fortify / fortify-ssc-parser-sarif

SSC parser plugin for SARIF input files

Too long of a value results in very confusing exception #16

Open candrews opened 1 year ago

candrews commented 1 year ago

I'm trying to import this SARIF file: results.sarif

This results in a failure, and this exception is logged:

2023-03-02 19:16:40,531   [ERROR] com.fortify.manager.BLL.impl.FPRBLLImpl - Error parsing issues: results.sarif.zip
com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
    at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.translateException(FMDALExceptionTranslationInterceptor.java:70) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:41) ~[ssc-core-22.1.0.0149.jar:?]
    at jdk.internal.reflect.GeneratedMethodAccessor158.invoke(Unknown Source) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123) ~[spring-tx-5.3.18.jar:5.3.18]
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388) ~[spring-tx-5.3.18.jar:5.3.18]
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119) ~[spring-tx-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
    at com.fortify.manager.DAL.impl.ScanManagerImpl$$EnhancerBySpringCGLIB$$99088b66.parseScanIssues(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2240) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2194) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl$13.run(FPRBLLImpl.java:1886) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1883) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1856) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1716) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1599) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
    at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-22.1.0.0149.jar:?]
    at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61) ~[spring-security-core-5.6.2.jar:5.6.2]
    at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46) ~[ssc-core-22.1.0.0149.jar:?]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
    at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294) ~[ssc-core-22.1.0.0149.jar:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: com.fortify.manager.plugin.parser.exception.PluginParserException: Cannot process vulnerabilities
    at com.fortify.manager.plugin.parser.PluginFrameworkAnalysisParser.parseIssueInformation(PluginFrameworkAnalysisParser.java:176) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.DAL.impl.ScanManagerImpl.parseScanIssues(ScanManagerImpl.java:495) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.DAL.impl.ScanManagerImpl$$FastClassBySpringCGLIB$$131bf6cc.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:137) ~[spring-tx-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
    at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:39) ~[ssc-core-22.1.0.0149.jar:?]
    ... 61 more
Caused by: com.fortify.plugin.connector.api.ScanProcessingException: Error calling method setStringCustomAttributeValue; session c0kqtkopmh2bo
    at com.fortify.plugin.connector.parser.VulnerabilityProducerImpl.next(VulnerabilityProducerImpl.java:119) ~[plugin-connector-22.1.0.0149.jar:?]
    at com.fortify.manager.plugin.parser.PluginIssueProcessor.process(PluginIssueProcessor.java:47) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.plugin.parser.PluginFrameworkAnalysisParser.parseIssueInformation(PluginFrameworkAnalysisParser.java:174) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.DAL.impl.ScanManagerImpl.parseScanIssues(ScanManagerImpl.java:495) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.DAL.impl.ScanManagerImpl$$FastClassBySpringCGLIB$$131bf6cc.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:137) ~[spring-tx-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
    at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:39) ~[ssc-core-22.1.0.0149.jar:?]
    ... 61 more
2023-03-02 19:16:40,536   [ERROR] com.fortify.manager.BLL.impl.FPRBLLImpl - Scan processing exception for artifact id 521218
com.fortify.manager.service.parser.checker.ScanProcessException: Processing Messages:
  EXCEPTION: An unexpected error occurred during scan processing: com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
    at com.fortify.manager.BLL.impl.FPRBLLImpl.newUnexpectedScanProcessingException(FPRBLLImpl.java:2296) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2252) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2194) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl$13.run(FPRBLLImpl.java:1886) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1883) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1856) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1716) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1599) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
    at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-22.1.0.0149.jar:?]
    at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61) ~[spring-security-core-5.6.2.jar:5.6.2]
    at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46) ~[ssc-core-22.1.0.0149.jar:?]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
    at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294) ~[ssc-core-22.1.0.0149.jar:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at java.lang.Thread.run(Thread.java:829) ~[?:?]
2023-03-02 19:16:40,552   [ERROR] com.fortify.manager.logging.ExceptionInterceptor - Intercepted exception of type [com.fortify.manager.exception.FMDALException] thrown by target class [com.fortify.manager.BLL.impl.FPRBLLImpl] and method [public void com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(java.lang.Long,java.lang.Long,boolean,boolean,com.fortify.manager.BLL.impl.util.ArtifactUploadAdditionalParameters)]
com.fortify.manager.exception.FMDALException: Upload artifact failed for the following reason: Scan processing exception for artifact id 521218
    at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1644) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
    at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-22.1.0.0149.jar:?]
    at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61) ~[spring-security-core-5.6.2.jar:5.6.2]
    at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46) ~[ssc-core-22.1.0.0149.jar:?]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
    at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294) ~[ssc-core-22.1.0.0149.jar:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: com.fortify.manager.service.parser.checker.ScanProcessException: Processing Messages:
  EXCEPTION: An unexpected error occurred during scan processing: com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
    at com.fortify.manager.BLL.impl.FPRBLLImpl.newUnexpectedScanProcessingException(FPRBLLImpl.java:2296) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2252) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2194) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl$13.run(FPRBLLImpl.java:1886) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1883) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1856) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1716) ~[ssc-core-22.1.0.0149.jar:?]
    at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1599) ~[ssc-core-22.1.0.0149.jar:?]
    ... 34 more
2023-03-02 19:16:40,554   [WARN] com.fortify.manager.service.scheduler.SchedulerManagerImpl - Job JOB_ARTIFACTUPLOAD$610fefed-060d-452d-ae57-9a41cb50f653 failed: Upload artifact failed for the following reason: Scan processing exception for artifact id 521218\n[com.fortify.manager.exception.FMDALException: Upload artifact failed for the following reason: Scan processing exception for artifact id 521218\n at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1644)\n    at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581)\n    at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(&amp;lt;generated&amp;gt;)\n    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)\n   at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783)\n  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)\n  at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n  at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89)\n   at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72)\n   at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source)\n at java.base&#x2F;jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n  at java.base&#x2F;java.lang.reflect.Method.invoke(Method.java:566)\n    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634)\n  at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624)\n   at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72)\n    at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n  at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n  at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61)\n  at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46)\n at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n  at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n  at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)\n    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n  at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n  at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698)\n    at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(&amp;lt;generated&amp;gt;)\n  at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102)\n  at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90)\n  at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65)\n at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42)\n at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294)\n   at java.base&#x2F;java.util.concurrent.FutureTask.run(FutureTask.java:264)\n    at java.base&#x2F;java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)\n at java.base&#x2F;java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)\n at 
java.base&#x2F;java.lang.Thread.run(Thread.java:829)\n]

Digging in, I found that the cause is that setStringCustomAttributeValue is called with a value that is too long. The error occurs at this line: https://github.com/fortify/fortify-ssc-parser-sarif/blob/v1.3.0/src/main/java/com/fortify/ssc/parser/sarif/parser/VulnerabilitiesProducer.java#L87. The value used originates at https://github.com/fortify/fortify-ssc-parser-sarif/blob/v1.3.0/src/main/java/com/fortify/ssc/parser/sarif/parser/VulnerabilitiesProducer.java#L169

I'm working to fix the root cause of the bad SARIF: https://github.com/microsoft/sarif-sdk/pull/2631

To be clear, the fact that Fortify is unable to import this (arguably invalid) SARIF is not the issue being reported.

The issue being reported is that the exception/error information is terrible.

Can Fortify throw an exception with a nice message? For example, if in the implementation of com.fortify.plugin.api.BasicVulnerabilityBuilder.setStringCustomAttributeValue(VulnerabilityAttribute, String) it checked if the attributeValue provided is too long, then threw an IllegalArgumentException which includes the vulnerabilityAttribute and attributeValue, that would make the user experience much better.

rsenden commented 1 year ago

In general, the plugin framework log (<fortify.home>/plugin-framework/logs/plugin-framework.log) usually provides more meaningful information in case of plugin issues; can you please check whether that's also true for this particular issue?

Parser plugins cannot control how errors are being logged by SSC, in particular if the error is thrown by the SSC parser plugin framework rather than the parser itself; improving these log messages will require an SSC enhancement request to be submitted through the support portal.

candrews commented 1 year ago

> improving these log messages will require an SSC enhancement request to be submitted through the support portal.

I submitted a request as case number 02533418.

candrews commented 1 year ago

> Parser plugins cannot control how errors are being logged by SSC

I was thinking though... plugins can do more error checking themselves in their tests. Perhaps the StaticVulnerabilityBuilder used by this plugin's tests should be improved to validate the setStringCustomAttributeValue calls' arguments in the same way that Fortify SSC does itself in production?

That would really help with validating that the plugin works correctly for the provided test files.
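
The length check proposed in the first comment, combined with the test-builder validation suggested in the last one, as an added example; it is not code from this thread, the plugin, or Fortify SSC. `Attribute`, `StringAttributeSink` and `LengthCheckingSink` are hypothetical stand-ins for the plugin API types, and the 2000-character limit is a placeholder because the page does not state the limit SSC enforces.

```java
import java.util.ArrayList;
import java.util.List;

public class LengthCheckingBuilderDemo {

    /** Hypothetical stand-in for the plugin API's attribute type. */
    interface Attribute {
        String attributeName();
    }

    /** Hypothetical stand-in exposing only the builder method named in the issue. */
    interface StringAttributeSink {
        void setStringCustomAttributeValue(Attribute attribute, String value);
    }

    // ASSUMPTION: placeholder limit; the page does not state the length SSC enforces.
    static final int ASSUMED_MAX_LENGTH = 2000;
    // Only this many characters of an offending value are echoed into the message.
    static final int PREVIEW_LENGTH = 40;

    /** Decorator that rejects over-long values before they reach the wrapped builder. */
    static final class LengthCheckingSink implements StringAttributeSink {
        private final StringAttributeSink delegate;
        private final int maxLength;

        LengthCheckingSink(StringAttributeSink delegate, int maxLength) {
            this.delegate = delegate;
            this.maxLength = maxLength;
        }

        @Override
        public void setStringCustomAttributeValue(Attribute attribute, String value) {
            if (attribute == null) {
                throw new IllegalArgumentException("attribute must not be null");
            }
            // String.length() counts UTF-16 code units; a byte-based limit needs a different check.
            if (value != null && value.length() > maxLength) {
                throw new IllegalArgumentException(String.format(
                        "Value for custom attribute '%s' is too long: %d characters, limit %d; starts with \"%s\"",
                        attribute.attributeName(), value.length(), maxLength, preview(value)));
            }
            delegate.setStringCustomAttributeValue(attribute, value);
        }

        /** Truncates and replaces control characters so scan content cannot flood or forge log lines. */
        private static String preview(String value) {
            String head = value.substring(0, Math.min(PREVIEW_LENGTH, value.length()));
            return head.replaceAll("\\p{Cntrl}", "?") + "...";
        }
    }

    public static void main(String[] args) {
        // Recording sink plays the role of a test builder that just stores what it is given.
        List<String> stored = new ArrayList<>();
        StringAttributeSink recording =
                (attribute, value) -> stored.add(attribute.attributeName() + "=" + value);
        StringAttributeSink checked = new LengthCheckingSink(recording, ASSUMED_MAX_LENGTH);

        Attribute help = () -> "help"; // constructed attribute name
        checked.setStringCustomAttributeValue(help, "short value"); // accepted and stored

        // Constructed over-long input containing a newline, as scanner output often does.
        String tooLong = "line one\nline two " + "x".repeat(ASSUMED_MAX_LENGTH);
        try {
            checked.setStringCustomAttributeValue(help, tooLong);
        } catch (IllegalArgumentException e) {
            // The message names the attribute, the actual length and the limit.
            System.out.println(e.getMessage());
        }
        System.out.println("stored: " + stored);
    }
}
```

Echoing only a truncated, control-character-free preview keeps the message useful without copying an arbitrarily large or multi-line scanner string into the server log.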