Add Cognium SARIF reader

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java

@@ -31,6 +31,7 @@
 import org.owasp.benchmarkutils.score.parsers.csv.SemgrepCSVReader;
 import org.owasp.benchmarkutils.score.parsers.csv.WhiteHatDynamicReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.BanditReader;
+import org.owasp.benchmarkutils.score.parsers.sarif.CogniumReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.DatadogSastReader;
@@ -67,6 +68,7 @@ public static List<Reader> allReaders() {
                 new CheckmarxIASTReader(),
                 new CheckmarxReader(),
                 new CodeQLReader(),
+                new CogniumReader(),
                 new ContrastAssessReader(),
                 new ContrastScanReader(),
                 new CoverityReader(),

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CogniumReader.java

@@ -0,0 +1,59 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details
+ *
+ * @author Cognium Labs
+ * @created 2026
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.json.JSONObject;
+import org.owasp.benchmarkutils.score.CweNumber;
+
+/**
+ * Reader for <a href="https://cognium.dev">Cognium</a> SARIF results generated via:
+ *
+ * <pre>cognium scan &lt;path&gt; --format sarif --output results.sarif</pre>
+ *
+ * <p>Cognium embeds the CWE in each result's {@code properties.cwe} field (e.g. {@code "CWE-79"})
+ * rather than in the rules section, so CWE resolution uses a static ruleId-to-CWE mapping.
+ * Non-security findings (reliability, performance, etc.) have no entry in the map and are silently
+ * skipped by the base class.
+ */
+public class CogniumReader extends SarifReader {
+
+    public CogniumReader() {
+        super("cognium", false, CweSourceType.CUSTOM);
+    }
+
+    @Override
+    public Map<String, Integer> customRuleCweMappings(JSONObject tool) {
+        Map<String, Integer> mappings = new HashMap<>();
+        mappings.put("sql_injection",     CweNumber.SQL_INJECTION);
+        mappings.put("command_injection",  CweNumber.COMMAND_INJECTION);
+        mappings.put("path_traversal",     CweNumber.PATH_TRAVERSAL);
+        mappings.put("xss",                CweNumber.XSS);
+        mappings.put("ldap_injection",     CweNumber.LDAP_INJECTION);
+        mappings.put("xpath_injection",    CweNumber.XPATH_INJECTION);
+        mappings.put("weak_random",        CweNumber.WEAK_RANDOM);
+        mappings.put("weak_hash",          CweNumber.WEAK_HASH_ALGO);
+        mappings.put("weak_crypto",        CweNumber.WEAK_CRYPTO_ALGO);
+        mappings.put("insecure_cookie",    CweNumber.INSECURE_COOKIE);
+        mappings.put("trust_boundary",     CweNumber.TRUST_BOUNDARY_VIOLATION);
+        mappings.put("xxe",                CweNumber.XXE);
+        mappings.put("deserialization",    CweNumber.INSECURE_DESERIALIZATION);
+        return mappings;
+    }
+}

plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CogniumReaderTest.java

@@ -0,0 +1,62 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Cognium Labs
+ * @created 2026
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestHelper;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
+import org.owasp.benchmarkutils.score.parsers.ReaderTestBase;
+
+public class CogniumReaderTest extends ReaderTestBase {
+
+    private ResultFile resultFile;
+
+    @BeforeEach
+    void setUp() {
+        resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Cognium.sarif");
+        BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+    }
+
+    @Test
+    public void onlyCogniumReaderReportsCanReadAsTrue() {
+        assertOnlyMatcherClassIs(this.resultFile, CogniumReader.class);
+    }
+
+    @Test
+    void readerHandlesGivenResultFile() throws Exception {
+        CogniumReader reader = new CogniumReader();
+        TestSuiteResults result = reader.parse(resultFile);
+
+        assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+        assertFalse(result.isCommercial());
+        assertEquals("cognium", result.getToolName());
+        assertEquals("1.4.2", result.getToolVersion());
+
+        assertEquals(2, result.getTotalResults());
+
+        assertEquals(CweNumber.XSS, result.get(1).get(0).getCWE());
+        assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE());
+    }
+}

plugin/src/test/resources/testfiles/Benchmark_Cognium.sarif

@@ -0,0 +1,61 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "cognium",
+          "version": "1.4.2",
+          "informationUri": "https://cognium.dev",
+          "rules": [
+            {
+              "id": "xss",
+              "name": "xss",
+              "shortDescription": { "text": "xss" },
+              "defaultConfiguration": { "level": "error" },
+              "properties": { "security-severity": "7.0" }
+            },
+            {
+              "id": "sql_injection",
+              "name": "sql_injection",
+              "shortDescription": { "text": "sql_injection" },
+              "defaultConfiguration": { "level": "error" },
+              "properties": { "security-severity": "9.0" }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "xss",
+          "level": "error",
+          "message": { "text": "xss vulnerability: tainted data flows from line 41 to line 86" },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": { "uri": "BenchmarkTest00001.java" },
+                "region": { "startLine": 86 }
+              }
+            }
+          ],
+          "properties": { "cwe": "CWE-79", "severity": "high" }
+        },
+        {
+          "ruleId": "sql_injection",
+          "level": "error",
+          "message": { "text": "sql_injection vulnerability: tainted data flows from line 38 to line 55" },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": { "uri": "BenchmarkTest00002.java" },
+                "region": { "startLine": 55 }
+              }
+            }
+          ],
+          "properties": { "cwe": "CWE-89", "severity": "critical" }
+        }
+      ]
+    }
+  ]
+}