Add support for PCI DSS 3.2 and 4.0, and ASVS 4.0

sonar-csharp-plugin/src/test/java/org/sonar/plugins/csharp/CSharpSonarRulesDefinitionTest.java

@@ -42,7 +42,7 @@ public class CSharpSonarRulesDefinitionTest {
   private static final String SINGLE_PARAM_RULE_KEY = "S1200";
   private static final String MULTI_PARAM_RULE_KEY = "S110";
 
-  private static final SonarRuntime SONAR_RUNTIME = SonarRuntimeImpl.forSonarQube(Version.create(9, 3), SonarQubeSide.SCANNER, SonarEdition.COMMUNITY);
+  private static final SonarRuntime SONAR_RUNTIME = SonarRuntimeImpl.forSonarQube(Version.create(9, 9), SonarQubeSide.SCANNER, SonarEdition.COMMUNITY);
 
   @Test
   public void test() {
@@ -87,7 +87,13 @@ public void test_security_hotspot_has_correct_type_and_security_standards() {
 
     RulesDefinition.Rule rule = repository.rule(SECURITY_HOTSPOT_RULE_KEY);
     assertThat(rule.type()).isEqualTo(RuleType.SECURITY_HOTSPOT);
-    assertThat(rule.securityStandards()).containsExactlyInAnyOrder("cwe:502", "owaspTop10:a8", "owaspTop10-2021:a8");
+    assertThat(rule.securityStandards()).containsExactlyInAnyOrder(
+      "cwe:502",
+      "owaspAsvs-4.0:1.5.2",
+      "owaspAsvs-4.0:5.5.1",
+      "owaspAsvs-4.0:5.5.3",
+      "owaspTop10-2021:a8",
+      "owaspTop10:a8");
   }
 
   @Test
@@ -99,7 +105,19 @@ public void test_security_standards_with_vulnerability() {
 
     RulesDefinition.Rule rule = repository.rule(VULNERABILITY_RULE_KEY);
     assertThat(rule.type()).isEqualTo(RuleType.VULNERABILITY);
-    assertThat(rule.securityStandards()).containsExactlyInAnyOrder("cwe:326", "owaspTop10:a3", "owaspTop10:a6", "owaspTop10-2021:a2");
+    assertThat(rule.securityStandards()).containsExactlyInAnyOrder(
+      "cwe:326",
+      "owaspAsvs-4.0:2.8.3",
+      "owaspAsvs-4.0:6.2.3",
+      "owaspAsvs-4.0:6.2.4",
+      "owaspAsvs-4.0:6.2.5",
+      "owaspAsvs-4.0:6.2.6",
+      "owaspAsvs-4.0:6.2.7",
+      "owaspAsvs-4.0:9.1.2",
+      "owaspAsvs-4.0:9.1.3",
+      "owaspTop10-2021:a2",
+      "owaspTop10:a3",
+      "owaspTop10:a6");
   }
 
   @Test

sonar-dotnet-shared-library/src/main/java/org/sonarsource/dotnet/shared/plugins/AbstractRulesDefinition.java

@@ -50,13 +50,17 @@ public abstract class AbstractRulesDefinition implements RulesDefinition {
   private final String resourcesDirectory;
   private final String metadataSuffix;
   private final boolean isOwaspByVersionSupported;
+  private final boolean isAddPciDssSupported;
+  private final boolean isASVSSupported;
 
   protected AbstractRulesDefinition(String repositoryKey, String languageKey, SonarRuntime sonarRuntime, String resourcesDirectory, String metadataSuffix) {
     this.repositoryKey = repositoryKey;
     this.languageKey = languageKey;
     this.resourcesDirectory = resourcesDirectory;
     this.metadataSuffix = metadataSuffix;
     this.isOwaspByVersionSupported = sonarRuntime.getApiVersion().isGreaterThanOrEqual(Version.create(9, 3));
+    this.isAddPciDssSupported = sonarRuntime.getApiVersion().isGreaterThanOrEqual(Version.create(9, 5));
+    this.isASVSSupported = sonarRuntime.getApiVersion().isGreaterThanOrEqual(Version.create(9, 9));
   }
 
   @Override
@@ -106,9 +110,37 @@ private void addSecurityStandards(NewRule rule, SecurityStandards securityStanda
         rule.addOwaspTop10(RulesDefinition.OwaspTop10Version.Y2021, RulesDefinition.OwaspTop10.valueOf(s));
       }
     }
+
+    addPciDss(rule, securityStandards);
+    addASVS(rule, securityStandards);
+
     rule.addCwe(securityStandards.cwe);
   }
 
+  private void addPciDss(NewRule rule, SecurityStandards securityStandards) {
+    if (!isAddPciDssSupported) {
+      return;
+    }
+
+    if (securityStandards.pciDss3_2.length > 0){
+      rule.addPciDss(PciDssVersion.V3_2, securityStandards.pciDss3_2);
+    }
+
+    if (securityStandards.pciDss4_0.length > 0){
+      rule.addPciDss(PciDssVersion.V4_0, securityStandards.pciDss4_0);
+    }
+  }
+
+  private void addASVS(NewRule rule, SecurityStandards securityStandards){
+    if (!isASVSSupported) {
+      return;
+    }
+
+    if (securityStandards.asvs4_0.length > 0){
+      rule.addOwaspAsvs(OwaspAsvsVersion.V4_0, securityStandards.asvs4_0);
+    }
+  }
+
   private RuleMetadata loadMetadata(String id) {
     return GSON.fromJson(readResource(id + metadataSuffix + ".json"), RuleMetadata.class);
   }
@@ -179,5 +211,14 @@ private static class SecurityStandards {
 
     @SerializedName("OWASP")
     String[] owasp2017 = {};
+
+    @SerializedName("PCI DSS 3.2")
+    String[] pciDss3_2 = {};
+
+    @SerializedName("PCI DSS 4.0")
+    String[] pciDss4_0 = {};
+
+    @SerializedName("ASVS 4.0")
+    String[] asvs4_0 = {};
   }
 }

sonar-dotnet-shared-library/src/test/java/org/sonarsource/dotnet/shared/plugins/AbstractRulesDefinitionTest.java

@@ -20,6 +20,8 @@
 package org.sonarsource.dotnet.shared.plugins;
 
 import java.io.InputStream;
+import java.util.Set;
+
 import org.junit.Test;
 import org.sonar.api.SonarEdition;
 import org.sonar.api.SonarQubeSide;
@@ -33,6 +35,9 @@
 
 public class AbstractRulesDefinitionTest {
 
+  private static final String PCI_DSS_RULE_KEY = "S1115";
+  private static final String OWASP_ASVS_RULE_KEY = "S1116";
+
   @Test
   public void test() {
     SonarRuntime sonarRuntime = SonarRuntimeImpl.forSonarQube(Version.create(9, 3), SonarQubeSide.SCANNER, SonarEdition.COMMUNITY);
@@ -51,17 +56,27 @@ public void test() {
 
   @Test
   public void test_before_9_3() {
-    SonarRuntime sonarRuntime = SonarRuntimeImpl.forSonarQube(Version.create(9, 2), SonarQubeSide.SCANNER, SonarEdition.COMMUNITY);
-    AbstractRulesDefinition sut = new TestRulesDefinition(sonarRuntime);
-    RulesDefinition.Context context = new RulesDefinition.Context();
-    sut.define(context);
+    assertThat(getSecurityStandards(Version.create(9, 2), "S1111")).containsExactlyInAnyOrder("cwe:117", "cwe:532", "owaspTop10:a10", "owaspTop10:a3");
+  }
 
-    RulesDefinition.Repository repository = context.repository("test");
-    assertThat(repository).isNotNull();
+  @Test
+  public void test_security_standards_9_4_PCI_DSS_is_not_available() {
+    assertThat(getSecurityStandards(Version.create(9, 4), PCI_DSS_RULE_KEY)).containsExactlyInAnyOrder();
+  }
 
-    RulesDefinition.Rule rule = repository.rule("S1111");
-    assertThat(rule).isNotNull();
-    assertThat(rule.securityStandards()).containsExactlyInAnyOrder("cwe:117", "cwe:532", "owaspTop10:a10", "owaspTop10:a3");
+  @Test
+  public void test_security_standards_9_5_PCI_DSS_is_available() {
+    assertThat(getSecurityStandards(Version.create(9, 5), PCI_DSS_RULE_KEY)).containsExactlyInAnyOrder("pciDss-3.2:6.5.10", "pciDss-4.0:6.2.4");
+  }
+
+  @Test
+  public void test_security_standards_9_8_ASVS_is_not_available() {
+    assertThat(getSecurityStandards(Version.create(9, 8), OWASP_ASVS_RULE_KEY)).containsExactlyInAnyOrder();
+  }
+
+  @Test
+  public void test_security_standards_9_9_ASVS_is_available() {
+    assertThat(getSecurityStandards(Version.create(9, 9), OWASP_ASVS_RULE_KEY)).containsExactlyInAnyOrder("owaspAsvs-4.0:2.10.4", "owaspAsvs-4.0:3.5.2", "owaspAsvs-4.0:6.4.1");
   }
 
   @Test
@@ -77,7 +92,6 @@ public void test_remediation_is_set() {
     assertThat(repository.rule("S1112").debtRemediationFunction()).hasToString("DebtRemediationFunction{type=LINEAR, gap multiplier=10min, base effort=null}");
     assertThat(repository.rule("S1113").debtRemediationFunction()).hasToString("DebtRemediationFunction{type=LINEAR_OFFSET, gap multiplier=30min, base effort=4h}");
     assertThat(repository.rule("S1114").debtRemediationFunction()).isNull();
-
   }
 
   @Test
@@ -92,6 +106,20 @@ public void test_missing_resource_throws() {
       .withMessage("Resource does not exist: Rules.json");
   }
 
+  private static Set<String> getSecurityStandards(Version version, String ruleId) {
+    SonarRuntime sonarRuntime = SonarRuntimeImpl.forSonarQube(version, SonarQubeSide.SCANNER, SonarEdition.COMMUNITY);
+    AbstractRulesDefinition sut = new TestRulesDefinition(sonarRuntime);
+    RulesDefinition.Context context = new RulesDefinition.Context();
+    sut.define(context);
+
+    RulesDefinition.Repository repository = context.repository("test");
+    assertThat(repository).isNotNull();
+
+    RulesDefinition.Rule rule = repository.rule(ruleId);
+    assertThat(rule).isNotNull();
+    return rule.securityStandards();
+  }
+
   private static class TestRulesDefinition extends AbstractRulesDefinition {
     TestRulesDefinition(SonarRuntime runtime) {
       super("test", "test", runtime, "/AbstractRulesDefinitionTest/", "");

sonar-dotnet-shared-library/src/test/resources/AbstractRulesDefinitionTest/Rules.json

@@ -21,5 +21,13 @@
   {
     "id": "S1114",
     "parameters": [ ]
+  },
+  {
+    "id": "S1115",
+    "parameters": [ ]
+  },
+  {
+    "id": "S1116",
+    "parameters": [ ]
   }
 ]

sonar-dotnet-shared-library/src/test/resources/AbstractRulesDefinitionTest/S1115.html

@@ -0,0 +1,2 @@
+Lorem ipsum
+<b>HTML</b>. <br /><br /><br />End

sonar-dotnet-shared-library/src/test/resources/AbstractRulesDefinitionTest/S1115.json

@@ -0,0 +1,17 @@
+{
+  "title": "No remediation",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "tags": [ ],
+  "defaultSeverity": "Critical",
+  "ruleSpecification": "RSPEC-1115",
+  "scope": "Main",
+  "securityStandards": {
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ]
+  }
+}

sonar-dotnet-shared-library/src/test/resources/AbstractRulesDefinitionTest/S1116.html

@@ -0,0 +1,2 @@
+Lorem ipsum
+<b>HTML</b>. <br /><br /><br />End

sonar-dotnet-shared-library/src/test/resources/AbstractRulesDefinitionTest/S1116.json

@@ -0,0 +1,16 @@
+{
+  "title": "No remediation",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "tags": [ ],
+  "defaultSeverity": "Critical",
+  "ruleSpecification": "RSPEC-1116",
+  "scope": "Main",
+  "securityStandards": {
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  }
+}