
Log and skip vulnerabilities with unresolved CWEs

Martynas Krupskis requested to merge skip-vuln-without-cwe into main

Closes #5 (closed)

Summary

https://gitlab.com/gitlab-org/secure/gsoc-sast-benchmark/evaluator/-/jobs/2900005426 failed because some vulnerabilities do not have a mapping to a CWE. With these changes, the evaluator will log these instances in the following fashion:

No CWE or CWE mapping for vulnerability at: WebGoat/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java:66
No CWE or CWE mapping for vulnerability at: WebGoat/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java:166
No CWE or CWE mapping for vulnerability at: WebGoat/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java:144
No CWE or CWE mapping for vulnerability at: WebGoat/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java:100
No CWE or CWE mapping for vulnerability at: WebGoat/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java:51
No CWE or CWE mapping for vulnerability at: WebGoat/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java:71

This allows users to further debug why the vulnerability was not mapped.

Changed behavior

The new behavior can be observed in the changed test. While previously it would error out and return a nil report, currently it keeps processing even if a vulnerability with no CWE is encountered. In this way, vulnerabilities with no CWE mappings are practically non-existent to the evaluator.

Edited by Martynas Krupskis
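The skip-and-log behavior described above, as an added example in Go that is not the evaluator's own code: the `Vulnerability` and `Report` types, the `cweMapping` table and the `Evaluate` function are constructed stand-ins, and the sample file paths are constructed. The point it shows is that a finding with no CWE, or with a CWE absent from the mapping, is logged with its location and dropped, while the report itself is still returned rather than nil.

```go
package main

import (
	"fmt"
	"log"
)

// Vulnerability is a constructed stand-in for one SAST finding; the real
// evaluator's types are not shown on the merge request page.
type Vulnerability struct {
	File string
	Line int
	CWE  string // empty when the scanner reported no CWE identifier
}

// cweMapping is a constructed CWE-to-benchmark-category table (placeholder
// values, not the evaluator's real mapping).
var cweMapping = map[string]string{
	"CWE-89":  "sqli",
	"CWE-79":  "xss",
	"CWE-384": "session-fixation",
}

// Report holds the findings that could be mapped to a benchmark category.
type Report struct {
	Mapped map[string][]Vulnerability
}

// Evaluate maps each finding to its benchmark category. A finding with no
// CWE, or a CWE missing from the mapping, is logged with its file:line and
// skipped instead of aborting the run; the skipped locations are also
// returned so a caller can debug why they were not mapped.
func Evaluate(vulns []Vulnerability, logf func(string, ...interface{})) (*Report, []string) {
	r := &Report{Mapped: map[string][]Vulnerability{}}
	var skipped []string
	for _, v := range vulns {
		cat, ok := cweMapping[v.CWE]
		if v.CWE == "" || !ok {
			loc := fmt.Sprintf("%s:%d", v.File, v.Line)
			logf("No CWE or CWE mapping for vulnerability at: %s", loc)
			skipped = append(skipped, loc)
			continue // keep processing; do not return a nil report
		}
		r.Mapped[cat] = append(r.Mapped[cat], v)
	}
	return r, skipped
}

func main() {
	// Constructed sample input: one unmapped, one unknown CWE, one mapped.
	vulns := []Vulnerability{
		{File: "WebGoat/src/Example1.java", Line: 66},
		{File: "WebGoat/src/Example2.java", Line: 166, CWE: "CWE-9999"},
		{File: "WebGoat/src/Example3.java", Line: 12, CWE: "CWE-89"},
	}
	report, skipped := Evaluate(vulns, log.Printf)
	fmt.Printf("mapped sqli=%d skipped=%d\n", len(report.Mapped["sqli"]), len(skipped))
}
```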
