From 759ac1894c0d909878f7b1af3b693022bd154c2b Mon Sep 17 00:00:00 2001
From: DELBARRE Matheo
Date: Sat, 9 May 2026 03:58:25 +0200
Subject: [PATCH 1/5] remediate: fix SAST scanner mappings and add validation test
---
 scanner/sast/expectedIssues.csv | 65 +++++++++---------
 .../sast/ExpectedIssuesCSVTest.java | 67 +++++++++++++++++++
 2 files changed, 98 insertions(+), 34 deletions(-)
 create mode 100644 src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java
diff --git a/scanner/sast/expectedIssues.csv b/scanner/sast/expectedIssues.csv
index 63fa7f57c..2b15eba1e 100644
--- a/scanner/sast/expectedIssues.csv
+++ b/scanner/sast/expectedIssues.csv
@@ -1,36 +1,33 @@ CWE,Vulnerability Type,File,Line,Number of Sources -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java,56,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java,82,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,68,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,115,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,165,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,218,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,50,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,77,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,102,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,45,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,72,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,101,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/UrlParamBasedImgTagAttrInjection.java,60,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/UrlParamBasedImgTagAttrInjection.java,82,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,101,1 
-CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,119,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,141,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,165,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,196,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,226,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,257,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,276,1 -CWE-22,Path Traversal,src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java,65,12 -CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,66,6 -CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,214,1 -CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,244,1 -CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,46,5 -CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,51,5 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java,55,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java,79,1 +CWE-89,SQL 
Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,64,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,109,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,157,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,206,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,66,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,81,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,96,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,39,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,61,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,86,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,98,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,112,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,130,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,159,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,182,1 +CWE-79,Persistent 
XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,206,1 +CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,66,1 +CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,197,1 +CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,219,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,54,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,68,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,87,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,110,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,142,1 +CWE-22,Path Traversal,src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java,49,12 CWE-434,Unrestricted File Upload,src/main/java/org/sasanlabs/service/vulnerability/fileupload/UnrestrictedFileUpload.java,117,9 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,88,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,108,1 -CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,60,1 -CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,85,1 -CWE-330,Cryptographic 
Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,110,1 -CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,145,1 +CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,89,1 +CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,131,1 +CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,169,1 +CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,209,1 diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java new file mode 100644 index 000000000..34c934e17 --- /dev/null +++ b/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java 
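Review bot: Beyond the line-number remap, this hunk changes the ground truth itself: the Number of Sources for Http3xxStatusCodeBasedInjection.java:66 drops from 6 to 1, the CWE-330 row at CryptographicFailuresVulnerability.java is replaced by a second CWE-326 row, and both CWE-77 Command Injection rows are deleted outright (they only reappear in patch 3 of this series). If this file is what a SAST run is scored against, each of those lowers what the scanner has to find, so a detection regression would pass unnoticed, and the subject line "fix SAST scanner mappings" does not explain any of them. Either keep the old source counts and the CWE-330 classification, or state in the commit why the sink at line 66 now has a single taint source and why CWE-330 no longer applies. Squashing patch 3 into this one would also avoid an intermediate commit with no CWE-77 expectations at all.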
@@ -0,0 +1,67 @@ +package org.sasanlabs.service.vulnerability.sast; + +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.fail; + +import java.io.BufferedReader; +import java.io.File; +import java.io.FileReader; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.util.List; +import org.junit.jupiter.api.Test; + +/** + * Validates that all entries in scanner/sast/expectedIssues.csv point to existing files + * and valid line numbers. + * + * This ensures that SAST scanner mappings stay accurate as the codebase evolves. + */ +public class ExpectedIssuesCSVTest { + + private static final String CSV_PATH = "scanner/sast/expectedIssues.csv"; + + @Test + public void testExpectedIssuesCSV() throws IOException { + Path csvPath = Paths.get(CSV_PATH); + + if (!Files.exists(csvPath)) { + csvPath = Paths.get(System.getProperty("user.dir"), CSV_PATH); + } + + assertTrue(Files.exists(csvPath), "expectedIssues.csv not found at " + csvPath.toAbsolutePath()); + + try (BufferedReader br = new BufferedReader(new FileReader(csvPath.toFile()))) { + String line; + int csvLineNumber = 0; + while ((line = br.readLine()) != null) { + csvLineNumber++; + if (csvLineNumber == 1) continue; // Skip header + if (line.trim().isEmpty()) continue; + + String[] parts = line.split(","); + if (parts.length < 4) { + fail("Malformed line at CSV line " + csvLineNumber + ": " + line); + } + + String filePath = parts[2]; + int targetLine; + try { + targetLine = Integer.parseInt(parts[3]); + } catch (NumberFormatException e) { + fail("Invalid line number at CSV line " + csvLineNumber + ": " + parts[3]); + return; + } + + File file = new File(filePath); + assertTrue(file.exists(), "Source file not found: " + filePath + " (referenced at CSV line " + csvLineNumber + ")"); + + List fileLines = Files.readAllLines(file.toPath()); + assertTrue(targetLine > 0 && targetLine <= 
fileLines.size(), + "Target line " + targetLine + " out of bounds for file " + filePath + " (file has " + fileLines.size() + " lines, referenced at CSV line " + csvLineNumber + ")"); + } + } + } +} From 29b04d76fe704b350d1bd337f0a34820449192d3 Mon Sep 17 00:00:00 2001 From: DELBARRE Matheo Date: Sat, 9 May 2026 04:00:22 +0200 Subject: [PATCH 2/5] style: fix formatting for ExpectedIssuesCSVTest --- .../sast/ExpectedIssuesCSVTest.java | 37 ++++++++++++++----- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java index 34c934e17..fc090d6d6 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java @@ -14,10 +14,10 @@ import org.junit.jupiter.api.Test; /** - * Validates that all entries in scanner/sast/expectedIssues.csv point to existing files - * and valid line numbers. - * - * This ensures that SAST scanner mappings stay accurate as the codebase evolves. + * Validates that all entries in scanner/sast/expectedIssues.csv point to existing files and valid + * line numbers. + * + *
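Review bot: The new test only checks that each CSV row names an existing file and an in-range line number, which does not catch the failure mode this series is fixing — a mapping that drifted to a different but still valid line. At minimum assert that the referenced line is not blank or comment-only, e.g. `String target = fileLines.get(targetLine - 1).trim();` followed by `assertTrue(!target.isEmpty() && !target.startsWith("//") && !target.startsWith("*"), "Line " + targetLine + " of " + filePath + " is blank or a comment (CSV line " + csvLineNumber + ")");`, and validate the CWE column against `CWE-\d+` and the source count as a positive integer so malformed rows fail here rather than in the scanner harness. Two smaller points: `new FileReader(csvPath.toFile())` uses the platform charset, where `Files.newBufferedReader(csvPath)` is UTF-8 and drops the `toFile()` round-trip, and the `user.dir` fallback is a no-op because a relative `Path` already resolves against the working directory — resolving `filePath` against the directory the CSV was found in would be the meaningful fix. `List fileLines` is also a raw type unless the `<String>` was lost in rendering.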

This ensures that SAST scanner mappings stay accurate as the codebase evolves. */ public class ExpectedIssuesCSVTest { @@ -26,12 +26,14 @@ public class ExpectedIssuesCSVTest { @Test public void testExpectedIssuesCSV() throws IOException { Path csvPath = Paths.get(CSV_PATH); - + if (!Files.exists(csvPath)) { csvPath = Paths.get(System.getProperty("user.dir"), CSV_PATH); } - - assertTrue(Files.exists(csvPath), "expectedIssues.csv not found at " + csvPath.toAbsolutePath()); + + assertTrue( + Files.exists(csvPath), + "expectedIssues.csv not found at " + csvPath.toAbsolutePath()); try (BufferedReader br = new BufferedReader(new FileReader(csvPath.toFile()))) { String line; @@ -56,11 +58,26 @@ public void testExpectedIssuesCSV() throws IOException { } File file = new File(filePath); - assertTrue(file.exists(), "Source file not found: " + filePath + " (referenced at CSV line " + csvLineNumber + ")"); + assertTrue( + file.exists(), + "Source file not found: " + + filePath + + " (referenced at CSV line " + + csvLineNumber + + ")"); List fileLines = Files.readAllLines(file.toPath()); - assertTrue(targetLine > 0 && targetLine <= fileLines.size(), - "Target line " + targetLine + " out of bounds for file " + filePath + " (file has " + fileLines.size() + " lines, referenced at CSV line " + csvLineNumber + ")"); + assertTrue( + targetLine > 0 && targetLine <= fileLines.size(), + "Target line " + + targetLine + + " out of bounds for file " + + filePath + + " (file has " + + fileLines.size() + + " lines, referenced at CSV line " + + csvLineNumber + + ")"); } } } From 838bfc1f197fe6bd02613c628a2f27a1505df557 Mon Sep 17 00:00:00 2001 From: DELBARRE Matheo Date: Sat, 9 May 2026 04:04:06 +0200 Subject: [PATCH 3/5] remediate: add missing mappings for Command Injection, SSRF, XXE, and LDAP --- scanner/sast/expectedIssues.csv | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scanner/sast/expectedIssues.csv b/scanner/sast/expectedIssues.csv index 2b15eba1e..8f1594aa6 100644 
--- a/scanner/sast/expectedIssues.csv
+++ b/scanner/sast/expectedIssues.csv
@@ -31,3 +31,10 @@ CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability
 CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,131,1
 CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,169,1
 CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,209,1
+CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,45,1
+CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,50,1
+CWE-918,SSRF,src/main/java/org/sasanlabs/service/vulnerability/ssrf/SSRFVulnerability.java,82,1
+CWE-611,XXE,src/main/java/org/sasanlabs/service/vulnerability/xxe/XXEVulnerability.java,75,1
+CWE-611,XXE,src/main/java/org/sasanlabs/service/vulnerability/xxe/XXEVulnerability.java,108,1
+CWE-90,LDAP Injection,src/main/java/org/sasanlabs/service/vulnerability/ldapInjection/LDAPInjectionVulnerability.java,40,1
+CWE-90,LDAP Injection,src/main/java/org/sasanlabs/service/vulnerability/ldapInjection/LDAPInjectionVulnerability.java,68,1
From 1be83b75b034bf634cf778c3737040ec59b44857 Mon Sep 17 00:00:00 2001
From: DELBARRE Matheo
Date: Sat, 9 May 2026 04:29:12 +0200
Subject: [PATCH 4/5] fix: expectedIssues.csv
---
 scanner/sast/expectedIssues.csv | 80 ++++-----
 .../sast/ExpectedIssuesCSVTest.java | 168 +++++++++---------
 2 files changed, 124 insertions(+), 124 deletions(-)
diff --git a/scanner/sast/expectedIssues.csv b/scanner/sast/expectedIssues.csv
index 8f1594aa6..dd77f8c50 100644
--- a/scanner/sast/expectedIssues.csv
+++ b/scanner/sast/expectedIssues.csv
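Review bot: The two CommandInjection.java rows come back with Number of Sources 1, whereas the rows removed in patch 1 (lines 46 and 51) carried 5; the lines shifted by exactly one, so this reads as the same two sinks with the expected taint-source count cut rather than a remap. If 5 was right before, restore it so the benchmark stays as strict as it was; if the sinks genuinely have a single source now, say so in the commit. The SSRF, XXE and LDAP rows add coverage, which is welcome, but nothing in the series shows a scanner actually reporting at those lines — worth confirming with a run before they become expected results, since an expectation the scanner never meets is just a permanent failure.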
@@ -1,40 +1,40 @@ -CWE,Vulnerability Type,File,Line,Number of Sources -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java,55,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java,79,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,64,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,109,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,157,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,206,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,66,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,81,1 -CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,96,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,39,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,61,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,86,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,98,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,112,1 -CWE-79,Persistent 
XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,130,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,159,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,182,1 -CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,206,1 -CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,66,1 -CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,197,1 -CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,219,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,54,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,68,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,87,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,110,1 -CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,142,1 -CWE-22,Path Traversal,src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java,49,12 -CWE-434,Unrestricted File Upload,src/main/java/org/sasanlabs/service/vulnerability/fileupload/UnrestrictedFileUpload.java,117,9 -CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,89,1 -CWE-327,Cryptographic 
Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,131,1 -CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,169,1 -CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,209,1 -CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,45,1 -CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,50,1 -CWE-918,SSRF,src/main/java/org/sasanlabs/service/vulnerability/ssrf/SSRFVulnerability.java,82,1 -CWE-611,XXE,src/main/java/org/sasanlabs/service/vulnerability/xxe/XXEVulnerability.java,75,1 -CWE-611,XXE,src/main/java/org/sasanlabs/service/vulnerability/xxe/XXEVulnerability.java,108,1 -CWE-90,LDAP Injection,src/main/java/org/sasanlabs/service/vulnerability/ldapInjection/LDAPInjectionVulnerability.java,40,1 -CWE-90,LDAP Injection,src/main/java/org/sasanlabs/service/vulnerability/ldapInjection/LDAPInjectionVulnerability.java,68,1 +CWE,Vulnerability Type,File,Line,Number of Sources +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java,55,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java,79,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,64,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,109,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,157,1 +CWE-89,SQL 
Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java,206,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,66,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,81,1 +CWE-89,SQL Injection,src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java,96,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,39,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,61,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,86,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,98,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,112,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,130,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,159,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,182,1 +CWE-79,Persistent XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/PersistentXSSInHTMLTagVulnerability.java,206,1 +CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,66,1 +CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,197,1 +CWE-601,Open 
Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java,219,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,54,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,68,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,87,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,110,1 +CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java,142,1 +CWE-22,Path Traversal,src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java,49,12 +CWE-434,Unrestricted File Upload,src/main/java/org/sasanlabs/service/vulnerability/fileupload/UnrestrictedFileUpload.java,117,9 +CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,89,1 +CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,131,1 +CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,169,1 +CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,209,1 +CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,45,1 +CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,50,1 +CWE-918,SSRF,src/main/java/org/sasanlabs/service/vulnerability/ssrf/SSRFVulnerability.java,82,1 +CWE-611,XXE,src/main/java/org/sasanlabs/service/vulnerability/xxe/XXEVulnerability.java,75,1 
+CWE-611,XXE,src/main/java/org/sasanlabs/service/vulnerability/xxe/XXEVulnerability.java,108,1 +CWE-90,LDAP Injection,src/main/java/org/sasanlabs/service/vulnerability/ldapInjection/LDAPInjectionVulnerability.java,40,1 +CWE-90,LDAP Injection,src/main/java/org/sasanlabs/service/vulnerability/ldapInjection/LDAPInjectionVulnerability.java,68,1 diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java index fc090d6d6..189983894 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java @@ -1,84 +1,84 @@ -package org.sasanlabs.service.vulnerability.sast; - -import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.junit.jupiter.api.Assertions.fail; - -import java.io.BufferedReader; -import java.io.File; -import java.io.FileReader; -import java.io.IOException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.util.List; -import org.junit.jupiter.api.Test; - -/** - * Validates that all entries in scanner/sast/expectedIssues.csv point to existing files and valid - * line numbers. - * - *

This ensures that SAST scanner mappings stay accurate as the codebase evolves. - */ -public class ExpectedIssuesCSVTest { - - private static final String CSV_PATH = "scanner/sast/expectedIssues.csv"; - - @Test - public void testExpectedIssuesCSV() throws IOException { - Path csvPath = Paths.get(CSV_PATH); - - if (!Files.exists(csvPath)) { - csvPath = Paths.get(System.getProperty("user.dir"), CSV_PATH); - } - - assertTrue( - Files.exists(csvPath), - "expectedIssues.csv not found at " + csvPath.toAbsolutePath()); - - try (BufferedReader br = new BufferedReader(new FileReader(csvPath.toFile()))) { - String line; - int csvLineNumber = 0; - while ((line = br.readLine()) != null) { - csvLineNumber++; - if (csvLineNumber == 1) continue; // Skip header - if (line.trim().isEmpty()) continue; - - String[] parts = line.split(","); - if (parts.length < 4) { - fail("Malformed line at CSV line " + csvLineNumber + ": " + line); - } - - String filePath = parts[2]; - int targetLine; - try { - targetLine = Integer.parseInt(parts[3]); - } catch (NumberFormatException e) { - fail("Invalid line number at CSV line " + csvLineNumber + ": " + parts[3]); - return; - } - - File file = new File(filePath); - assertTrue( - file.exists(), - "Source file not found: " - + filePath - + " (referenced at CSV line " - + csvLineNumber - + ")"); - - List fileLines = Files.readAllLines(file.toPath()); - assertTrue( - targetLine > 0 && targetLine <= fileLines.size(), - "Target line " - + targetLine - + " out of bounds for file " - + filePath - + " (file has " - + fileLines.size() - + " lines, referenced at CSV line " - + csvLineNumber - + ")"); - } - } - } -} +package org.sasanlabs.service.vulnerability.sast; + +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.fail; + +import java.io.BufferedReader; +import java.io.File; +import java.io.FileReader; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import 
java.nio.file.Paths; +import java.util.List; +import org.junit.jupiter.api.Test; + +/** + * Validates that all entries in scanner/sast/expectedIssues.csv point to existing files and valid + * line numbers. + * + *

This ensures that SAST scanner mappings stay accurate as the codebase evolves. + */ +public class ExpectedIssuesCSVTest { + + private static final String CSV_PATH = "scanner/sast/expectedIssues.csv"; + + @Test + public void testExpectedIssuesCSV() throws IOException { + Path csvPath = Paths.get(CSV_PATH); + + if (!Files.exists(csvPath)) { + csvPath = Paths.get(System.getProperty("user.dir"), CSV_PATH); + } + + assertTrue( + Files.exists(csvPath), + "expectedIssues.csv not found at " + csvPath.toAbsolutePath()); + + try (BufferedReader br = new BufferedReader(new FileReader(csvPath.toFile()))) { + String line; + int csvLineNumber = 0; + while ((line = br.readLine()) != null) { + csvLineNumber++; + if (csvLineNumber == 1) continue; + if (line.trim().isEmpty()) continue; + + String[] parts = line.split(","); + if (parts.length < 4) { + fail("Malformed line at CSV line " + csvLineNumber + ": " + line); + } + + String filePath = parts[2]; + int targetLine; + try { + targetLine = Integer.parseInt(parts[3]); + } catch (NumberFormatException e) { + fail("Invalid line number at CSV line " + csvLineNumber + ": " + parts[3]); + return; + } + + File file = new File(filePath); + assertTrue( + file.exists(), + "Source file not found: " + + filePath + + " (referenced at CSV line " + + csvLineNumber + + ")"); + + List fileLines = Files.readAllLines(file.toPath()); + assertTrue( + targetLine > 0 && targetLine <= fileLines.size(), + "Target line " + + targetLine + + " out of bounds for file " + + filePath + + " (file has " + + fileLines.size() + + " lines, referenced at CSV line " + + csvLineNumber + + ")"); + } + } + } +} From 023183c7ceb23f789ab1c044697e2754769677e1 Mon Sep 17 00:00:00 2001 From: Matheo Delbarre Date: Sat, 9 May 2026 04:31:08 +0200 Subject: [PATCH 5/5] fix: spotless checker --- .../sast/ExpectedIssuesCSVTest.java | 168 +++++++++--------- 1 file changed, 84 insertions(+), 84 deletions(-) 
diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java
index 189983894..0adcb3469 100644
--- a/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java
+++ b/src/test/java/org/sasanlabs/service/vulnerability/sast/ExpectedIssuesCSVTest.java
@@ -1,84 +1,84 @@
-package org.sasanlabs.service.vulnerability.sast;
-
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.List;
-import org.junit.jupiter.api.Test;
-
-/**
- * Validates that all entries in scanner/sast/expectedIssues.csv point to existing files and valid
- * line numbers.
- *
- *

This ensures that SAST scanner mappings stay accurate as the codebase evolves.
- */
-public class ExpectedIssuesCSVTest {
-
- private static final String CSV_PATH = "scanner/sast/expectedIssues.csv";
-
- @Test
- public void testExpectedIssuesCSV() throws IOException {
- Path csvPath = Paths.get(CSV_PATH);
-
- if (!Files.exists(csvPath)) {
- csvPath = Paths.get(System.getProperty("user.dir"), CSV_PATH);
- }
-
- assertTrue(
- Files.exists(csvPath),
- "expectedIssues.csv not found at " + csvPath.toAbsolutePath());
-
- try (BufferedReader br = new BufferedReader(new FileReader(csvPath.toFile()))) {
- String line;
- int csvLineNumber = 0;
- while ((line = br.readLine()) != null) {
- csvLineNumber++;
- if (csvLineNumber == 1) continue;
- if (line.trim().isEmpty()) continue;
-
- String[] parts = line.split(",");
- if (parts.length < 4) {
- fail("Malformed line at CSV line " + csvLineNumber + ": " + line);
- }
-
- String filePath = parts[2];
- int targetLine;
- try {
- targetLine = Integer.parseInt(parts[3]);
- } catch (NumberFormatException e) {
- fail("Invalid line number at CSV line " + csvLineNumber + ": " + parts[3]);
- return;
- }
-
- File file = new File(filePath);
- assertTrue(
- file.exists(),
- "Source file not found: "
- + filePath
- + " (referenced at CSV line "
- + csvLineNumber
- + ")");
-
- List fileLines = Files.readAllLines(file.toPath());
- assertTrue(
- targetLine > 0 && targetLine <= fileLines.size(),
- "Target line "
- + targetLine
- + " out of bounds for file "
- + filePath
- + " (file has "
- + fileLines.size()
- + " lines, referenced at CSV line "
- + csvLineNumber
- + ")");
- }
- }
- }
-}
+package org.sasanlabs.service.vulnerability.sast;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.List;
+import org.junit.jupiter.api.Test;
+
+/**
+ * Validates that all entries in scanner/sast/expectedIssues.csv point to existing files and valid
+ * line numbers.
+ *
+ *

This ensures that SAST scanner mappings stay accurate as the codebase evolves.
+ */
+public class ExpectedIssuesCSVTest {
+
+ private static final String CSV_PATH = "scanner/sast/expectedIssues.csv";
+
+ @Test
+ public void testExpectedIssuesCSV() throws IOException {
+ Path csvPath = Paths.get(CSV_PATH);
+
+ if (!Files.exists(csvPath)) {
+ csvPath = Paths.get(System.getProperty("user.dir"), CSV_PATH);
+ }
+
+ assertTrue(
+ Files.exists(csvPath),
+ "expectedIssues.csv not found at " + csvPath.toAbsolutePath());
+
+ try (BufferedReader br = new BufferedReader(new FileReader(csvPath.toFile()))) {
+ String line;
+ int csvLineNumber = 0;
+ while ((line = br.readLine()) != null) {
+ csvLineNumber++;
+ if (csvLineNumber == 1) continue;
+ if (line.trim().isEmpty()) continue;
+
+ String[] parts = line.split(",");
+ if (parts.length < 4) {
+ fail("Malformed line at CSV line " + csvLineNumber + ": " + line);
+ }
+
+ String filePath = parts[2];
+ int targetLine;
+ try {
+ targetLine = Integer.parseInt(parts[3]);
+ } catch (NumberFormatException e) {
+ fail("Invalid line number at CSV line " + csvLineNumber + ": " + parts[3]);
+ return;
+ }
+
+ File file = new File(filePath);
+ assertTrue(
+ file.exists(),
+ "Source file not found: "
+ + filePath
+ + " (referenced at CSV line "
+ + csvLineNumber
+ + ")");
+
+ List fileLines = Files.readAllLines(file.toPath());
+ assertTrue(
+ targetLine > 0 && targetLine <= fileLines.size(),
+ "Target line "
+ + targetLine
+ + " out of bounds for file "
+ + filePath
+ + " (file has "
+ + fileLines.size()
+ + " lines, referenced at CSV line "
+ + csvLineNumber
+ + ")");
+ }
+ }
+ }
+}