fix(fortifyExecuteScan): occasional panics when snippets are undefined or contain XML comments (#3686)

2024-12-12 10:55:20 +02:00 · 2022-03-31 12:13:17 +02:00 · 2022-03-31 12:13:17 +02:00 · dc91332e29
commit dc91332e29
parent 20c5f0a63b
2 changed files with 25 additions and 16 deletions
--- a/pkg/fortify/fpr_to_sarif.go
+++ b/pkg/fortify/fpr_to_sarif.go
@ -648,25 +648,29 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
 						default:
 							snippetTarget = fvdl.Vulnerabilities.Vulnerability[i].AnalysisInfo.Trace[k].Primary.Entry[l].Node.Action.ActionData
 						}
-						physLocationSnippetLines := strings.Split(threadFlowLocation.Location.PhysicalLocation.ContextRegion.Snippet.Text, "\n")
-						snippetText := ""
-						for j := 0; j < len(physLocationSnippetLines); j++ {
-							if strings.Contains(physLocationSnippetLines[j], snippetTarget) {
-								snippetText = physLocationSnippetLines[j]
-								break
+						if threadFlowLocation.Location.PhysicalLocation.ContextRegion.Snippet != nil {
+							physLocationSnippetLines := strings.Split(threadFlowLocation.Location.PhysicalLocation.ContextRegion.Snippet.Text, "\n")
+							snippetText := ""
+							for j := 0; j < len(physLocationSnippetLines); j++ {
+								if strings.Contains(physLocationSnippetLines[j], snippetTarget) {
+									snippetText = physLocationSnippetLines[j]
+									break
+								}
 							}
+							snippetSarif := new(format.SnippetSarif)
+							if snippetText != "" {
+								snippetSarif.Text = snippetText
+							} else {
+								snippetSarif.Text = threadFlowLocation.Location.PhysicalLocation.ContextRegion.Snippet.Text
+							}
+							threadFlowLocation.Location.PhysicalLocation.Region.Snippet = snippetSarif
 						}
-						snippetSarif := new(format.SnippetSarif)
-						if snippetText != "" {
-							snippetSarif.Text = snippetText
-						} else {
-							snippetSarif.Text = threadFlowLocation.Location.PhysicalLocation.ContextRegion.Snippet.Text
-						}
-						threadFlowLocation.Location.PhysicalLocation.Region.Snippet = snippetSarif
 					} else {
-						snippetSarif := new(format.SnippetSarif)
-						snippetSarif.Text = threadFlowLocation.Location.PhysicalLocation.ContextRegion.Snippet.Text
-						threadFlowLocation.Location.PhysicalLocation.Region.Snippet = snippetSarif
+						if threadFlowLocation.Location.PhysicalLocation.ContextRegion.Snippet != nil {
+							snippetSarif := new(format.SnippetSarif)
+							snippetSarif.Text = threadFlowLocation.Location.PhysicalLocation.ContextRegion.Snippet.Text
+							threadFlowLocation.Location.PhysicalLocation.Region.Snippet = snippetSarif
+						}
 					}
 					location = *threadFlowLocation.Location
 					//set Kinds
--- a/pkg/fortify/fpr_to_sarif_test.go
+++ b/pkg/fortify/fpr_to_sarif_test.go
@ -60,6 +60,9 @@ func TestParse(t *testing.T) {
              <SourceLocation path="result/rules/Custom_Rules_for_Annotation_Management.xml" line="2" colStart="0" colEnd="0" snippet="DUMMYDUMMY#result/rules/Custom_Rules_for_Annotation_Management.xml:2:2"/>
            </Node>
          </Entry>
+          <Entry>
+            <NodeRef id="4491"/>
+          </Entry>
        </Primary>
      </Trace>
    </Unified>
@ -86,6 +89,7 @@ func TestParse(t *testing.T) {
          <Entry>
            <Node isDefault="true">
              <SourceLocation path="result/rules/Custom_Rules_for_Annotation_Management.xml" line="2" colStart="0" colEnd="0" snippet="DUMMYDUMMY#result/rules/Custom_Rules_for_Annotation_Management.xml:2:2"/>
+              <Action>Dummy action</Action>
            </Node>
          </Entry>
        </Primary>
@ -292,6 +296,7 @@ If you are concerned about leaking system data via NFC on an Android device, you
        <Group name="Impact">5</Group>
        <Group name="RemediationEffort">1</Group>
        <Group name="Probability">5</Group>
+        <Group name="altcategoryCWE">CWE ID 111</Group>
      </MetaInfo>
    </Rule>
  </RuleInfo>