added CWE Names

Former-commit-id: 60803fba6071a09ae03a18410c103a587f5fd61d
2026-01-14 07:43:40 +01:00 · 2013-01-14 22:14:45 -05:00
parent a7e95c2a4d
commit 5da83517a8
6 changed files with 176808 additions and 1 deletions
--- a/src/main/java/org/codesecure/dependencycheck/data/cwe/CweDB.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/cwe/CweDB.java
@@ -0,0 +1,56 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.codesecure.dependencycheck.data.cwe;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.util.HashMap;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class CweDB {
+
+    private CweDB() {
+        //empty contructor for utility class
+    }
+
+    private static final HashMap<String, String> cwe = loadData();
+
+    private static HashMap<String, String> loadData() {
+        ObjectInputStream oin = null;
+        try {
+            String filePath = "data/cwe.hashmap.serialized";
+            InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
+            oin = new ObjectInputStream(input);
+            @SuppressWarnings("unchecked")
+            HashMap<String,String> data = (HashMap<String,String>) oin.readObject();
+            return data;
+        } catch (ClassNotFoundException ex) {
+            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (IOException ex) {
+            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+        } finally {
+            try {
+                oin.close();
+            } catch (IOException ex) {
+                Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+            }
+        }
+        return null;
+    }
+
+    public static String getCweName(String cweId) {
+        if (cweId != null) {
+            return cwe.get(cweId);
+        }
+        return null;
+    }
+
+}
--- a/src/main/java/org/codesecure/dependencycheck/data/cwe/CweHandler.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/cwe/CweHandler.java
@@ -0,0 +1,55 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.codesecure.dependencycheck.data.cwe;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.codesecure.dependencycheck.dependency.VulnerableSoftware;
+import org.xml.sax.Attributes;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotSupportedException;
+import org.xml.sax.helpers.DefaultHandler;
+
+/**
+ * A SAX Handler that will parse the CWE XML.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class CweHandler extends DefaultHandler {
+
+    private HashMap<String,String> cwe = new HashMap<String,String>();
+
+    public HashMap<String,String> getCwe() {
+        return cwe;
+    }
+
+    @Override
+    public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
+
+        if ("Weakness".equals(qName) || "Category".equals(qName)) {
+            String id = "CWE-" + attributes.getValue("ID");
+            String name = attributes.getValue("Name");
+            cwe.put(id, name);
+        }
+    }
+}
--- a/src/main/java/org/codesecure/dependencycheck/data/nvdcve/CveDB.java
+++ b/src/main/java/org/codesecure/dependencycheck/data/nvdcve/CveDB.java
@@ -33,6 +33,7 @@ import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.codesecure.dependencycheck.data.cpe.Entry;
+import org.codesecure.dependencycheck.data.cwe.CweDB;
 import org.codesecure.dependencycheck.dependency.Reference;
 import org.codesecure.dependencycheck.dependency.Vulnerability;
 import org.codesecure.dependencycheck.dependency.VulnerableSoftware;
@@ -273,7 +274,14 @@ public class CveDB {
                vuln = new Vulnerability();
                vuln.setName(cve);
                vuln.setDescription(rsV.getString(2));
-                vuln.setCwe(rsV.getString(3));
+                String cwe = rsV.getString(3);
+                if (cwe != null) {
+                    String name = CweDB.getCweName(cwe);
+                    if (name != null) {
+                        cwe += " " + name;
+                    }
+                }
+                vuln.setCwe(cwe);
                vuln.setCvssScore(rsV.getFloat(4));
                vuln.setCvssAccessVector(rsV.getString(5));
                vuln.setCvssAccessComplexity(rsV.getString(6));
--- a/src/main/resources/data/cwe.hashmap.serialized
+++ b/src/main/resources/data/cwe.hashmap.serialized
--- a/src/test/java/org/codesecure/dependencycheck/data/cwe/CweDBTest.java
+++ b/src/test/java/org/codesecure/dependencycheck/data/cwe/CweDBTest.java
@@ -0,0 +1,78 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.codesecure.dependencycheck.data.cwe;
+
+import java.io.ObjectOutputStream;
+import java.io.FileOutputStream;
+import java.util.Map;
+import java.io.File;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class CweDBTest {
+
+    public CweDBTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() throws Exception {
+    }
+
+    @AfterClass
+    public static void tearDownClass() throws Exception {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Method to serlize the CWE HashMap. This is not used in
+     * production; this is only used once during dev to create
+     * the serialized hashmap.
+     */
+//    @Test
+//    public void testUpdate() throws Exception {
+//        SAXParserFactory factory = SAXParserFactory.newInstance();
+//        SAXParser saxParser = factory.newSAXParser();
+//
+//        CweHandler handler = new CweHandler();
+//        File file = new File(this.getClass().getClassLoader().getResource("cwe.2000.xml").getPath());
+//
+//        saxParser.parse(file, handler);
+//        System.out.println("Found " + handler.getCwe().size() + " cwe entries.");
+//        Map<String,String> cwe = handler.getCwe();
+//        FileOutputStream fout = new FileOutputStream("src/main/resources/data/cwe.hashmap.serialized");
+//        ObjectOutputStream objOut = new ObjectOutputStream(fout);
+//        objOut.writeObject(cwe);
+//        objOut.close();
+//    }
+
+    /**
+     * Test of getCweName method, of class CweDB.
+     */
+    @Test
+    public void testGetCweName() {
+        System.out.println("getCweName");
+        String cweId = "CWE-16";
+        String expResult = "Configuration";
+        String result = CweDB.getCweName(cweId);
+        assertEquals(expResult, result);
+    }
+}
--- a/src/test/resources/cwe.2000.xml
+++ b/src/test/resources/cwe.2000.xml