• Home
• org.sonarsource.owasp
• sonar-zap-plugin
• 1.1.0
• source code
• ZapSensor.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.zaproxy.ZapSensor Maven / Gradle / Ivy

/*
 * ZAP Plugin for SonarQube
 * Copyright (C) 2015-2017 Gene Gotimer
 * [email protected]
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 3 of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 */
package org.sonar.zaproxy;

import java.io.IOException;
import java.io.InputStream;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.lang.StringUtils;
import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.batch.rule.Rules;
import org.sonar.api.batch.rule.Severity;
import org.sonar.api.batch.sensor.Sensor;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
import org.sonar.api.batch.sensor.issue.internal.DefaultIssueLocation;
import org.sonar.api.rule.RuleKey;
import org.sonar.api.scan.filesystem.PathResolver;
import org.sonar.api.utils.log.Logger;
import org.sonar.api.utils.log.Loggers;
import org.sonar.api.utils.log.Profiler;
import org.sonar.zaproxy.base.ZapMetrics;
import org.sonar.zaproxy.base.ZapUtils;
import org.sonar.zaproxy.parser.ReportParser;
import org.sonar.zaproxy.parser.XmlReportFile;
import org.sonar.zaproxy.parser.element.AlertItem;
import org.sonar.zaproxy.parser.element.Instance;
import org.sonar.zaproxy.parser.element.Site;
import org.sonar.zaproxy.parser.element.ZapReport;
import org.xml.sax.SAXException;

public class ZapSensor implements Sensor {

  private static final String SENSOR_NAME = "OWASP Zap-Check";
  private static final Logger LOGGER = Loggers.get(ZapSensor.class);

  private final Rules rules;
  private final XmlReportFile report;

  private int totalAlerts;
  private int criticalIssuesCount;
  private int majorIssuesCount;
  private int minorIssuesCount;
  private int infoIssuesCount;

  public ZapSensor(
      ZapSensorConfiguration configuration,
      FileSystem fileSystem,
      PathResolver pathResolver,
      Rules rules) {
    this.rules = rules;
    this.report = new XmlReportFile(configuration, fileSystem, pathResolver);
  }

  private void addIssue(org.sonar.api.batch.sensor.SensorContext context, AlertItem alert) {
    Severity severity = ZapUtils.riskCodeToSonarQubeSeverity(alert.getRiskcode());
    context.newIssue()
        .forRule(RuleKey.of(ZapPlugin.REPOSITORY_KEY, String.valueOf(alert.getPluginid())))
        .at(new DefaultIssueLocation().on(context.module()).message(formatDescription(alert)))
        .overrideSeverity(severity)
        .save();

    incrementCount(severity);
  }

  /**
   * todo: Add Markdown formatting if and when Sonar supports it https://jira.codehaus.org/browse/SONAR-4161
   */
  private String formatDescription(AlertItem alert) {
    StringBuilder sb = new StringBuilder();

    if (null == alert.getInstances() || alert.getInstances().size() == 0) {
      sb.append(addValueToDescription("URI", alert.getUri(), false));
      sb.append(addValueToDescription("Param", alert.getParam(), false));
      sb.append(addValueToDescription("Attack", alert.getAttack(), false));
      sb.append(addValueToDescription("Evidence", alert.getEvidence(), true));
      sb.append(addValueToDescription("Method", alert.getMethod(), false));
    } else {
      for (Instance instance : alert.getInstances()) {
        sb.append(addValueToDescription("URI", instance.getUri(), false));
        sb.append(addValueToDescription("Method", instance.getMethod(), false));
        sb.append(addValueToDescription("Param", instance.getParam(), false));
        sb.append(addValueToDescription("Attack", instance.getAttack(), false));
        sb.append(addValueToDescription("Evidence", instance.getEvidence(), false));
      }
    }

    sb.append(addValueToDescription("Confidence", String.valueOf(alert.getConfidence()), false));
    sb.append(addValueToDescription("Description", alert.getDesc(), false));

    return sb.toString();
  }

  private String addValueToDescription(String name, String value, boolean isEnd) {
    StringBuilder sb = new StringBuilder();
    if (!StringUtils.isBlank(value)) {
      sb.append(name).append(": ").append(value);
      if (!isEnd) {
        sb.append(" | ");
      }
    }
    return sb.toString();
  }

  private void incrementCount(Severity severity) {
    switch (severity) {
      case BLOCKER:
        // treat blockers the same as criticals
      case CRITICAL:
        this.criticalIssuesCount++;
        break;
      case MAJOR:
        this.majorIssuesCount++;
        break;
      case MINOR:
        this.minorIssuesCount++;
        break;
      case INFO:
        this.infoIssuesCount++;
        break;
    }
  }

  private void addIssues(org.sonar.api.batch.sensor.SensorContext context, ZapReport zapReport) {
    for (Site site : zapReport.getSites()) {
      if (site.getAlerts() == null) {
        return;
      }
      for (AlertItem alert : site.getAlerts()) {
        addIssue(context, alert);
      }
    }
  }

  private ZapReport parseZapReport()
      throws IOException, ParserConfigurationException, SAXException {
    InputStream stream = this.report.getInputStream();
    if (stream == null) {
      return null;
    }
    try {
      return new ReportParser().parse(stream);
    } finally {
      stream.close();
    }

  }

  @Override
  public void execute(org.sonar.api.batch.sensor.SensorContext context) {
    Profiler profiler = Profiler.create(LOGGER);
    profiler.startInfo("Process ZAP report");
    try {
      ZapReport zapReport = parseZapReport();
      if (zapReport != null) {

        //totalAlerts = zapReport.getSite().getAlerts().size();
        totalAlerts = zapReport.getIssueCount();
        addIssues(context, zapReport);
      }
    } catch (Exception e) {
      throw new RuntimeException(
          "Can not process ZAP report. Ensure the report are located within the project workspace and that sonar.sources is set to reflect these paths (or set sonar.sources=.)",
          e);
    } finally {
      profiler.stopInfo();
    }
    saveMeasures(context);
  }

  private void saveMeasures(SensorContext context) {
    context.newMeasure().forMetric(ZapMetrics.HIGH_RISK_ALERTS)
        .withValue((double) criticalIssuesCount);
    context.newMeasure().forMetric(ZapMetrics.MEDIUM_RISK_ALERTS)
        .withValue((double) majorIssuesCount);
    context.newMeasure().forMetric(ZapMetrics.LOW_RISK_ALERTS).withValue((double) minorIssuesCount);
    context.newMeasure().forMetric(ZapMetrics.INFO_RISK_ALERTS).withValue((double) infoIssuesCount);
    context.newMeasure().forMetric(ZapMetrics.TOTAL_ALERTS).withValue((double) totalAlerts);

    context.newMeasure().forMetric(ZapMetrics.IDENTIFIED_RISK_SCORE).withValue(
        ZapMetrics.inheritedRiskScore(criticalIssuesCount, majorIssuesCount, minorIssuesCount));
  }

  @Override
  public String toString() {
    return "OWASP Zed Attack Proxy";
  }

  @Override
  public void describe(SensorDescriptor sensorDescriptor) {
    sensorDescriptor.name(SENSOR_NAME);
  }
}