fortify-ps / FortifyBugTrackerUtility

Automated submission of FoD and SSC vulnerabilities to external systems
MIT License

{"errorMessages":["Error in the JQL Query: Expecting either 'OR' or 'AND' but got 'jquery'. (line 1, character 52)"],"errors":{}} #53

Open ghost opened 3 years ago

ghost commented 3 years ago

When a vulnerability name contains a single quote, such as (Vulnerable version of the library 'jquery' found), the script fails because the single quote is treated as part of the JQL instead of as part of the search string. This vulnerability is from a Burp XML upload.

rsenden commented 3 years ago

Thanks for reporting this. Based on your description, I'm assuming you are exporting vulnerability data from SSC to JIRA using the SSCToJiraWithParents.xml configuration file, correct? Are you using the default configuration?

Can you please share the value of the jqlExpression property in your configuration file?

ghost commented 3 years ago

Yes, this is from SSC to Jira using SSCToJiraWithParents.xml; I have modified the configuration for our needs. Below is the jqlExpression value: value="summary~'"${summary}"'"

rsenden commented 3 years ago

The utility simply evaluates all ${...} expressions in the jqlExpression property, and then passes this JQL expression to JIRA without any further modifications. As such this is not really a bug with the utility itself, but with the value of the jqlExpression property.

You will need to work with a JIRA specialist to find a working JQL query that matches a summary like Vulnerable version of the library 'jquery' found; maybe you just need to escape or remove any single quotes (and other special characters, for that matter). For example, you could potentially use something like ${summary.replaceAll("'", "")} to remove all single quotes.

You can also consider removing any special characters from the summary field up front (again using ${field.replaceAll(...)}) to avoid having to deal with special characters altogether.

rsenden commented 3 years ago

@miirshad Were you able to get this issue fixed? If so, can you please share the jqlExpression property value that you are currently using?

4lexaG commented 1 month ago

There is a problem when two categories have similar names, since the query uses 'contain'. I recommend adding the vulId to the summary to differentiate them; it worked for me.
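The two suggestions in this thread, escaping or stripping the quote before it is interpolated into the jqlExpression, and adding the vulnerability id to the summary so that the `~` contains-search does not match a sibling issue with a similar name, can be checked offline. The following is an added example written for this page; it is not code from FortifyBugTrackerUtility, and `naive_jql`, `jql_quote`, `strip_special`, `build_jql` and the tiny `parse_summary_contains` checker are hypothetical helpers. It assumes the JQL rule that a single-quoted string literal accepts backslash escapes (`\'` and `\\`), so those are the only two characters that can break out of the literal; it does not attempt full escaping of Lucene operator characters for text search, which is a separate concern.

```python
import re

# Constructed sample taken from the issue: an SSC vulnerability name with a single quote.
SAMPLE_SUMMARY = "Vulnerable version of the library 'jquery' found"


def naive_jql(summary):
    """Mirrors the jqlExpression from the issue, summary~'${summary}', with no escaping.
    A single quote inside the summary terminates the literal early."""
    return "summary~'" + summary + "'"


def jql_quote(value):
    """Quote a value as a single-quoted JQL string literal.
    Backslash is escaped first so the backslash added for the quote is not doubled."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def strip_special(value):
    """The alternative suggested in the thread: keep only letters, digits and spaces.
    Equivalent to the SpEL expression ${summary.replaceAll("[^A-Za-z0-9 ]", "")}."""
    return re.sub(r"[^A-Za-z0-9 ]", "", value)


def build_jql(summary, vuln_id=None, strip=False):
    """Build summary~'<text>' safely. If vuln_id is given it is prefixed to the text,
    assuming the Jira issue summary was created with the same prefix (4lexaG's approach)."""
    text = strip_special(summary) if strip else summary
    if vuln_id is not None:
        text = str(vuln_id) + " " + text
    return "summary~" + jql_quote(text)


def parse_summary_contains(query):
    """Minimal checker for the one query shape used here: summary~'<literal>'.
    Returns (literal, trailing). Anything left after the closing quote is what Jira
    rejects with the "Expecting either 'OR' or 'AND'" error quoted in the issue title."""
    prefix = "summary~'"
    if not query.startswith(prefix):
        raise ValueError("unexpected query shape")
    out = []
    i = len(prefix)
    while i < len(query):
        c = query[i]
        if c == "\\" and i + 1 < len(query):  # backslash escape: take next char literally
            out.append(query[i + 1])
            i += 2
            continue
        if c == "'":  # unescaped quote closes the literal
            return "".join(out), query[i + 1:].strip()
        out.append(c)
        i += 1
    raise ValueError("unterminated literal")


if __name__ == "__main__":
    for q in (naive_jql(SAMPLE_SUMMARY),
              build_jql(SAMPLE_SUMMARY),
              build_jql(SAMPLE_SUMMARY, vuln_id=12345, strip=True)):
        print(q, "->", parse_summary_contains(q))
```

Running it shows the naive query splitting at the first quote, leaving `jquery' found'` dangling exactly as in the reported error, while both the escaped and the stripped forms yield a single complete literal. Stripping is simpler to express in the XML configuration, but it also changes the text being matched, so the Jira summary must have been created from the same stripped value; adding the vulnerability id is what actually makes the contains-search unambiguous.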