diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
index fd38ccbf..b5a5c947 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/Reader.java
@@ -31,6 +31,7 @@
 import org.owasp.benchmarkutils.score.parsers.csv.SemgrepCSVReader;
 import org.owasp.benchmarkutils.score.parsers.csv.WhiteHatDynamicReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.BanditReader;
+import org.owasp.benchmarkutils.score.parsers.sarif.CogniumReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.ContrastScanReader;
 import org.owasp.benchmarkutils.score.parsers.sarif.DatadogSastReader;
@@ -67,6 +68,7 @@ public static List allReaders() {
 new CheckmarxIASTReader(),
 new CheckmarxReader(),
 new CodeQLReader(),
+ new CogniumReader(),
 new ContrastAssessReader(),
 new ContrastScanReader(),
 new CoverityReader(),
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CogniumReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CogniumReader.java
new file mode 100644
index 00000000..accbbe59
--- /dev/null
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CogniumReader.java
@@ -0,0 +1,59 @@
+/**
+ * OWASP Benchmark Project
+ *
+ *
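Review bot: The new import in the first hunk is placed above `CodeQLReader` although it sorts after it (`Cod` < `Cog`), so the import block is no longer alphabetical; move the line one down, below `import org.owasp.benchmarkutils.score.parsers.sarif.CodeQLReader;`. The `new CogniumReader(),` entry in the `allReaders()` hunk is already in the correct position. If the build runs a formatter such as google-java-format or spotless, it would probably flag or reorder this anyway.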

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details
+ *
+ * @author Cognium Labs
+ * @created 2026
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.json.JSONObject;
+import org.owasp.benchmarkutils.score.CweNumber;
+
+/**
+ * Reader for Cognium SARIF results generated via:
+ *
+ *

cognium scan <path> --format sarif --output results.sarif
+ *
+ *

Cognium embeds the CWE in each result's {@code properties.cwe} field (e.g. {@code "CWE-79"})
+ * rather than in the rules section, so CWE resolution uses a static ruleId-to-CWE mapping.
+ * Non-security findings (reliability, performance, etc.) have no entry in the map and are silently
+ * skipped by the base class.
+ */
+public class CogniumReader extends SarifReader {
+
+ public CogniumReader() {
+ super("cognium", false, CweSourceType.CUSTOM);
+ }
+
+ @Override
+ public Map customRuleCweMappings(JSONObject tool) {
+ Map mappings = new HashMap<>();
+ mappings.put("sql_injection", CweNumber.SQL_INJECTION);
+ mappings.put("command_injection", CweNumber.COMMAND_INJECTION);
+ mappings.put("path_traversal", CweNumber.PATH_TRAVERSAL);
+ mappings.put("xss", CweNumber.XSS);
+ mappings.put("ldap_injection", CweNumber.LDAP_INJECTION);
+ mappings.put("xpath_injection", CweNumber.XPATH_INJECTION);
+ mappings.put("weak_random", CweNumber.WEAK_RANDOM);
+ mappings.put("weak_hash", CweNumber.WEAK_HASH_ALGO);
+ mappings.put("weak_crypto", CweNumber.WEAK_CRYPTO_ALGO);
+ mappings.put("insecure_cookie", CweNumber.INSECURE_COOKIE);
+ mappings.put("trust_boundary", CweNumber.TRUST_BOUNDARY_VIOLATION);
+ mappings.put("xxe", CweNumber.XXE);
+ mappings.put("deserialization", CweNumber.INSECURE_DESERIALIZATION);
+ return mappings;
+ }
+}
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CogniumReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CogniumReaderTest.java
new file mode 100644
index 00000000..ec1b626c
--- /dev/null
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CogniumReaderTest.java
@@ -0,0 +1,62 @@
+/**
+ * OWASP Benchmark Project
+ *
+ *
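Review bot: `customRuleCweMappings` resolves the CWE from a hand-maintained ruleId table and never consults the `properties.cwe` value that the class Javadoc says Cognium writes on every result, so a result whose ruleId is missing from the table (a newly added or renamed rule) is dropped although its CWE is present in the SARIF, and a table entry that disagrees with `properties.cwe` wins silently. If `SarifReader` offers a CWE source that reads result properties, that would be the more robust choice with this table as a fallback; if it does not, the Javadoc's "so CWE resolution uses a static ruleId-to-CWE mapping" reads as a non sequitur and should state the actual reason, e.g. `* rather than in the rules section; because this reader only consults the rules, it maps ruleId to CWE statically and ignores properties.cwe.` The statement that unmapped findings are "silently skipped by the base class" describes inherited behavior not visible in this hunk; it is worth confirming against `SarifReader` and pinning with a test.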

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see https://owasp.org/www-project-benchmark/.
+ *
+ *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author Cognium Labs
+ * @created 2026
+ */
+package org.owasp.benchmarkutils.score.parsers.sarif;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.benchmarkutils.score.BenchmarkScore;
+import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestHelper;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
+import org.owasp.benchmarkutils.score.parsers.ReaderTestBase;
+
+public class CogniumReaderTest extends ReaderTestBase {
+
+ private ResultFile resultFile;
+
+ @BeforeEach
+ void setUp() {
+ resultFile = TestHelper.resultFileOf("testfiles/Benchmark_Cognium.sarif");
+ BenchmarkScore.TESTCASENAME = "BenchmarkTest";
+ }
+
+ @Test
+ public void onlyCogniumReaderReportsCanReadAsTrue() {
+ assertOnlyMatcherClassIs(this.resultFile, CogniumReader.class);
+ }
+
+ @Test
+ void readerHandlesGivenResultFile() throws Exception {
+ CogniumReader reader = new CogniumReader();
+ TestSuiteResults result = reader.parse(resultFile);
+
+ assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
+ assertFalse(result.isCommercial());
+ assertEquals("cognium", result.getToolName());
+ assertEquals("1.4.2", result.getToolVersion());
+
+ assertEquals(2, result.getTotalResults());
+
+ assertEquals(CweNumber.XSS, result.get(1).get(0).getCWE());
+ assertEquals(CweNumber.SQL_INJECTION, result.get(2).get(0).getCWE());
+ }
+}
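Review bot: `readerHandlesGivenResultFile` only covers two results whose ruleIds are both in the static table, so the behavior the reader's Javadoc documents — unmapped, non-security findings are skipped — is untested, and a regression that turns a missing entry into an exception or an unknown-CWE result would go unnoticed. Add a third result with a ruleId outside the table (a constructed value such as `"ruleId": "unused_variable"`) to `Benchmark_Cognium.sarif` and keep `assertEquals(2, result.getTotalResults());`. `BenchmarkScore.TESTCASENAME` is static state assigned in `setUp` and never restored; if other reader tests depend on a different value this can leak between classes, so an `@AfterEach` reset or a shared fixture in `ReaderTestBase` would be safer. Minor: one test method is `public void` and the other package-private `void`; pick one.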
diff --git a/plugin/src/test/resources/testfiles/Benchmark_Cognium.sarif b/plugin/src/test/resources/testfiles/Benchmark_Cognium.sarif
new file mode 100644
index 00000000..28ab9302
--- /dev/null
+++ b/plugin/src/test/resources/testfiles/Benchmark_Cognium.sarif
@@ -0,0 +1,61 @@
+{
+ "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+ "version": "2.1.0",
+ "runs": [
+ {
+ "tool": {
+ "driver": {
+ "name": "cognium",
+ "version": "1.4.2",
+ "informationUri": "https://cognium.dev",
+ "rules": [
+ {
+ "id": "xss",
+ "name": "xss",
+ "shortDescription": { "text": "xss" },
+ "defaultConfiguration": { "level": "error" },
+ "properties": { "security-severity": "7.0" }
+ },
+ {
+ "id": "sql_injection",
+ "name": "sql_injection",
+ "shortDescription": { "text": "sql_injection" },
+ "defaultConfiguration": { "level": "error" },
+ "properties": { "security-severity": "9.0" }
+ }
+ ]
+ }
+ },
+ "results": [
+ {
+ "ruleId": "xss",
+ "level": "error",
+ "message": { "text": "xss vulnerability: tainted data flows from line 41 to line 86" },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": { "uri": "BenchmarkTest00001.java" },
+ "region": { "startLine": 86 }
+ }
+ }
+ ],
+ "properties": { "cwe": "CWE-79", "severity": "high" }
+ },
+ {
+ "ruleId": "sql_injection",
+ "level": "error",
+ "message": { "text": "sql_injection vulnerability: tainted data flows from line 38 to line 55" },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": { "uri": "BenchmarkTest00002.java" },
+ "region": { "startLine": 55 }
+ }
+ }
+ ],
+ "properties": { "cwe": "CWE-89", "severity": "critical" }
+ }
+ ]
+ }
+ ]
+}