From 9bdd4425ae2b269e54338a7e33eb0f85f65b9605 Mon Sep 17 00:00:00 2001
From: akash-sahai
Date: Tue, 24 Mar 2026 11:55:46 +0530
Subject: [PATCH 1/8] Added more CWE mappings for HCL AppScan

Added more CWE mappings for HCL AppScan
---
 .../main/java/org/owasp/benchmarkutils/score/CweNumber.java | 3 +++
 .../benchmarkutils/score/parsers/HCLAppScanIASTReader.java | 2 ++
 .../benchmarkutils/score/parsers/HCLAppScanSourceReader.java | 4 ++++
 3 files changed, 9 insertions(+)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
index 4e338299..74436868 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
@@ -64,6 +64,9 @@ public class CweNumber {
 /** CWE-134: Use of Externally-Controlled Format String */
 public static final int EXTERNALLY_CONTROLLED_STRING = 134;

+ /** CWE-200: Missing Referrer Policy Header */
+ public static final int MISSING_REFERRER_POLICY_HEADER = 200;
+
 /** CWE-284: Improper Access Control */
 public static final int IMPROPER_ACCESS_CONTROL = 284;

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
index f0620c69..0130fd63 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
@@ -77,6 +77,8 @@ private void createVulnerabilitiesMap() {
 vulnerabilityToCweNumber.put("passParamGET", CweNumber.UNPROTECTED_CREDENTIALS_TRANSPORT);
 vulnerabilityToCweNumber.put("attJavaDeserCodeExec", CweNumber.COMMAND_INJECTION);
 vulnerabilityToCweNumber.put("GV_JSONXSS", CweNumber.XSS);
+ vulnerabilityToCweNumber.put("attRedirectInURL", CweNumber.OPEN_REDIRECT);
+ vulnerabilityToCweNumber.put("attReferrerPolicyHeaderExist", CweNumber.MISSING_REFERRER_POLICY_HEADER);
 }

 @Override
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
index ec07c863..93958338 100755
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
@@ -160,6 +160,10 @@ private int cweLookup(String vtype) {
 return CweNumber.INSECURE_DESERIALIZATION;
 case "ErrorHandling.RevealDetails.StackTrace":
 return CweNumber.SENSITIVE_LOGFILE;
+ case "attRedirectInURL":
+ return CweNumber.OPEN_REDIRECT;
+ case "attReferrerPolicyHeaderExist":
+ return CweNumber.MISSING_REFERRER_POLICY_HEADER;
 default:
 reportWarning("WARNING: HCL AppScan Source-Unrecognized finding type: " + vtype);
 }

From 267c933c326dbcdd5f8d7fa7923e491263adeb9f Mon Sep 17 00:00:00 2001
From: akash-sahai
Date: Tue, 24 Mar 2026 14:02:39 +0530
Subject: [PATCH 2/8] Modified mapping of attJavaDeserCodeExec

Modified mapping of attJavaDeserCodeExec for HCL AppScan IAST
---
 .../benchmarkutils/score/parsers/HCLAppScanIASTReader.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
index 0130fd63..1f17f02a 100644
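Review bot: The two cases added to cweLookup use the IAST reader's `att*` finding identifiers, while every existing case in this switch uses AppScan Source's dotted names such as `Validation.Required.WriteToStream`, so it seems unlikely a Source report ever yields `attRedirectInURL` or `attReferrerPolicyHeaderExist` and both arms would be dead; PATCH 6 and PATCH 7 of this series remove them again. PATCH 8 then restores the indentation, leaving HCLAppScanSourceReader.java at blob ec07c863, the same blob this hunk's index line starts from, so the four touches to that file across the series cancel out and the history would read more clearly with them squashed away. cweLookup's body continues outside the hunk, including whatever it returns after the `default:` warning.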
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
@@ -75,7 +75,7 @@ private void createVulnerabilitiesMap() {
 vulnerabilityToCweNumber.put("attFileUploadXXE", CweNumber.XXE);
 vulnerabilityToCweNumber.put("attCrossSiteRequestForgery", CweNumber.CSRF);
 vulnerabilityToCweNumber.put("passParamGET", CweNumber.UNPROTECTED_CREDENTIALS_TRANSPORT);
- vulnerabilityToCweNumber.put("attJavaDeserCodeExec", CweNumber.COMMAND_INJECTION);
+ vulnerabilityToCweNumber.put("attJavaDeserCodeExec", CweNumber.INSECURE_DESERIALIZATION);
 vulnerabilityToCweNumber.put("GV_JSONXSS", CweNumber.XSS);
 vulnerabilityToCweNumber.put("attRedirectInURL", CweNumber.OPEN_REDIRECT);
 vulnerabilityToCweNumber.put("attReferrerPolicyHeaderExist", CweNumber.MISSING_REFERRER_POLICY_HEADER);

From 6cb1a4a24c2c53e83bd438e9b9f44bba31ca4920 Mon Sep 17 00:00:00 2001
From: akash-sahai
Date: Fri, 27 Mar 2026 18:08:20 +0530
Subject: [PATCH 3/8] Modified IAST related vulnerability mappings

Modified IAST related vulnerability mappings
---
 .../benchmarkutils/score/parsers/HCLAppScanIASTReader.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
index 1f17f02a..02d8c844 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
@@ -78,7 +78,8 @@ private void createVulnerabilitiesMap() {
 vulnerabilityToCweNumber.put("attJavaDeserCodeExec", CweNumber.INSECURE_DESERIALIZATION);
 vulnerabilityToCweNumber.put("GV_JSONXSS", CweNumber.XSS);
 vulnerabilityToCweNumber.put("attRedirectInURL", CweNumber.OPEN_REDIRECT);
- vulnerabilityToCweNumber.put("attReferrerPolicyHeaderExist", CweNumber.MISSING_REFERRER_POLICY_HEADER);
+ vulnerabilityToCweNumber.put("attReferrerPolicyHeaderExist", CweNumber.DONTCARE);
+ vulnerabilityToCweNumber.put("DetectedAPIs", CweNumber.DONTCARE);
 }

 @Override

From 07472f1af82c1ff2cc607ba95421d0856e0cda83 Mon Sep 17 00:00:00 2001
From: akash-sahai
Date: Tue, 31 Mar 2026 09:01:49 +0530
Subject: [PATCH 4/8] Added CodeInjection mapping for IAST

Added CodeInjection mapping for IAST
---
 .../owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
index 02d8c844..b43062f9 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
@@ -80,6 +80,7 @@ private void createVulnerabilitiesMap() {
 vulnerabilityToCweNumber.put("attRedirectInURL", CweNumber.OPEN_REDIRECT);
 vulnerabilityToCweNumber.put("attReferrerPolicyHeaderExist", CweNumber.DONTCARE);
 vulnerabilityToCweNumber.put("DetectedAPIs", CweNumber.DONTCARE);
+ vulnerabilityToCweNumber.put("attBlindCodeInjection", 94);
 }

 @Override

From 8d32154d8400bb77efa1422fd87aeee896f31708 Mon Sep 17 00:00:00 2001
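Review bot: The two entries now mapped to `CweNumber.DONTCARE` carry no explanation of why `attReferrerPolicyHeaderExist` and `DetectedAPIs` are deliberately not scored, and nothing on the page says what DONTCARE means to the scorer. A one-line comment above them would stop a later contributor from "fixing" them back to a real CWE, e.g. `// Informational IAST findings with no corresponding Benchmark test category; mapped to DONTCARE so they are not scored` (wording to be confirmed against what DONTCARE actually does in the scorer). createVulnerabilitiesMap begins outside the hunk.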
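Review bot: `vulnerabilityToCweNumber.put("attBlindCodeInjection", 94);` is the only entry in this map that uses a bare integer instead of a `CweNumber` constant, which hides what the number means and breaks the convention every neighbouring line follows. If CweNumber has no constant for CWE-94 (Improper Control of Generation of Code, "Code Injection") yet, add one there with the same `/** CWE-94: ... */` Javadoc style the class uses and reference it here, e.g. `vulnerabilityToCweNumber.put("attBlindCodeInjection", CweNumber.CODE_INJECTION);` (constant name illustrative, to match whatever CweNumber defines). createVulnerabilitiesMap begins outside the hunk.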
From: akash-sahai
Date: Tue, 14 Apr 2026 12:11:03 +0530
Subject: [PATCH 5/8] added DeserializationOfUntrustedData as another option for 502 Vulnerability

added DeserializationOfUntrustedData as another option for 502 Vulnerability
---
 .../owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
index b43062f9..30f25db6 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanIASTReader.java
@@ -76,6 +76,7 @@ private void createVulnerabilitiesMap() {
 vulnerabilityToCweNumber.put("attCrossSiteRequestForgery", CweNumber.CSRF);
 vulnerabilityToCweNumber.put("passParamGET", CweNumber.UNPROTECTED_CREDENTIALS_TRANSPORT);
 vulnerabilityToCweNumber.put("attJavaDeserCodeExec", CweNumber.INSECURE_DESERIALIZATION);
+ vulnerabilityToCweNumber.put("DeserializationOfUntrustedData", CweNumber.INSECURE_DESERIALIZATION);
 vulnerabilityToCweNumber.put("GV_JSONXSS", CweNumber.XSS);
 vulnerabilityToCweNumber.put("attRedirectInURL", CweNumber.OPEN_REDIRECT);
 vulnerabilityToCweNumber.put("attReferrerPolicyHeaderExist", CweNumber.DONTCARE);

From 8427c95a3887f2b6c92f97fa90750dcc818b1826 Mon Sep 17 00:00:00 2001
From: akash-sahai
Date: Wed, 6 May 2026 08:23:35 +0530
Subject: [PATCH 6/8] Removed added MISSING_REFERRER_POLICY_HEADER

Removed added MISSING_REFERRER_POLICY_HEADER as this was handled using CweNumber.DONTCARE
---
 .../main/java/org/owasp/benchmarkutils/score/CweNumber.java | 3 ---
 .../benchmarkutils/score/parsers/HCLAppScanSourceReader.java | 4 +---
 2 files changed, 1 insertion(+), 6 deletions(-)

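Review bot: After this line the map carries two keys for the same CWE, `attJavaDeserCodeExec` and the newly added `DeserializationOfUntrustedData`, with nothing saying why both exist; the new key also follows a different naming style from the `att*` keys around it, so it is not obvious whether AppScan IAST emits both identifiers or one of them is a leftover. A short comment on the new line would settle that for the next reader, e.g. `// AppScan IAST reports CWE-502 findings under either identifier` (to be confirmed against actual report output). createVulnerabilitiesMap begins outside the hunk.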
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
index aabd8efd..103c2696 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/CweNumber.java
@@ -67,9 +67,6 @@ public class CweNumber {
 /** CWE-134: Use of Externally-Controlled Format String */
 public static final int EXTERNALLY_CONTROLLED_STRING = 134;

- /** CWE-200: Missing Referrer Policy Header */
- public static final int MISSING_REFERRER_POLICY_HEADER = 200;
-
 /** CWE-284: Improper Access Control */
 public static final int IMPROPER_ACCESS_CONTROL = 284;

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
index 93958338..63ffe710 100755
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
@@ -161,9 +161,7 @@ private int cweLookup(String vtype) {
 case "ErrorHandling.RevealDetails.StackTrace":
 return CweNumber.SENSITIVE_LOGFILE;
 case "attRedirectInURL":
- return CweNumber.OPEN_REDIRECT;
- case "attReferrerPolicyHeaderExist":
- return CweNumber.MISSING_REFERRER_POLICY_HEADER;
+ return CweNumber.OPEN_REDIRECT;
 default:
 reportWarning("WARNING: HCL AppScan Source-Unrecognized finding type: " + vtype);
 }

From d0dd0802441b234b8a405b4b6042ac0f76a48a13 Mon Sep 17 00:00:00 2001
From: akash-sahai
Date: Wed, 6 May 2026 08:34:40 +0530
Subject: [PATCH 7/8] removed not required code

removed not required code
---
 .../benchmarkutils/score/parsers/HCLAppScanSourceReader.java | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
index 63ffe710..e64fc6db 100755
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
@@ -159,9 +159,7 @@ private int cweLookup(String vtype) {
 case "Validation.Required.WriteToStream":
 return CweNumber.INSECURE_DESERIALIZATION;
 case "ErrorHandling.RevealDetails.StackTrace":
- return CweNumber.SENSITIVE_LOGFILE;
- case "attRedirectInURL":
- return CweNumber.OPEN_REDIRECT;
+ return CweNumber.SENSITIVE_LOGFILE;
 default:
 reportWarning("WARNING: HCL AppScan Source-Unrecognized finding type: " + vtype);
 }

From 45578ac82e825ea6c045c3cb94b0504aa98cf9b0 Mon Sep 17 00:00:00 2001
From: akash-sahai
Date: Wed, 6 May 2026 08:35:34 +0530
Subject: [PATCH 8/8] removed whitespace

removed whitespace
---
 .../benchmarkutils/score/parsers/HCLAppScanSourceReader.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
index e64fc6db..ec07c863 100755
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/HCLAppScanSourceReader.java
@@ -159,7 +159,7 @@ private int cweLookup(String vtype) {
 case "Validation.Required.WriteToStream":
 return CweNumber.INSECURE_DESERIALIZATION;
 case "ErrorHandling.RevealDetails.StackTrace":
- return CweNumber.SENSITIVE_LOGFILE;
+ return CweNumber.SENSITIVE_LOGFILE;
 default:
 reportWarning("WARNING: HCL AppScan Source-Unrecognized finding type: " + vtype);
 }