There were several bugs in the converter that led to invalid SARIF:

- The trailing 12-digit component of the GUID identifying the `toolComponent` for the CWE taxonomy had only 11 digits. This was due to an invalid GUID in `FortifyFprConverter.CweToolComponent.Guid`. Presumably this was a copy/paste error from when the author generated the GUID. I generated a new, valid GUID. Also, the invalid GUID had been copy/pasted to another location in the source code, rather than referring to it by its name `FortifyFprConverter.CweToolComponent.Guid`.
- Some `threadFlowLocation.kinds` arrays contained duplicate (non-unique) values. This was due to an incorrect initialization of one of the elements of the `ActionTypeToLocationKindMap` (which I also renamed to `ActionTypeToLocationKinds`).
- The array `run.threadFlowLocations` contained duplicate (non-unique) elements. This was due to the assumption that the `ThreadFlowLocation` objects we constructed from the Fortify `UnifiedNodePool` were all distinct. Although it is true that all the `Node` sub-elements of the `UnifiedNodePool` element are distinct, we do not use all of the properties of the `Node` element in constructing a `ThreadFlowLocation`. As a result, some of the `ThreadFlowLocation`s were identical.
- `rule.id` was missing. Fortify doesn't have anything other than the GUID to serve as `rule.id` -- which, per the spec, needs to be a "stable, opaque" identifier. So I assigned the GUID to both the `id` and `guid` properties.

Also:

- Upgrade FortifyTest.fpr.sarif (which had been generated by a pre-release version of the SDK) to the final version of the SARIF 2.1.0 format. This is necessary because if this file is down-level, the `FortifyFprConverter`'s call to the `PrereleaseCompatibilityTransformer` produces valid SARIF, masking the bugs in the converter.
- We do a little code cleanup (removing unnecessary parentheses in object initializers, capitalizing "SARIF" in comments, _etc._).
Larry Golding committed Aug 14, 2019
1 parent 6e194ec, commit 8bc1e45
Showing 7 changed files with 1,428 additions and 1,640 deletions.
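The four validity defects the commit message describes (a malformed `toolComponent` GUID, duplicate `threadFlowLocation.kinds` values, duplicate elements in `run.threadFlowLocations`, and a missing `rule.id`) can each be caught by a small structural check on the emitted log. The following checker is an added example, not code from the SARIF SDK or this commit; the SARIF fragment it runs over is constructed here to exhibit all four defects, with placeholder GUID values.

```python
import json
import re

# Constructed SARIF fragment (not the repository's FortifyTest.fpr.sarif) that
# exhibits the four defects described in the commit message; GUIDs are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "Fortify",
            # rule.id missing: only a guid is present
            "rules": [{"guid": "11111111-2222-3333-4444-555555555555"}],
        }},
        # trailing group has 11 hex digits instead of the required 12
        "taxonomies": [{"name": "CWE", "guid": "11111111-2222-3333-4444-55555555555"}],
        "threadFlowLocations": [
            {"location": {"physicalLocation": {"artifactLocation": {"uri": "a.c"}}},
             "kinds": ["call", "call"]},
            {"location": {"physicalLocation": {"artifactLocation": {"uri": "a.c"}}},
             "kinds": ["call", "call"]},  # identical to the element above
        ],
    }],
})

# SARIF GUID form: 8-4-4-4-12 hexadecimal groups
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_sarif_log(text):
    """Return a list of (check, detail) tuples; an empty list means the log passed."""
    log = json.loads(text)
    problems = []
    for run in log.get("runs", []):
        tool = run.get("tool", {})
        driver = tool.get("driver", {})
        # every toolComponent (driver, extensions, taxonomies) must carry a well-formed guid
        for comp in [driver] + tool.get("extensions", []) + run.get("taxonomies", []):
            guid = comp.get("guid")
            if guid is not None and not GUID_RE.match(guid):
                problems.append(("invalid-guid", f"{comp.get('name')}: {guid}"))
        # every rule needs a non-empty, stable id
        for i, rule in enumerate(driver.get("rules", [])):
            if not rule.get("id"):
                problems.append(("missing-rule-id", f"rules[{i}]"))
        # run.threadFlowLocations must be unique; compare canonical JSON of each element
        seen = set()
        for i, tfl in enumerate(run.get("threadFlowLocations", [])):
            key = json.dumps(tfl, sort_keys=True)
            if key in seen:
                problems.append(("duplicate-threadFlowLocation", f"threadFlowLocations[{i}]"))
            seen.add(key)
            kinds = tfl.get("kinds", [])
            if len(kinds) != len(set(kinds)):  # kinds values must be unique
                problems.append(("duplicate-kinds", f"threadFlowLocations[{i}]: {kinds}"))
    return problems


if __name__ == "__main__":
    for check, detail in check_sarif_log(SAMPLE_SARIF):
        print(f"{check}: {detail}")
```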