Closed ericwb closed 1 month ago
Thank you for your comment, Eric.
Coincidence? I'm in discussion with @davewichers about all SARIF readers and some (larger) refactoring ideas. When finished, all SARIF readers will use the ID only and refer to the rules provided by each tool.
I'll keep you informed about the process!
Fixed via #70
In the SARIF standard, the rule ID and rule name can be two different values. Yet if you look at https://github.com/OWASP-Benchmark/BenchmarkUtils/blob/bc1690b8b69a968b19bd12f6ee9ed05911654c5b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java#L136 you'll see that the rulesUsed HashMap maps rule names to CWE numbers.
However, later, at https://github.com/OWASP-Benchmark/BenchmarkUtils/blob/bc1690b8b69a968b19bd12f6ee9ed05911654c5b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/CodeQLReader.java#L177, you see that the rule ID is used to look up the value in the HashMap.
While this doesn't currently fail for CodeQL because the rule id and name in its SARIF output are exactly the same, it doesn't work for any other tool using SARIF with different values. It will also fail if CodeQL ever starts creating different values for ID and name.
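An added illustration of the mismatch described in this issue, not code from BenchmarkUtils: a constructed SARIF 2.1.0 log in which one rule's `id` and `name` differ and one rule's are equal, a hypothetical name-keyed table `RULES_BY_NAME` standing in for `rulesUsed`, and a lookup that resolves `ruleId` through `tool.driver.rules` before consulting the table.

```python
import json

# Constructed minimal SARIF 2.1.0 log (not real CodeQL output). Rule "EX001"
# has a different name; rule "SameName" uses the same string for id and name,
# as CodeQL currently does.
SARIF_DOC = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-tool", "rules": [
            {"id": "EX001", "name": "SqlInjection"},
            {"id": "SameName", "name": "SameName"},
        ]}},
        "results": [
            {"ruleId": "EX001", "message": {"text": "constructed finding 1"}},
            {"ruleId": "SameName", "message": {"text": "constructed finding 2"}},
            {"ruleId": "UNKNOWN", "message": {"text": "rule not declared"}},
        ],
    }],
})

# Hypothetical table keyed by rule *name*, mirroring the shape of rulesUsed.
RULES_BY_NAME = {"SqlInjection": 89, "SameName": 79}


def lookup_by_rule_id(sarif_text):
    """The pattern the issue describes: name-keyed table, looked up by ruleId.
    Only works when a tool emits identical id and name."""
    run = json.loads(sarif_text)["runs"][0]
    return [RULES_BY_NAME.get(r["ruleId"]) for r in run["results"]]


def lookup_via_rules_section(sarif_text):
    """Resolve ruleId -> rule object via tool.driver.rules, then map the
    rule's name through the table. Undeclared rule ids yield None."""
    run = json.loads(sarif_text)["runs"][0]
    rules_by_id = {rule["id"]: rule for rule in run["tool"]["driver"]["rules"]}
    cwes = []
    for result in run["results"]:
        rule = rules_by_id.get(result["ruleId"])
        # A rule may legitimately omit "name"; fall back to its id then.
        name = rule.get("name", rule["id"]) if rule else None
        cwes.append(RULES_BY_NAME.get(name))
    return cwes


if __name__ == "__main__":
    print("by ruleId:      ", lookup_by_rule_id(SARIF_DOC))         # [None, 79, None]
    print("via rules list: ", lookup_via_rules_section(SARIF_DOC))  # [89, 79, None]
```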