
Create CSV file for logging Vulnerabilities and line numbers

Open preetkaran20 opened this issue 4 years ago • 0 comments

Is your feature request related to a problem? Please describe.

SAST tools like SonarSource want to evaluate their accuracy and improvements in finding security vulnerabilities. Now, as VulnerableApp is a vulnerable application for helping scanners evaluate themselves, we want to give them a CSV file, something like: https://github.com/SasanLabs/VulnerableApp/blob/master/scanner/sast/expectedIssues.csv

Describe the solution you'd like

We want to write a logger class that will be invoked from the Vulnerability class, e.g.

class Logger {
    // Generic pass-through: returns its input unchanged so it can wrap any value.
    public static <T> T log(T input) {
        // Fetch the stack trace once; frame 0 is getStackTrace itself, frame 1 is log.
        StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
        for (int i = 0; i < Math.min(5, stackTrace.length); i++) {
            int lineNumber = stackTrace[i].getLineNumber();
            String className = stackTrace[i].getClassName();
            // Similarly other things (method name etc.)
            try {
                Class<?> clazz = Class.forName(className);
                // Look for annotation: VulnerableAppRestController
                // Find the Vulnerability type from the method annotation: VulnerableAppRequestMapping
                // Log into the CSV (we can log all 5 lines of the stacktrace in CSV for context to SAST tools)
            } catch (ClassNotFoundException e) {
                // Frame belongs to a class we cannot load here; skip it.
            }
        }
        return input;
    }
}
// Invocation logic
/**
Generally, validators have some issues which cause security vulnerabilities, so we will have a right validator and a buggy validator. So the caller will execute the correct validator, and if both the responses have differences then the caller will call the Logger.log class.
**/

We will only enable this logging if there is a static flag set. That static flag should be honored by the Logger.log method.

Definition of Done

  1. Create a flag in https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/Application.java which will be enabled as command-line input.
  2. Create a logger class to log into CSV. CSV should look similar to https://github.com/SasanLabs/VulnerableApp/blob/master/scanner/sast/expectedIssues.csv (Do consider how to efficiently work on CSV and in-memory)
  3. Add the caller logic for Logger for https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java Vulnerability
  4. Document the details on a Wiki page.

Actual issue: https://github.com/SasanLabs/VulnerableApp/issues/274

The plan is that integration tests will be invoked to execute the Vulnerable Code and that Vulnerable code will be calling the logger which will create the CSV file and we will check in the CSV file into the repository. Integration test issue: https://github.com/SasanLabs/VulnerableApp/issues/411

Note: the above things are my thoughts, but you are free to choose another approach.

preetkaran20 avatar Sep 26 '21 18:09 preetkaran20
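One way the sketched Logger and its differential-validator caller could fit together, as an added example that is not the project's code: the flag is honoured inside the logger, both validators run, and a CSV row (columns assumed, not the real expectedIssues.csv layout) is written only when their results differ. The annotation declared here is a stand-in for VulnerableAppRequestMapping, whose real package and attributes are not on this page.

```java
import java.io.IOException;
import java.io.Writer;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.Objects;
import java.util.function.Function;

/** Assumed stand-in for the project's VulnerableAppRequestMapping annotation. */
@Retention(RetentionPolicy.RUNTIME) @interface VulnerableAppRequestMapping { String value(); }

public final class VulnerabilityLogger {
    /** Honoured by log(); meant to be set from the command-line flag in Application. */
    public static volatile boolean ENABLED = false;
    private static Writer csv; // assumed to be opened once at startup via init()

    public static void init(Writer out) throws IOException {
        csv = out;
        csv.write("vulnerabilityType,className,methodName,lineNumber\n");
    }

    /** Runs the correct and buggy validators; logs the call site only when they disagree. */
    public static <I, O> O compare(I input, Function<I, O> correct, Function<I, O> buggy) {
        O safe = correct.apply(input);
        O unsafe = buggy.apply(input);
        if (ENABLED && !Objects.equals(safe, unsafe)) log();
        return unsafe; // the app stays vulnerable on purpose; logging is only a side channel
    }

    private static void log() {
        StackTraceElement[] st = Thread.currentThread().getStackTrace();
        // Frames 0-2 are getStackTrace, log and compare; inspect the next few callers.
        for (int i = 3; i < Math.min(st.length, 8); i++) {
            String type = vulnerabilityType(st[i]);
            if (type == null) continue;
            try {
                csv.write(String.join(",", type, st[i].getClassName(), st[i].getMethodName(),
                        String.valueOf(st[i].getLineNumber())) + "\n");
                csv.flush();
            } catch (IOException ignored) { /* logging must never change app behaviour */ }
            return; // the first annotated frame identifies the vulnerability endpoint
        }
    }

    private static String vulnerabilityType(StackTraceElement frame) {
        try {
            for (Method m : Class.forName(frame.getClassName()).getDeclaredMethods()) {
                VulnerableAppRequestMapping a = m.getAnnotation(VulnerableAppRequestMapping.class);
                if (a != null && m.getName().equals(frame.getMethodName())) return a.value();
            }
        } catch (ClassNotFoundException e) { /* frame from a class not loadable here */ }
        return null;
    }
}
```

Because compare() returns the buggy validator's result, wiring it into a vulnerability class does not change what a scanner observes; it only emits the CSV row that the SAST tool can later be checked against.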