.setTags("one", "two") .setScope(RuleScope.ALL) .addOwaspTop10(RulesDefinition.OwaspTop10.A1, RulesDefinition.OwaspTop10.A3) .addCwe(1, 2, 123) .addTags("two", "three", "four");
.setTags("one", "two") .setScope(RuleScope.ALL) .addOwaspTop10(RulesDefinition.OwaspTop10.A1, RulesDefinition.OwaspTop10.A3) .addCwe(1, 2, 123) .addTags("two", "three", "four");
@Test
public void add_new_security_standards() {
  // First definition of rule1: one OWASP Top 10 category and one CWE id.
  execute((RulesDefinition) context -> {
    NewRepository repository = context.createRepository("fake", "java");
    repository.createRule("rule1")
      .setName("Rule One")
      .setHtmlDescription("Description of Rule One")
      .addOwaspTop10(RulesDefinition.OwaspTop10.A1)
      .addCwe(123);
    repository.done();
  });
  OrganizationDto organization = db.getDefaultOrganization();
  RuleDto firstLoad = dbClient.ruleDao().selectOrFailByKey(db.getSession(), organization, RULE_KEY1);
  assertThat(firstLoad.getSecurityStandards()).containsOnly("cwe:123", "owaspTop10:a1");

  // Re-defining the same rule key with a larger set of standards must replace what is
  // stored; containsOnly pins the exact set, so stale or duplicated entries would fail.
  execute((RulesDefinition) context -> {
    NewRepository repository = context.createRepository("fake", "java");
    repository.createRule("rule1")
      .setName("Rule One")
      .setHtmlDescription("Description of Rule One")
      .addOwaspTop10(RulesDefinition.OwaspTop10.A1, RulesDefinition.OwaspTop10.A3)
      .addCwe(1, 123, 863);
    repository.done();
  });
  RuleDto secondLoad = dbClient.ruleDao().selectOrFailByKey(db.getSession(), organization, RULE_KEY1);
  // NOTE(review): only the widening case is covered here; a re-definition that drops a
  // standard (e.g. removing cwe:123) is not asserted anywhere in this test.
  assertThat(secondLoad.getSecurityStandards()).containsOnly("cwe:1", "cwe:123", "cwe:863", "owaspTop10:a1", "owaspTop10:a3");
}
.addOwaspTop10(OwaspTop10.A1, OwaspTop10.A3) .addCwe(1, 123, 863);
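/**
 * Registers the single Dependency-Check rule ("Using Components with Known Vulnerabilities")
 * in the plugin's repository and classifies it under OWASP Top 10 2013 A9 and CWE-937.
 *
 * @param context the rules definition context the server passes to every RulesDefinition
 */
@Override
@ParametersAreNonnullByDefault
public void define(Context context) {
  NewRepository repo = context.createRepository(DependencyCheckPlugin.REPOSITORY_KEY, DependencyCheckPlugin.LANGUAGE_KEY);
  repo.setName("OWASP");

  NewRule rule = repo.createRule(DependencyCheckPlugin.RULE_KEY);
  rule.addTags("cwe-937", "cwe", "cve", "owasp-a9", "security", "vulnerability");
  rule.setName("Using Components with Known Vulnerabilities");
  rule.setSeverity(Severity.MAJOR);
  rule.setStatus(RuleStatus.READY);
  // Security standards drive the server-side security reports/filters; CWE-937 is the
  // CWE category that mirrors the OWASP 2013 A9 entry.
  rule.addOwaspTop10(OwaspTop10.A9);
  rule.addCwe(CWE_937);

  // The description is rendered as HTML by the server, so it must be well-formed.
  // The previous version never closed the <ul> or the trailing <p>, which left the
  // "generated by" paragraph nested inside the list; both are closed here.
  // NOTE(review): the reference links are the legacy www.owasp.org wiki locations —
  // confirm they still resolve.
  String description = "<p>Components, such as libraries, frameworks, and other software modules, "
    + "almost always run with full privileges. If a vulnerable component is exploited, such "
    + "an attack can facilitate serious data loss or server takeover. Applications using "
    + "components with known vulnerabilities may undermine application defenses and enable "
    + "a range of possible attacks and impacts.</p>"
    + "<h3>References:</h3>"
    + "<ul>"
    + "<li>OWASP Top 10 2013-A9: <a href=\"https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities\">Using Components with Known Vulnerabilities</a></li>"
    + "<li><a href=\"https://cwe.mitre.org/data/definitions/937.html\">Common Weakness Enumeration CWE-937</a></li>"
    + "</ul>"
    + "<p>This issue was generated by <a href=\"https://www.owasp.org/index.php/OWASP_Dependency_Check\">Dependency-Check</a></p>";
  rule.setHtmlDescription(description);

  // Deliberately no remediation function: there's simply no way to know how much effort
  // will be involved in updating/replacing a vulnerable component.
  repo.done();
}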
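/**
 * Copies the OWASP Top 10 categories and CWE ids held in {@code securityStandards} onto
 * {@code rule}.
 * <p>
 * Either part may be absent: a null {@code securityStandards}, a null {@code OWASP} list or
 * a null {@code CWE} array is skipped instead of failing with a NullPointerException, which
 * is what the unguarded loop did before. This assumes the fields are reference types (a
 * String collection/array and an int array), as the loop and the varargs {@code addCwe}
 * call imply — confirm against the SecurityStandards declaration.
 * <p>
 * Entries of {@code OWASP} must match the {@code OwaspTop10} constant names exactly (e.g.
 * "A1"): {@code Enum.valueOf} throws IllegalArgumentException for anything else, including
 * lowercase variants, and that exception is intentionally not swallowed here.
 *
 * @param rule              the rule being defined
 * @param securityStandards the standards block to apply; may be null
 */
private static void addSecurityStandards(NewRule rule, SecurityStandards securityStandards) {
  if (securityStandards == null) {
    return;
  }
  if (securityStandards.OWASP != null) {
    for (String category : securityStandards.OWASP) {
      rule.addOwaspTop10(OwaspTop10.valueOf(category));
    }
  }
  if (securityStandards.CWE != null) {
    rule.addCwe(securityStandards.CWE);
  }
}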
/**
 * Applies the optional "OWASP" and "CWE" entries of a rule's JSON securityStandards object
 * to {@code rule}. A key that is missing or mapped to null leaves that standard untouched.
 *
 * @param rule              the rule being defined
 * @param securityStandards the parsed securityStandards object of the rule's metadata
 */
private static void setSecurityStandardsFromJson(NewRule rule, Map<String, Object> securityStandards) {
  Object owaspEntry = securityStandards.get("OWASP");
  if (owaspEntry != null) {
    // Values must match the enum constant names exactly (e.g. "A1"); valueOf rejects anything else.
    for (String category : getStringArray(securityStandards, "OWASP")) {
      rule.addOwaspTop10(RulesDefinition.OwaspTop10.valueOf(category));
    }
  }
  Object cweEntry = securityStandards.get("CWE");
  if (cweEntry != null) {
    rule.addCwe(getIntArray(securityStandards, "CWE"));
  }
}
.addOwaspTop10(OwaspTop10.A1, OwaspTop10.A3) .addCwe(1, 123, 863);
/**
 * Test fixture: defines a "fake" Java repository holding a fully-populated code smell, a
 * security hotspot carrying OWASP/CWE standards, and a minimal rule with only the
 * mandatory attributes.
 *
 * @param context the rules definition context supplied by the server
 */
@Override
public void define(Context context) {
  NewRepository repository = context.createRepository("fake", "java");

  // Every optional attribute is set on this rule so the round trip to the DB can be checked.
  NewRule first = repository.createRule(RULE_KEY1.rule())
    .setName("One")
    .setHtmlDescription("Description of One")
    .setSeverity(BLOCKER)
    .setInternalKey("config1")
    .setTags("tag1", "tag2", "tag3")
    .setScope(RuleScope.ALL)
    .setType(RuleType.CODE_SMELL)
    .setStatus(RuleStatus.BETA)
    .setGapDescription("squid.S115.effortToFix");
  first.setDebtRemediationFunction(first.debtRemediationFunctions().linearWithOffset("5d", "10h"));
  first.createParam("param1")
    .setDescription("parameter one")
    .setDefaultValue("default1");
  first.createParam("param2")
    .setDescription("parameter two")
    .setDefaultValue("default2");

  // Hotspot with security standards attached (two OWASP categories, three CWE ids).
  repository.createRule(HOTSPOT_RULE_KEY.rule())
    .setName("Hotspot")
    .setHtmlDescription("Minimal hotspot")
    .setType(RuleType.SECURITY_HOTSPOT)
    .addOwaspTop10(OwaspTop10.A1, OwaspTop10.A3)
    .addCwe(1, 123, 863);

  // Bare minimum: name and description only.
  repository.createRule(RULE_KEY2.rule())
    .setName("Two")
    .setHtmlDescription("Minimal rule");

  repository.done();
}
} // closes the enclosing class, whose header is above this excerpt
/**
 * Test fixture: defines an external "eslint" repository for JavaScript with one
 * fully-populated code smell and one security hotspot carrying OWASP/CWE standards.
 *
 * @param context the rules definition context supplied by the server
 */
@Override
public void define(Context context) {
  NewRepository repository = context.createExternalRepository("eslint", "js");

  // Code smell with every optional attribute set.
  repository.createRule(RULE_KEY1.rule())
    .setName("One")
    .setHtmlDescription("Description of One")
    .setSeverity(BLOCKER)
    .setInternalKey("config1")
    .setTags("tag1", "tag2", "tag3")
    .setScope(RuleScope.ALL)
    .setType(RuleType.CODE_SMELL)
    .setStatus(RuleStatus.BETA);

  // External hotspot with security standards attached (two OWASP categories, three CWE ids).
  repository.createRule(EXTERNAL_HOTSPOT_RULE_KEY.rule())
    .setName("Hotspot")
    .setHtmlDescription("Minimal hotspot")
    .setType(RuleType.SECURITY_HOTSPOT)
    .addOwaspTop10(OwaspTop10.A1, OwaspTop10.A3)
    .addCwe(1, 123, 863);

  repository.done();
}
} // closes the enclosing class, whose header is above this excerpt