@Test
public void facet_on_severities_return_5_entries_max() {
  // One file carrying six issues that together touch every severity value
  // (MAJOR appears twice), so the facet has exactly five distinct buckets to report.
  ComponentDto sourceFile = newFileDto(newPrivateProjectDto(newOrganizationDto()), null);
  indexIssues(
    newDoc("I2", sourceFile).setSeverity(INFO),
    newDoc("I1", sourceFile).setSeverity(MINOR),
    newDoc("I3", sourceFile).setSeverity(MAJOR),
    newDoc("I4", sourceFile).setSeverity(CRITICAL),
    newDoc("I5", sourceFile).setSeverity(BLOCKER),
    newDoc("I6", sourceFile).setSeverity(MAJOR));

  // An unfiltered query must surface all five severity buckets, and no more.
  assertThatFacetHasSize(IssueQuery.builder().build(), "severities", 5);
}
@Test
public void facets_on_severities() {
  // Two INFO issues and one MAJOR issue on the same file.
  ComponentDto sourceFile = newFileDto(newPrivateProjectDto(newOrganizationDto()), null);
  indexIssues(
    newDoc("I1", sourceFile).setSeverity(INFO),
    newDoc("I2", sourceFile).setSeverity(INFO),
    newDoc("I3", sourceFile).setSeverity(MAJOR));

  // The facet counts issues per severity; severities with no issue get no entry.
  assertThatFacetHasOnly(IssueQuery.builder(), "severities",
    entry("INFO", 2L),
    entry("MAJOR", 1L));
}
@Test
public void sort_by_severity() {
  // One issue per severity value, indexed in a deliberately shuffled order so
  // that the result order can only come from the sort, not from insertion order.
  ComponentDto sourceFile = newFileDto(newPrivateProjectDto(newOrganizationDto()), null);
  indexIssues(
    newDoc("I1", sourceFile).setSeverity(Severity.BLOCKER),
    newDoc("I2", sourceFile).setSeverity(Severity.INFO),
    newDoc("I3", sourceFile).setSeverity(Severity.MINOR),
    newDoc("I4", sourceFile).setSeverity(Severity.CRITICAL),
    newDoc("I5", sourceFile).setSeverity(Severity.MAJOR));

  // Ascending: least severe first (INFO, MINOR, MAJOR, CRITICAL, BLOCKER).
  IssueQuery.Builder ascending = IssueQuery.builder().sort(IssueQuery.SORT_BY_SEVERITY).asc(true);
  assertThatSearchReturnsOnly(ascending, "I2", "I3", "I5", "I4", "I1");

  // Descending: the exact reverse, most severe first.
  IssueQuery.Builder descending = IssueQuery.builder().sort(IssueQuery.SORT_BY_SEVERITY).asc(false);
  assertThatSearchReturnsOnly(descending, "I1", "I4", "I5", "I3", "I2");
}
@Test
public void facets_on_severities() {
  // Two INFO issues and one MAJOR issue on the same file.
  ComponentDto sourceFile = newFileDto(newPrivateProjectDto(newOrganizationDto()), null);
  indexIssues(
    newDoc("I1", sourceFile).setSeverity(Severity.INFO),
    newDoc("I2", sourceFile).setSeverity(Severity.INFO),
    newDoc("I3", sourceFile).setSeverity(Severity.MAJOR));

  // The facet counts issues per severity; severities with no issue get no entry.
  assertThatFacetHasOnly(IssueQuery.builder(), "severities",
    entry("INFO", 2L),
    entry("MAJOR", 1L));
}
doc.setLine(DatabaseUtils.getInt(rs, 3)); doc.setResolution(rs.getString(4)); doc.setSeverity(rs.getString(5)); doc.setStatus(rs.getString(6)); doc.setEffort(getLong(rs, 7));
@Test
public void filter_by_severities() {
  // One INFO and one MAJOR issue; nothing indexed at BLOCKER.
  ComponentDto sourceFile = newFileDto(newPrivateProjectDto(newOrganizationDto()), null);
  indexIssues(
    newDoc("I1", sourceFile).setSeverity(Severity.INFO),
    newDoc("I2", sourceFile).setSeverity(Severity.MAJOR));

  // A multi-value filter is a union of the listed severities.
  IssueQuery.Builder infoOrMajor = IssueQuery.builder().severities(asList(Severity.INFO, Severity.MAJOR));
  assertThatSearchReturnsOnly(infoOrMajor, "I1", "I2");

  // A single-value filter keeps only that severity.
  IssueQuery.Builder infoOnly = IssueQuery.builder().severities(singletonList(Severity.INFO));
  assertThatSearchReturnsOnly(infoOnly, "I1");

  // Filtering on a severity with no indexed issue yields an empty result, not an error.
  IssueQuery.Builder blockerOnly = IssueQuery.builder().severities(singletonList(Severity.BLOCKER));
  assertThatSearchReturnsEmpty(blockerOnly);
}
@Test
public void facets_on_severities() {
  // Three issues of 10 effort each: two INFO, one MAJOR.
  ComponentDto sourceFile = ComponentTesting.newFileDto(ComponentTesting.newPrivateProjectDto(newOrganizationDto()), null);
  indexIssues(
    IssueDocTesting.newDoc("I1", sourceFile).setSeverity(Severity.INFO).setEffort(10L),
    IssueDocTesting.newDoc("I2", sourceFile).setSeverity(Severity.INFO).setEffort(10L),
    IssueDocTesting.newDoc("I3", sourceFile).setSeverity(Severity.MAJOR).setEffort(10L));

  Facets result = search("severities");

  // In effort mode the requested facet is accompanied by the effort facet, and
  // the per-severity buckets hold summed effort rather than issue counts.
  assertThat(result.getNames()).containsOnly("severities", FACET_MODE_EFFORT);
  assertThat(result.get("severities")).containsOnly(
    entry("INFO", 20L),
    entry("MAJOR", 10L));
  assertThat(result.get(FACET_MODE_EFFORT)).containsOnly(entry("total", 30L));
}
@Test
public void getOwaspTop10Report_dont_count_closed_vulnerabilities() {
  ComponentDto project = newPrivateProjectDto(newOrganizationDto());
  // Both vulnerabilities map to OWASP category a1; only the first is still open.
  // The closed one is deliberately the more severe (BLOCKER) so that counting it
  // would be visible in both the vulnerability count and the rating.
  indexIssues(
    newDoc("openvul1", project)
      .setOwaspTop10(asList("a1"))
      .setType(RuleType.VULNERABILITY)
      .setStatus(Issue.STATUS_OPEN)
      .setSeverity(Severity.MAJOR),
    newDoc("notopenvul", project)
      .setOwaspTop10(asList("a1"))
      .setType(RuleType.VULNERABILITY)
      .setStatus(Issue.STATUS_CLOSED)
      .setResolution(Issue.RESOLUTION_FIXED)
      .setSeverity(Severity.BLOCKER));

  List<SecurityStandardCategoryStatistics> report = underTest.getOwaspTop10Report(project.uuid(), false, false);

  // Only the open MAJOR vulnerability contributes: count 1, rating derived from MAJOR (C).
  assertThat(report)
    .extracting(
      SecurityStandardCategoryStatistics::getCategory,
      SecurityStandardCategoryStatistics::getVulnerabilities,
      SecurityStandardCategoryStatistics::getVulnerabiliyRating)
    .contains(tuple("a1", 1L /* openvul1 */, OptionalInt.of(3) /* MAJOR = C */));
}
@Test
public void getOwaspTop10Report_dont_count_vulnerabilities_from_other_projects() {
  OrganizationDto organization = newOrganizationDto();
  ComponentDto queriedProject = newPrivateProjectDto(organization);
  ComponentDto otherProject = newPrivateProjectDto(organization);
  // Same organization, same OWASP category, but the other project's vulnerability is
  // more severe (CRITICAL): if it leaked into the report, the rating would rise above C.
  indexIssues(
    newDoc("anotherProject", otherProject)
      .setOwaspTop10(singletonList("a1"))
      .setType(RuleType.VULNERABILITY)
      .setStatus(Issue.STATUS_OPEN)
      .setSeverity(Severity.CRITICAL),
    newDoc("openvul1", queriedProject)
      .setOwaspTop10(singletonList("a1"))
      .setType(RuleType.VULNERABILITY)
      .setStatus(Issue.STATUS_OPEN)
      .setSeverity(Severity.MAJOR));

  List<SecurityStandardCategoryStatistics> report = underTest.getOwaspTop10Report(queriedProject.uuid(), false, false);

  // The report is scoped to the queried project uuid: one vulnerability, rated from MAJOR (C).
  assertThat(report)
    .extracting(
      SecurityStandardCategoryStatistics::getCategory,
      SecurityStandardCategoryStatistics::getVulnerabilities,
      SecurityStandardCategoryStatistics::getVulnerabiliyRating)
    .contains(tuple("a1", 1L /* openvul1 */, OptionalInt.of(3) /* MAJOR = C */));
}
@Test
public void getOwaspTop10Report_dont_count_old_vulnerabilities() {
  ComponentDto project = newPrivateProjectDto(newOrganizationDto());
  // A vulnerability indexed before security standards were tracked carries neither an
  // owasp nor a cwe attribute (not even 'unknown'). This mimics a project that has not
  // been re-analyzed since the attributes were introduced.
  indexIssues(
    newDoc("openvulNotReindexed", project)
      .setType(RuleType.VULNERABILITY)
      .setStatus(Issue.STATUS_OPEN)
      .setSeverity(Severity.MAJOR));

  List<SecurityStandardCategoryStatistics> report = underTest.getOwaspTop10Report(project.uuid(), false, false);

  // With no standard attribute the issue is attributed to no category, so every
  // category reports zero vulnerabilities and no rating at all.
  assertThat(report)
    .extracting(
      SecurityStandardCategoryStatistics::getVulnerabilities,
      SecurityStandardCategoryStatistics::getVulnerabiliyRating)
    .containsOnly(tuple(0L, OptionalInt.empty()));
}
indexIssues( newDoc("openvul1", project).setOwaspTop10(asList("a1", "a3")).setCwe(asList("123", "456")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) .setSeverity(Severity.MAJOR), newDoc("openvul2", project).setOwaspTop10(asList("a3", "a6")).setCwe(asList("123")).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) .setSeverity(Severity.MINOR), newDoc("notowaspvul", project).setOwaspTop10(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) .setSeverity(Severity.CRITICAL), newDoc("openhotspot1", project).setOwaspTop10(asList("a1", "a3")).setCwe(singletonList(UNKNOWN_STANDARD)).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_OPEN),
indexIssues( newDoc("openvul1", project).setSansTop25(asList(SANS_TOP_25_INSECURE_INTERACTION, SANS_TOP_25_RISKY_RESOURCE)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) .setSeverity(Severity.MAJOR), newDoc("openvul2", project).setSansTop25(asList(SANS_TOP_25_RISKY_RESOURCE, SANS_TOP_25_POROUS_DEFENSES)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) .setSeverity(Severity.MINOR), newDoc("notopenvul", project).setSansTop25(asList(SANS_TOP_25_RISKY_RESOURCE, SANS_TOP_25_POROUS_DEFENSES)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED) .setResolution(Issue.RESOLUTION_FIXED) .setSeverity(Severity.BLOCKER), newDoc("notsansvul", project).setSansTop25(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) .setSeverity(Severity.CRITICAL), newDoc("openhotspot1", project).setSansTop25(asList(SANS_TOP_25_INSECURE_INTERACTION, SANS_TOP_25_RISKY_RESOURCE)).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_OPEN),
.setSeverity(Severity.MAJOR), newDoc("openvul2", project2).setSansTop25(asList(SANS_TOP_25_RISKY_RESOURCE, SANS_TOP_25_POROUS_DEFENSES)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_REOPENED) .setSeverity(Severity.MINOR), newDoc("notopenvul", project1).setSansTop25(asList(SANS_TOP_25_RISKY_RESOURCE, SANS_TOP_25_POROUS_DEFENSES)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_CLOSED) .setResolution(Issue.RESOLUTION_FIXED) .setSeverity(Severity.BLOCKER), newDoc("notsansvul", project2).setSansTop25(singletonList(UNKNOWN_STANDARD)).setType(RuleType.VULNERABILITY).setStatus(Issue.STATUS_OPEN) .setSeverity(Severity.CRITICAL), newDoc("openhotspot1", project1).setSansTop25(asList(SANS_TOP_25_INSECURE_INTERACTION, SANS_TOP_25_RISKY_RESOURCE)).setType(RuleType.SECURITY_HOTSPOT) .setStatus(Issue.STATUS_OPEN),
doc.setLine(DatabaseUtils.getInt(rs, 3)); doc.setResolution(rs.getString(4)); doc.setSeverity(rs.getString(5)); doc.setStatus(rs.getString(6)); doc.setEffort(getLong(rs, 7));