SecurityReports.SecurityStandardCategoryStatistics.Builder catBuilder = SecurityReports.SecurityStandardCategoryStatistics.newBuilder(); catBuilder .setCategory(cat.getCategory()) .setVulnerabilities(cat.getVulnerabilities()); cat.getVulnerabiliyRating().ifPresent(catBuilder::setVulnerabilityRating); catBuilder .setOpenSecurityHotspots(cat.getOpenSecurityHotspots()) .setToReviewSecurityHotspots(cat.getToReviewSecurityHotspots()) .setWontFixSecurityHotspots(cat.getWontFixSecurityHotspots()) .setTotalRules(cat.getTotalRules()) .setActiveRules(cat.getActiveRules()); if (cat.getChildren() != null) { cat.getChildren().stream() .sorted(comparing(cweIndex())) .forEach(cwe -> { SecurityReports.CweStatistics.Builder cweBuilder = SecurityReports.CweStatistics.newBuilder(); cweBuilder .setCwe(cwe.getCategory()) .setVulnerabilities(cwe.getVulnerabilities()); cwe.getVulnerabiliyRating().ifPresent(cweBuilder::setVulnerabilityRating); cweBuilder .setOpenSecurityHotspots(cwe.getOpenSecurityHotspots()) .setToReviewSecurityHotspots(cwe.getToReviewSecurityHotspots()) .setWontFixSecurityHotspots(cwe.getWontFixSecurityHotspots()) .setActiveRules(cwe.getActiveRules()) .setTotalRules(cwe.getTotalRules()); catBuilder.addDistribution(cweBuilder); });
c.setTotalRules(rulesByCategory.get(c.getCategory()).size()); c.setActiveRules(activeRulesByCategory.get(c.getCategory()).size()); c.getChildren().forEach(child -> { child.setTotalRules(rulesByCategory.get(child.getCategory()).size()); child.setActiveRules(activeRulesByCategory.get(child.getCategory()).size()); }); });
/**
 * When the OWASP Top 10 report is built with CWE aggregation disabled, no category
 * may carry CWE children.
 */
@Test
public void getOwaspTop10Report_aggregation_no_cwe() {
  // the boolean presumably toggles CWE aggregation in the helper — here it is off
  List<SecurityStandardCategoryStatistics> report = indexIssuesAndAssertOwaspReport(false);
  assertThat(report).allMatch(c -> c.getChildren().isEmpty());
}
/**
 * Sort key for CWE categories: the numeric CWE id, with {@code UNKNOWN_STANDARD} placed last.
 *
 * @return a function mapping a category's statistics to its numeric sort index
 */
private static Function<SecurityStandardCategoryStatistics, Integer> cweIndex() {
  return stats -> {
    String cweCategory = stats.getCategory();
    if (cweCategory.equals(UNKNOWN_STANDARD)) {
      // the unknown bucket sorts after every numeric id
      return Integer.MAX_VALUE;
    }
    // any other category is expected to be a plain numeric CWE id; parseInt throws otherwise
    return parseInt(cweCategory);
  };
}
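/**
 * Builds the statistics of one security-standard category from its Elasticsearch bucket.
 *
 * @param categoryBucket the category bucket holding the "vulnerabilities", "openSecurityHotspots",
 *   "toReviewSecurityHotspots" and "wontFixSecurityHotspots" filter sub-aggregations
 * @param categoryName the category identifier to report
 * @param children already-computed statistics of the sub-categories (CWEs), or null when not aggregated
 * @return the aggregated statistics for the category
 */
private static SecurityStandardCategoryStatistics processSecurityReportCategorySearchResults(HasAggregations categoryBucket, String categoryName,
  @Nullable List<SecurityStandardCategoryStatistics> children) {
  InternalFilter vulnerabilitiesFilter = (InternalFilter) categoryBucket.getAggregations().get("vulnerabilities");
  List<StringTerms.Bucket> severityBuckets = ((StringTerms) vulnerabilitiesFilter.getAggregations().get("severity")).getBuckets();
  long vulnerabilities = severityBuckets.stream().mapToLong(b -> countOf(b)).sum();
  // Worst severity having at least one issue: rating is the 1-based position of the key in Severity.ALL.
  // NOTE(review): indexOf yields -1 for a key absent from Severity.ALL, so an unexpected severity would rate 0 —
  // presumably only known severities are indexed; confirm.
  OptionalInt severityRating = severityBuckets.stream()
    .filter(b -> countOf(b) != 0)
    .mapToInt(b -> Severity.ALL.indexOf(b.getKeyAsString()) + 1)
    .max();
  long openSecurityHotspots = filteredCountOf(categoryBucket, "openSecurityHotspots");
  long toReviewSecurityHotspots = filteredCountOf(categoryBucket, "toReviewSecurityHotspots");
  long wontFixSecurityHotspots = filteredCountOf(categoryBucket, "wontFixSecurityHotspots");
  // NOTE(review): argument order is toReview, open, wontFix — kept exactly as the call was written; verify against the constructor signature
  return new SecurityStandardCategoryStatistics(categoryName, vulnerabilities, severityRating, toReviewSecurityHotspots, openSecurityHotspots, wontFixSecurityHotspots, children);
}

/** Value of the {@code COUNT} value-count sub-aggregation of the given bucket. */
private static long countOf(HasAggregations bucket) {
  return ((InternalValueCount) bucket.getAggregations().get(COUNT)).getValue();
}

/** {@code COUNT} of the named filter sub-aggregation of a category bucket (used for the hotspot counters). */
private static long filteredCountOf(HasAggregations categoryBucket, String filterName) {
  return countOf((InternalFilter) categoryBucket.getAggregations().get(filterName));
}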
assertThat(sansTop25Report).allMatch(category -> category.getChildren().isEmpty());
/**
 * Sort index of an OWASP category: the number following {@code OWASP_CAT_PREFIX},
 * or 11 for any category without that prefix.
 *
 * @param owaspCat the category statistics whose category name is inspected
 * @return the numeric index, 11 for an unknown category
 */
private static Integer index(SecurityStandardCategoryStatistics owaspCat) {
  String category = owaspCat.getCategory();
  if (!category.startsWith(OWASP_CAT_PREFIX)) {
    // unknown category: 11 follows the ten OWASP categories (presumably a sort key — verify caller)
    return 11;
  }
  return parseInt(category.substring(OWASP_CAT_PREFIX.length()));
}
tuple(SANS_TOP_25_POROUS_DEFENSES, 0L, OptionalInt.empty(), 0L, 0L, 0L)); assertThat(sansTop25Report).allMatch(category -> category.getChildren().isEmpty());