - super("Seqra", false, CweSourceType.TAG); + public OpenTaintReader() { + super("OpenTaint", false, CweSourceType.TAG); } /** - * Maps Seqra CWE numbers to Benchmark expected CWEs. + * Maps OpenTaint CWE numbers to Benchmark expected CWEs. * - *

The SarifReader base class only uses the first CWE tag from each rule. Some Seqra rules - * have multiple CWE tags where the first one doesn't match Benchmark's expected CWE. This + *

The SarifReader base class only uses the first CWE tag from each rule. Some OpenTaint + * rules have multiple CWE tags where the first one doesn't match Benchmark's expected CWE. This * method provides ad-hoc mappings for such cases. * *

Example: The rule "java.security.cookie-issecure-false" has tags [CWE-319, CWE-614]. The diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReaderTest.java similarity index 86% rename from plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReaderTest.java rename to plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReaderTest.java index 547a5339..72b0eb95 100644 --- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReaderTest.java +++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReaderTest.java @@ -29,28 +29,28 @@ import org.owasp.benchmarkutils.score.TestSuiteResults; import org.owasp.benchmarkutils.score.parsers.ReaderTestBase; -public class SeqraReaderTest extends ReaderTestBase { +public class OpenTaintReaderTest extends ReaderTestBase { private ResultFile resultFile; @BeforeEach void setUp() { - resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Seqra.sarif"); + resultFile = TestHelper.resultFileOf("testfiles/Benchmark_OpenTaint.sarif"); BenchmarkScore.TESTCASENAME = "BenchmarkTest"; } @Test - public void onlySeqraReaderTestReportsCanReadAsTrue() { - assertOnlyMatcherClassIs(this.resultFile, SeqraReader.class); + public void onlyOpenTaintReaderTestReportsCanReadAsTrue() { + assertOnlyMatcherClassIs(this.resultFile, OpenTaintReader.class); } @Test void readerHandlesGivenResultFile() throws Exception { - SeqraReader reader = new SeqraReader(); + OpenTaintReader reader = new OpenTaintReader(); TestSuiteResults result = reader.parse(resultFile); assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); - assertEquals("Seqra", result.getToolName()); + assertEquals("OpenTaint", result.getToolName()); assertEquals("v2.2.0", result.getToolVersion()); assertFalse(result.isCommercial()); @@ -62,7 +62,7 @@ void readerHandlesGivenResultFile() throws Exception { @Test void mapCweMapsInsecureCookieCwe() { - SeqraReader reader = new SeqraReader(); + OpenTaintReader reader = new OpenTaintReader(); // CWE-319 (Cleartext Transmission) should map to CWE-614 (Insecure Cookie) assertEquals(CweNumber.INSECURE_COOKIE, reader.mapCwe(319)); diff --git a/plugin/src/test/resources/testfiles/Benchmark_Seqra.sarif b/plugin/src/test/resources/testfiles/Benchmark_OpenTaint.sarif similarity index 99% rename from plugin/src/test/resources/testfiles/Benchmark_Seqra.sarif rename to plugin/src/test/resources/testfiles/Benchmark_OpenTaint.sarif index 286961d2..77c6a980 100644 --- a/plugin/src/test/resources/testfiles/Benchmark_Seqra.sarif +++ b/plugin/src/test/resources/testfiles/Benchmark_OpenTaint.sarif @@ -5,9 +5,9 @@ { "tool": { "driver": { - "name": "Seqra", + "name": "OpenTaint", "organization": "Seqra", - "semanticVersion": "v2.2.0", + "semanticVersion": "v0.1.0", "rules": [ { "defaultConfiguration": { @@ -303,4 +303,4 @@ ] } ] -} \ No newline at end of file +} From 51e26f580077b22fba18adb217664acf999e5ce7 Mon Sep 17 00:00:00 2001 From: seqradev Date: Tue, 31 Mar 2026 16:43:30 +0300 Subject: [PATCH 4/4] Fix expected tool version in OpenTaintReaderTest to match SARIF fixture --- .../benchmarkutils/score/parsers/sarif/OpenTaintReaderTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReaderTest.java index 72b0eb95..ae686953 100644 --- a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReaderTest.java +++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/OpenTaintReaderTest.java @@ -51,7 +51,7 @@ void readerHandlesGivenResultFile() throws Exception { assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); assertEquals("OpenTaint", result.getToolName()); - assertEquals("v2.2.0", result.getToolVersion()); + assertEquals("v0.1.0", result.getToolVersion()); assertFalse(result.isCommercial()); assertEquals(2, result.getTotalResults());