cshtml --cwe-names: load CWE names from a CSV file

Author: kdudka

src/CMakeLists.txt

@@ -29,6 +29,7 @@ add_library(cs STATIC
     csv-parser.cc
     cswriter.cc
     cwe-mapper.cc
+    cwe-name-lookup.cc
     deflookup.cc
     gcc-parser.cc
     html-writer.cc

src/cshtml.cc

@@ -18,6 +18,7 @@
  */
 
 #include "abstract-parser.hh"
+#include "cwe-name-lookup.hh"
 #include "deflookup.hh"
 #include "html-writer.hh"
 #include "instream.hh"
@@ -26,6 +27,11 @@
 
 #include <boost/program_options.hpp>
 
+#ifndef DEFAULT_CWE_NAMES_FILE
+#   define DEFAULT_CWE_NAMES_FILE "/usr/share/csdiff/cwe-names.csv"
+#endif
+static const char fnCweNamesDefault[] = DEFAULT_CWE_NAMES_FILE;
+
 std::string titleFromFileName(const std::string &fileName)
 {
     if (!fileName.compare("-"))
@@ -57,9 +63,13 @@ int main(int argc, char *argv[])
 
     typedef std::vector<string> TStringList;
     string defUrlTemplate, fnBase, checkerIgnRegex, plainTextUrl, spPosition;
+    string fnCweNames;
 
     try {
         desc.add_options()
+            ("cwe-names",
+             po::value(&fnCweNames)->default_value(fnCweNamesDefault),
+             "CSV file mapping CWE numbers to names")
             ("defect-url-template", po::value(&defUrlTemplate),
              "e.g. http://localhost/index.php?proj=%d&defect=%d")
             ("diff-base", po::value(&fnBase),
@@ -152,6 +162,14 @@ int main(int argc, char *argv[])
                     diffTitleFallback);
         }
 
+        // initialize CWE names lookup
+        CweNameLookup cweNames;
+        if (!fnCweNames.empty()) {
+            InStream strCweNames(fnCweNames);
+            cweNames.parse(strCweNames);
+            writer.setCweNameLookup(&cweNames);
+        }
+
         // write HTML
         writer.handleFile(pInput, fnInput);
         writer.flush();

src/csv-parser.cc

@@ -48,7 +48,7 @@ bool AbstractCsvParser::parse(InStream &ins)
 
     std::istream &str = ins.str();
     std::string line;
-    for (d->lineno = 0; std::getline(str, line); d->lineno++) {
+    for (d->lineno = 1; std::getline(str, line); d->lineno++) {
         // initialize tokenizer
         typedef boost::escaped_list_separator<char>     TSeparator;
         typedef boost::tokenizer<TSeparator>            TTokenizer;

src/cwe-name-lookup.cc

@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2020 Red Hat, Inc.
+ *
+ * This file is part of csdiff.
+ *
+ * csdiff is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * any later version.
+ *
+ * csdiff is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with csdiff.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "cwe-name-lookup.hh"
+
+#include "parser-common.hh"
+
+#include <map>
+
+struct CweNameLookup::Private {
+    typedef std::map<int, std::string> TMap;
+    TMap nameByCwe;
+    const std::string emp;
+};
+
+CweNameLookup::CweNameLookup():
+    d(new Private)
+{
+}
+
+CweNameLookup::~CweNameLookup()
+{
+    delete d;
+}
+
+bool CweNameLookup::handleLine(const TStringList &fields)
+{
+    if (2U != fields.size()) {
+        this->parseError("invalid count of fields");
+        return /* continue */ true;
+    }
+
+    // parse CWE number
+    const std::string &cweId = fields[/* CWE */ 0];
+    const int cwe = parse_int(cweId, -1);
+    if (cwe < 0) {
+        this->parseError("invalid CWE ID");
+        return /* continue */ true;
+    }
+
+    // lookup by CWE number
+    if (d->nameByCwe.count(cwe))
+        this->parseError("CWE name redefinition");
+
+    // define the mapping
+    const std::string &cweName = fields[/* name */ 1];
+    d->nameByCwe[cwe] = cweName;
+
+    return /* continue */ true;
+}
+
+const std::string& CweNameLookup::lookup(const int cwe) const
+{
+    const Private::TMap::const_iterator it = d->nameByCwe.find(cwe);
+    return (d->nameByCwe.end() == it)
+        ? d->emp
+        : it->second;
+}

src/cwe-name-lookup.hh

@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 Red Hat, Inc.
+ *
+ * This file is part of csdiff.
+ *
+ * csdiff is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * any later version.
+ *
+ * csdiff is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with csdiff.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef H_GUARD_CWE_NAME_LOOKUP_H
+#define H_GUARD_CWE_NAME_LOOKUP_H
+
+#include "abstract-filter.hh"
+#include "csv-parser.hh"
+
+#include <iostream>
+
+class CweNameLookup: public AbstractCsvParser {
+    public:
+        CweNameLookup();
+        virtual ~CweNameLookup();
+
+        /// return name of the given CWE ID, or an empty string if not found
+        const std::string& lookup(const int cwe) const;
+
+    protected:
+        virtual bool /* continue */ handleLine(const TStringList &);
+
+    private:
+        struct Private;
+        Private *d;
+};
+
+#endif /* H_GUARD_CWE_NAME_LOOKUP_H */

src/html-writer.cc

@@ -19,6 +19,7 @@
 
 #include "html-writer.hh"
 
+#include "cwe-name-lookup.hh"
 #include "deflookup.hh"
 #include "regex.hh"
 
@@ -195,12 +196,16 @@ void linkifyShellCheckMsg(std::string *pMsg)
             "\\1SC\\2\\3</a>");
 }
 
-void printCweLink(std::ostream &str, const int cwe)
+void printCweLink(std::ostream &str, const int cwe, const std::string &cweName)
 {
     str << "<a href=\"https://cwe.mitre.org/data/definitions/"
-        << cwe << ".html\""
-        << " title=\"definition of CWE-"
-        << cwe << " by MITRE\">"
+        << cwe << ".html\" title=\"";
+    if (cweName.empty())
+        str << "definition of CWE-" << cwe << " by MITRE";
+    else
+        str << "CWE-" << cwe << ": " << cweName;
+
+    str << "\">"
         << "CWE-" << cwe
         << "</a>";
 }
@@ -303,11 +308,12 @@ struct HtmlWriter::Private {
     HtmlWriterCore                  core;
     TScanProps                      scanProps;
     const std::string               defUrlTemplate;
-    unsigned                        defCnt;
-    DefLookup                      *baseLookup;
+    unsigned                        defCnt = 0U;
+    DefLookup                      *baseLookup = nullptr;
     RE                              checkerIgnRegex;
     std::string                     newDefMsg;
     std::string                     plainTextUrl;
+    const CweNameLookup            *cweNames = nullptr;
 
     Private(
             std::ostream           &str_,
@@ -316,9 +322,7 @@ struct HtmlWriter::Private {
             const std::string      &spPlacement_):
         str(str_),
         core(str_, titleFallback_, spPlacement_),
-        defUrlTemplate(defUrlTemplate_),
-        defCnt(0),
-        baseLookup(0)
+        defUrlTemplate(defUrlTemplate_)
     {
         if (!defUrlTemplate.empty())
             // just make sure that the format string is correct
@@ -394,6 +398,11 @@ void HtmlWriter::setPlainTextUrl(const std::string &url)
     d->plainTextUrl = url;
 }
 
+void HtmlWriter::setCweNameLookup(const CweNameLookup *cweNames)
+{
+    d->cweNames = cweNames;
+}
+
 void HtmlWriter::Private::writeLinkToDetails(const Defect &def)
 {
     const int defId = def.defectId;
@@ -451,13 +460,19 @@ void HtmlWriter::handleDef(const Defect &def)
 
     d->str << "<b>Error: <span style='background: #C0FF00;'>"
         << HtmlLib::escapeTextInline(def.checker) << "</span>";
-    if (def.cwe) {
+
+    const int cwe = def.cwe;
+    if (cwe) {
+        std::string cweName;
+        if (d->cweNames)
+            cweName = d->cweNames->lookup(cwe);
         d->str << " (";
-        printCweLink(d->str, def.cwe);
+        printCweLink(d->str, cwe, cweName);
         d->str << ")";
     }
     else
         d->str << HtmlLib::escapeTextInline(def.annotation);
+
     d->str << ":</b>";
 
     d->writeLinkToDetails(def);

src/html-writer.hh

@@ -22,6 +22,7 @@
 
 #include "abstract-writer.hh"
 
+class CweNameLookup;
 class DefLookup;
 
 class HtmlWriter: public AbstractWriter {
@@ -49,6 +50,9 @@ class HtmlWriter: public AbstractWriter {
 
         void setPlainTextUrl(const std::string &);
 
+        /// @attention cweNames needs to stay valid long enough (no deep copy)
+        void setCweNameLookup(const CweNameLookup *cweNames);
+
     private:
         struct Private;
         Private *d;

tests/cshtml/0001-smoke/runtest.sh

@@ -4,6 +4,7 @@ set -x
 
 # run cshtml
 "${CSHTML_BIN}" \
+    --cwe-names ""                                      \
     --diff-base "${TEST_SRC_DIR}/old/scan-results.js"   \
     --diff-base-ignore-checkers "SHELLCHECK_WARNING"    \
     --plain-text-url "scan-results.err"                 \