Open candrews opened 1 year ago

I'm trying to import this SARIF file: results.sarif

This results in a failure, and this exception is logged:

Digging in, I found that the cause is that `setStringCustomAttributeValue` is called with a value that is too long. The error occurs at this line: https://github.com/fortify/fortify-ssc-parser-sarif/blob/v1.3.0/src/main/java/com/fortify/ssc/parser/sarif/parser/VulnerabilitiesProducer.java#L87 and the value used originates at https://github.com/fortify/fortify-ssc-parser-sarif/blob/v1.3.0/src/main/java/com/fortify/ssc/parser/sarif/parser/VulnerabilitiesProducer.java#L169

I'm working to fix the root cause of the bad SARIF: https://github.com/microsoft/sarif-sdk/pull/2631

To be clear, the fact that Fortify is unable to import this (arguably invalid) SARIF is not the issue being reported. The issue being reported is that the exception/error information is terrible.

Can Fortify throw an exception with a nice message? For example, if in the implementation of `com.fortify.plugin.api.BasicVulnerabilityBuilder.setStringCustomAttributeValue(VulnerabilityAttribute, String)` it checked whether the `attributeValue` provided is too long, then threw an `IllegalArgumentException` which includes the `vulnerabilityAttribute` and `attributeValue`, that would make the user experience much better.

In general, the plugin framework log (`<fortify.home>/plugin-framework/logs/plugin-framework.log`) usually provides more meaningful information in case of plugin issues; can you please check whether that's also true for this particular issue?

Parser plugins cannot control how errors are being logged by SSC, in particular if the error is thrown by the SSC parser plugin framework rather than the parser itself; improving these log messages will require an SSC enhancement request to be submitted through the support portal.

> improving these log messages will require an SSC enhancement request to be submitted through the support portal.

I submitted a request as case number 02533418.

> Parser plugins cannot control how errors are being logged by SSC

I was thinking though... plugins can do more error checking themselves in their tests. Perhaps the `StaticVulnerabilityBuilder` used by this plugin's tests should be improved to validate the `setStringCustomAttributeValue` calls' arguments in the same way that Fortify SSC does itself in production? That would really help with validating that the plugin works correctly for the provided test files.
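The check requested above, that an oversized attribute value be rejected with an `IllegalArgumentException` naming the attribute and the value, is also the check the follow-up comment proposes adding to the plugin's own test-side builder. The following is an added example illustrating that shape; it is not code from this issue, from the SSC plugin API or from the fortify-ssc-parser-sarif project. The `ValidatingVulnerabilityBuilder` class, its `VulnerabilityAttribute` enum constants and the length limit passed to the constructor are all assumptions: the page does not state what limit SSC enforces, so a real test helper would have to take that number from the SSC version under test. The example counts Java `char`s; if the backing store limits bytes rather than characters, the comparison would need to be on the encoded length instead.

```java
import java.util.Collections;
import java.util.EnumMap;
import java.util.Map;
import java.util.Objects;

/**
 * Hypothetical test-side builder (not the SSC API) that validates string
 * attribute values up front and fails with a message that names the
 * attribute, the actual length, the limit and the start of the value.
 * Requires Java 11+ (String.repeat in main).
 */
public class ValidatingVulnerabilityBuilder {

    /** Stand-in for the plugin API's attribute enum; these constant names are assumptions. */
    public enum VulnerabilityAttribute { RULE_ID, MESSAGE, SNIPPET }

    /** How much of an offending value to quote in the error message. */
    private static final int PREVIEW_CHARS = 80;

    // Assumed limit; the SSC limit is not stated on the page, so the caller supplies it.
    private final int maxStringLength;
    private final Map<VulnerabilityAttribute, String> stringAttributes =
            new EnumMap<>(VulnerabilityAttribute.class);

    public ValidatingVulnerabilityBuilder(int maxStringLength) {
        if (maxStringLength <= 0) {
            throw new IllegalArgumentException("maxStringLength must be positive, got " + maxStringLength);
        }
        this.maxStringLength = maxStringLength;
    }

    /**
     * Mirrors the signature discussed in the issue. Rejects values longer than the
     * configured limit instead of letting them reach the persistence layer.
     */
    public ValidatingVulnerabilityBuilder setStringCustomAttributeValue(
            VulnerabilityAttribute attribute, String value) {
        Objects.requireNonNull(attribute, "attribute must not be null");
        if (value != null && value.length() > maxStringLength) {
            throw new IllegalArgumentException(String.format(
                    "Value for attribute %s is %d characters, limit is %d; value begins with: \"%s\"",
                    attribute, value.length(), maxStringLength, preview(value)));
        }
        stringAttributes.put(attribute, value);
        return this;
    }

    /** Unmodifiable view so tests can assert on what was actually recorded. */
    public Map<VulnerabilityAttribute, String> getStringAttributes() {
        return Collections.unmodifiableMap(stringAttributes);
    }

    /** Quote only a prefix of the value: the full text can be megabytes in a bad SARIF file. */
    static String preview(String value) {
        if (value.length() <= PREVIEW_CHARS) {
            return value;
        }
        return value.substring(0, PREVIEW_CHARS) + "...";
    }

    public static void main(String[] args) {
        // Constructed inputs: a short, valid value and an oversized one standing in
        // for the long SARIF field that triggered the failure in the issue.
        ValidatingVulnerabilityBuilder builder = new ValidatingVulnerabilityBuilder(2000);
        builder.setStringCustomAttributeValue(VulnerabilityAttribute.RULE_ID, "CA1234");

        String tooLong = "x".repeat(5000);
        try {
            builder.setStringCustomAttributeValue(VulnerabilityAttribute.MESSAGE, tooLong);
            System.out.println("unexpected: oversized value was accepted");
        } catch (IllegalArgumentException e) {
            // The message identifies which attribute overflowed and by how much.
            System.out.println(e.getMessage());
        }

        // The rejected value was never recorded; only the valid one is present.
        System.out.println(builder.getStringAttributes());
    }
}
```

Used from a plugin's unit tests, a builder like this turns a vague failure at import time into a test failure that points at the SARIF field and the line of the producer that copied it, which is the point of the comment above about validating the test files before they reach SSC.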