@@ -96,9 +96,9 @@ private HashMap<String, Integer> parseLGTMRules(JSONArray rulesJSON) {
9696 for (int i = 0 ; i < tags .length (); i ++) {
9797 String val = tags .getString (i );
9898 if (val .startsWith (LGTMCWEPREFIX )) {
99- // System.out.println("Rule found for CWE: " +
100- // Integer.parseInt(val.substring(LGTMCWEPREFIXLENGTH)));
101- // int cwe = fixCWE( cweNumber );
99+ // NOTE: If you try to map the rules here, you have to map EVERY rule in the
100+ // current ruleset, even though many of those rules won't have results. So
101+ // instead we map them later when there is actually a finding by that rule.
102102 rulesUsed .put (
103103 ruleName , Integer .parseInt (val .substring (LGTMCWEPREFIXLENGTH )));
104104 break ; // Break out of for loop because we only want to use the first CWE it
@@ -127,26 +127,40 @@ private TestCaseResult parseLGTMFinding(
127127 .getJSONObject ("physicalLocation" )
128128 .getJSONObject ("artifactLocation" )
129129 .getString ("uri" );
130- filename = filename .substring (filename .lastIndexOf ('/' ));
131- if (filename .contains (BenchmarkScore .TESTCASENAME )) {
130+ filename = filename .substring (filename .lastIndexOf ('/' ) + 1 );
131+ if (filename .startsWith (BenchmarkScore .TESTCASENAME )) {
132132 String testNumber =
133133 filename .substring (
134- BenchmarkScore .TESTCASENAME .length () + 1 ,
135- filename .length () - BenchmarkScore .TESTIDLENGTH );
134+ BenchmarkScore .TESTCASENAME .length (), filename .lastIndexOf ('.' ));
136135 tcr .setNumber (Integer .parseInt (testNumber ));
137136 String ruleId = finding .getString ("ruleId" );
138137 Integer cweForRule = rulesUsed .get (ruleId );
139138 // System.out.println("Found finding in: " + testNumber + " of type: " + ruleId +
140139 // " CWE: " + cweForRule);
141140 if (cweForRule == null ) {
141+ switch (ruleId ) {
142+ case "java/inefficient-empty-string-test" :
143+ case "java/missing-override-annotation" :
144+ case "java/non-static-nested-class" :
145+ break ; // We've seen these before and they're OK, so don't print warning
146+
147+ default :
148+
149+ // The parseLGTMRules() method strips out rules that don't have a CWE.
150+ // So this error can happen. As such, we filter out the ones we've seen.
151+ System .out .println (
152+ "WARNING: finding found for ruleId: "
153+ + ruleId
154+ + " with no CWE mapping" );
155+ }
142156 return null ;
143157 }
144158 if (locations .length () > 1 ) {
145159 System .out .println (
146- "Unexpectedly found more than one location for finding against rule: "
160+ "WARNING: Unexpectedly found more than one location for finding against rule: "
147161 + ruleId );
148162 }
149- int cwe = cweForRule . intValue ( );
163+ int cwe = mapCWE ( cweForRule );
150164 tcr .setCWE (cwe );
151165 // tcr.setCategory( props.getString( "subcategoryShortDescription" ) ); //
152166 // Couldn't find any Category info in results file
@@ -159,13 +173,65 @@ private TestCaseResult parseLGTMFinding(
159173 return null ;
160174 }
161175
162- /*
163- private int fixCWE( String cweNumber ) {
164- int cwe = Integer.parseInt( cweNumber );
165- if ( cwe == 94 ) cwe = 643;
166- if ( cwe == 36 ) cwe = 22;
167- if ( cwe == 23 ) cwe = 22;
168- return cwe;
169- }
170- */
176+ private int mapCWE (Integer cweNumber ) {
177+
178+ switch (cweNumber ) {
179+ // These are properly mapped by default
180+ case 22 : // java/path-injection and zipslip
181+ case 78 : // java/command-line-injection
182+ case 79 : // java/xss
183+ case 89 : // java/sql-injection and similar sqli rules
184+ case 90 : // java/ldap-injection
185+ case 327 : // java/weak-cryptographic-algorithm
186+ case 611 : // java/xxe
187+ case 614 : // java/insecure-cookie
188+ case 643 : // java/xml/xpath-injection
189+ return cweNumber .intValue (); // Return CWE as is
190+
191+ // These rules we care about, but have to map to the CWE we expect
192+ case 335 : // java/predictable-seed - This mapping improves the tool's score
193+ return 330 ; // Weak Random
194+
195+ /*
196+ * These rules exist in the java-code-scanning.qls query set, but we don't see findings
197+ * for them in Benchmark currently. They are left here in case we do see them in the
198+ * future to make it easier to support them.
199+ // These rules we care about, but have to map to the CWE we expect
200+ case 338: // java/jhipster-prng
201+ return 330; // Weak Random
202+ case 347: // java/missing-jwt-signature-check - TODO - Does this affect score?
203+ return 327; // Weak Crypto
204+
205+ // These rules we don't care about now, but we return their CWE value anyway in case
206+ // we care in the future
207+ case 94: // java/insecure-bean-validation and many others
208+ case 190: // java/implicit-cast-in-compound-assignment
209+ case 197: // java/tainted-numeric-cast
210+ case 297: // java/unsafe-hostname-verification
211+ case 300: // java/maven/non-https-url
212+ case 315: // java/cleartext-storage-in-cookie
213+ case 352: // java/spring-disabled-csrf-protection
214+ case 502: // java/unsafe-deserialization
215+ case 601: // java/unvalidated-url-redirection
216+ case 732: // java/world-writable-file-read
217+ case 807: // java/tainted-permissions-check
218+ case 917: // java/ognl-injection
219+ case 918: // java/ssrf
220+ case 1104: // java/maven/dependency-upon-bintray
221+ */
222+
223+ case 113 : // java/http-response-splitting
224+ case 134 : // java/tainted-format-string
225+ case 209 : // java/stack-trace-exposure
226+ case 404 : // java/TODO
227+ case 561 : // java/TODO
228+ case 570 : // java/TODO
229+ case 685 : // java/TODO
230+ return cweNumber .intValue (); // Return CWE as is
231+ default :
232+ System .out .println (
233+ "CodeQL parser encountered new unmapped vulnerability type: " + cweNumber );
234+ }
235+ return 0 ; // Not mapped to anything
236+ }
171237}
0 commit comments