SonarQube is not importing vulnerabilities from scan as "filePath" is without volume [E:]

[dobromirttmf]

SSC vulnerabilities cannot be imported in SonarQube 8.3.1 during scan.

Issue: json file was generated successfully from SSC app version with FortifyVulnerabilityExporter version 1.2.0, but SonarQube was not importing vulnerabilities from scan as "filePath" was without volume.

Examples:

filePath with volume: "filePath" : "E:/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs", filePath without volume: "filePath" : "/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs",

"issues" : [ {
   "engineId" : "FortifySCA",
   "ruleId" : "Dead Code: Unused Field",
   "severity" : "INFO",
   "type" : "VULNERABILITY",
   "primaryLocation" : {
     "message" : "Dead Code: Unused Field - https://fortifyssc.veripark.com/ssc/html/ssc/version/10001/fix/8263/?engineType=SCA&issue=645F7B691879C8261100E0AA0E8AA3F0",
     "filePath" : "/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs",
     "textRange" : {
       "startLine" : 17
     }
   } 

There were 0 issues imported. Error experienced during SonarQube scan with external Fortify issue import:

13:59:48.253 DEBUG: Importing issues from 'E:\Fortify\FortifyVulnerabilityExporter\sq-fortify-sast.json'
13:59:48.268 INFO: **Imported 0 issues in 0 files**
13:59:48.268 INFO: External issues ignored for 443 unknown files, including: Agents/xyz/a0/_work/1/s/Source/Business/EService/Global.asax.cs, Agents/xyz/a0/_work/1/s/Source/Business/EService/Web.config, Agents/xyz/a0/_work/1/s/Source/Business/EService/Web.Debug.config, Agents/xyz/a0/_work/1/s/Source/Business/EService/Web.Release.config, Agents/xyz/a0/_work/1/s/Source/Business/A.Business/Activities/BaseClass/BaseActivity.cs

Adding the E: volume to the filePath property fixes this issue.

[rsenden]

FortifyVulnerabilityExporter can only export issue details like file paths that are exposed through the SSC REST API; apparently SSC doesn't provide the drive letter so FortifyVulnerabilityExporter cannot know that a drive letter should be included to generate an absolute path. This is also mentioned in the documentation in more generic terms: https://github.com/fortify/FortifyVulnerabilityExporter#sonarqube-integration

Product changes would be required to resolve this issue in a generic way, so please consider to:

• Submit a SonarQube feature request, asking to have SonarQube be more forgiving on the file path. For example, if you are running the Sonar scan from the E-drive as well, then SonarQube should understand that /Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs actually points to E:/Agents/vbc/a0/_work/1/s/Source/AAA/BBB/C.asax.cs.
• Submit a Fortify SSC feature request, asking to have the SSC REST API return a property containing the full, absolute source file path. This information is available in the FPR file (by combining SourceBasePath and actual vulnerability path), but not exposed through the SSC REST API.

As a work-around, you can use one of the following approaches:

• Post-process the generated JSON file to modify the filePath properties to a format that is accepted by SonarQube.
• Customize the FortifyVulnerabilityExporter JSON output by using a custom configuration file or through command line options. In this particular example, you could for example add the following command line option to add the E: prefix to the file paths: --json.sonarqube.sast.format.vulnerabilityMappers.issue.fields.primaryLocation.filePath=E:$[vuln.fullFileName]

Please leave a comment if you have any suggestions on how FortifyVulnerabilityExporter could assist in working around these product limitations.

[dobromirttmf]

@rsenden Thank you for the feedback. Regarding the second workaround: are there any future plans for adding this custom functionality in FortifyVulnerabilityExporter or client should do it in his own?

proposed workaround: "Customize the FortifyVulnerabilityExporter JSON output by using a custom configuration file or through command line options"

[rsenden]

@dobromirttmf The second work-around was already available, but version 1.3.0 adds a --json.sonarqube.sast.filePathPrefix command line option that makes it a bit easier to specify a file path prefix.