Add OpenTaint SARIF reader support #266
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| /** | ||
| * OWASP Benchmark Project | ||
| * | ||
| * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For | ||
| * details, please see <a | ||
| * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>. | ||
| * | ||
| * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms | ||
| * of the GNU General Public License as published by the Free Software Foundation, version 2. | ||
| * | ||
| * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY | ||
| * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR | ||
| * PURPOSE. See the GNU General Public License for more details. | ||
| * | ||
| * @author Seqra Team | ||
| * @created 2026 | ||
| */ | ||
| package org.owasp.benchmarkutils.score.parsers.sarif; | ||
|
|
||
| import org.owasp.benchmarkutils.score.CweNumber; | ||
|
|
||
| /** | ||
| * This reader is made for OpenTaint, a security static analysis tool. It uses the SARIF file | ||
| * produced by the tool. | ||
| */ | ||
| public class OpenTaintReader extends SarifReader { | ||
|
|
||
| public OpenTaintReader() { | ||
| super("OpenTaint", false, CweSourceType.TAG); | ||
| } | ||
|
|
||
| /** | ||
| * Maps OpenTaint CWE numbers to Benchmark expected CWEs. | ||
| * | ||
| * <p>The SarifReader base class only uses the first CWE tag from each rule. Some OpenTaint | ||
| * rules have multiple CWE tags where the first one doesn't match Benchmark's expected CWE. This | ||
| * method provides ad-hoc mappings for such cases. | ||
| * | ||
| * <p>Example: The rule "java.security.cookie-issecure-false" has tags [CWE-319, CWE-614]. The | ||
| * parser picks CWE-319 (Cleartext Transmission), but Benchmark expects CWE-614 (Insecure | ||
| * Cookie) for the "securecookie" category. | ||
| */ | ||
| @Override | ||
| public int mapCwe(int cwe) { | ||
| switch (cwe) { | ||
| case 319: | ||
| // cookie-issecure-false rule has [CWE-319, CWE-614] | ||
| // Benchmark expects CWE-614 for securecookie category | ||
| return CweNumber.INSECURE_COOKIE; | ||
| default: | ||
| return cwe; | ||
| } | ||
| } | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| /** | ||
| * OWASP Benchmark Project | ||
| * | ||
| * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For | ||
| * details, please see <a | ||
| * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>. | ||
| * | ||
| * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms | ||
| * of the GNU General Public License as published by the Free Software Foundation, version 2. | ||
| * | ||
| * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY | ||
| * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR | ||
| * PURPOSE. See the GNU General Public License for more details. | ||
| * | ||
| * @author Seqra Team | ||
|
Contributor
There was a problem hiding this comment. You renamed it, but did not change it here. Intentional? |
||
| * @created 2026 | ||
| */ | ||
| package org.owasp.benchmarkutils.score.parsers.sarif; | ||
|
|
||
| import static org.junit.jupiter.api.Assertions.assertEquals; | ||
| import static org.junit.jupiter.api.Assertions.assertFalse; | ||
|
|
||
| import org.junit.jupiter.api.BeforeEach; | ||
| import org.junit.jupiter.api.Test; | ||
| import org.owasp.benchmarkutils.score.BenchmarkScore; | ||
| import org.owasp.benchmarkutils.score.CweNumber; | ||
| import org.owasp.benchmarkutils.score.ResultFile; | ||
| import org.owasp.benchmarkutils.score.TestHelper; | ||
| import org.owasp.benchmarkutils.score.TestSuiteResults; | ||
| import org.owasp.benchmarkutils.score.parsers.ReaderTestBase; | ||
|
|
||
| public class OpenTaintReaderTest extends ReaderTestBase { | ||
|
|
||
| private ResultFile resultFile; | ||
|
|
||
| @BeforeEach | ||
| void setUp() { | ||
| resultFile = TestHelper.resultFileOf("testfiles/Benchmark_OpenTaint.sarif"); | ||
| BenchmarkScore.TESTCASENAME = "BenchmarkTest"; | ||
| } | ||
|
|
||
| @Test | ||
| public void onlyOpenTaintReaderTestReportsCanReadAsTrue() { | ||
| assertOnlyMatcherClassIs(this.resultFile, OpenTaintReader.class); | ||
| } | ||
|
|
||
| @Test | ||
| void readerHandlesGivenResultFile() throws Exception { | ||
| OpenTaintReader reader = new OpenTaintReader(); | ||
| TestSuiteResults result = reader.parse(resultFile); | ||
|
|
||
| assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType()); | ||
| assertEquals("OpenTaint", result.getToolName()); | ||
| assertEquals("v0.1.0", result.getToolVersion()); | ||
| assertFalse(result.isCommercial()); | ||
|
|
||
| assertEquals(2, result.getTotalResults()); | ||
|
|
||
| assertEquals(CweNumber.WEAK_HASH_ALGO, result.get(2670).get(0).getCWE()); | ||
| assertEquals(CweNumber.INSECURE_COOKIE, result.get(2710).get(0).getCWE()); | ||
| } | ||
|
|
||
| @Test | ||
| void mapCweMapsInsecureCookieCwe() { | ||
| OpenTaintReader reader = new OpenTaintReader(); | ||
|
|
||
| // CWE-319 (Cleartext Transmission) should map to CWE-614 (Insecure Cookie) | ||
| assertEquals(CweNumber.INSECURE_COOKIE, reader.mapCwe(319)); | ||
|
|
||
| // Other CWEs should pass through unchanged | ||
| assertEquals(328, reader.mapCwe(328)); | ||
| assertEquals(327, reader.mapCwe(327)); | ||
| } | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just for my OCD, please move it to the correct place.