diff --git a/pom.xml b/pom.xml index db93fa0da9..a036d85202 100644 --- a/pom.xml +++ b/pom.xml @@ -868,6 +868,19 @@ jackson-databind 2.21.2 + + + org.junit.jupiter + junit-jupiter-api + 5.12.2 + test + + + org.junit.jupiter + junit-jupiter-params + 5.12.2 + test + diff --git a/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java b/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java index c9fb1459f9..8eb6f438de 100644 --- a/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java +++ b/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java @@ -35,16 +35,19 @@ public class SonarReport { private static final ObjectMapper objectMapper = new ObjectMapper(); public static void main(String[] args) throws Exception { - String allJavaRules = String.join(",", allJavaRules()); + Set allJavaRules = allJavaRules(); List issues = new ArrayList<>(); List hotspots = new ArrayList<>(); - forAllPagesAt( - "issues/search?componentKeys=" - + SONAR_PROJECT - + "&types=VULNERABILITY&&rules=" - + allJavaRules, - (result -> issues.addAll(result.issues))); + for (String rule : allJavaRules) { + forAllPagesAt( + "issues/search?componentKeys=" + + SONAR_PROJECT + + "&types=VULNERABILITY&rules=" + + rule, + (result -> issues.addAll(result.issues))); + } + forAllPagesAt( "hotspots/search?projectKey=" + SONAR_PROJECT, (result -> hotspots.addAll(result.hotspots))); @@ -91,7 +94,9 @@ private static void forAllPagesAt(String apiPath, Consumer page objectMapper.readValue( apiCall(apiPath + pagingSuffix(page, apiPath)), SonarQubeResult.class); - pages = (result.paging.resultCount / PAGE_SIZE) + 1; + pages = + (result.paging.resultCount / PAGE_SIZE) + + (result.paging.resultCount % PAGE_SIZE == 0 ? 0 : 1); pageHandlerCallback.accept(result); @@ -110,6 +115,11 @@ private static String apiCall(String apiPath) throws IOException { connection.setDoOutput(true); connection.setRequestProperty("Authorization", "Basic " + sonarAuth); + int status = connection.getResponseCode(); + if (status != 200) { + throw new IOException("SonarQube API returned HTTP " + status + " for " + apiPath); + } + return join("\n", readLines(connection.getInputStream(), defaultCharset())); } diff --git a/src/test/java/org/owasp/benchmark/report/sonarqube/SonarReportTest.java b/src/test/java/org/owasp/benchmark/report/sonarqube/SonarReportTest.java new file mode 100644 index 0000000000..6ba26343c2 --- /dev/null +++ b/src/test/java/org/owasp/benchmark/report/sonarqube/SonarReportTest.java @@ -0,0 +1,95 @@ +/** + * OWASP Benchmark Project + * + *

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + */ +package org.owasp.benchmark.report.sonarqube; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; + +import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.CsvSource; + +public class SonarReportTest { + + private static final int PAGE_SIZE = 500; + + /** + * Replicates the fixed paging formula from SonarReport.forAllPagesAt(). The old formula was + * {@code (resultCount / PAGE_SIZE) + 1}, which over-counts by 1 when resultCount is an exact + * multiple of PAGE_SIZE. + */ + private static int calculatePages(int resultCount) { + return (resultCount / PAGE_SIZE) + (resultCount % PAGE_SIZE == 0 ? 0 : 1); + } + + @ParameterizedTest(name = "resultCount={0} => pages={1}") + @CsvSource({ + "0, 0", + "1, 1", + "499, 1", + "500, 1", + "501, 2", + "999, 2", + "1000, 2", + "1001, 3", + "10000, 20", + "10001, 21" + }) + void pageCalculationProducesCorrectCeiling(int resultCount, int expectedPages) { + assertEquals( + expectedPages, + calculatePages(resultCount), + "Paging for " + resultCount + " results at page size " + PAGE_SIZE); + } + + @Test + void oldFormulaOvercountsOnExactMultiple() { + int resultCount = 1000; + int oldFormula = (resultCount / PAGE_SIZE) + 1; + int fixedFormula = calculatePages(resultCount); + + assertEquals(3, oldFormula, "Old formula produces 3 pages for 1000 results (wrong)"); + assertEquals(2, fixedFormula, "Fixed formula produces 2 pages for 1000 results (correct)"); + } + + @Test + void issueSearchUrlHasNoDoubleAmpersand() { + String sonarProject = "benchmark"; + String rule = "java:S1234"; + + String fixedUrl = + "issues/search?componentKeys=" + + sonarProject + + "&types=VULNERABILITY&rules=" + + rule; + + assertFalse(fixedUrl.contains("&&"), "URL must not contain double ampersand"); + } + + @Test + void oldIssueSearchUrlHadDoubleAmpersand() { + String sonarProject = "benchmark"; + String allJavaRules = "java:S1234,java:S5678"; + + String oldUrl = + "issues/search?componentKeys=" + + sonarProject + + "&types=VULNERABILITY&&rules=" + + allJavaRules; + + assertEquals( + true, oldUrl.contains("&&"), "Old URL construction had double ampersand (the bug)"); + } +}