fortify fpr_parser: allow optional fields to be optional (#13160)

Author: fopina

dojo/tools/fortify/fpr_parser.py

@@ -133,14 +133,14 @@ def convert_vulnerabilities_to_findings(self, root: Element, audit_log: Element,
             finding = Finding(test=test, static_finding=True)
 
             finding.active, finding.false_p = self.compute_status(related_data, vuln_data)
-            finding.title = self.format_title(vuln_data, snippet, description, rule)
+            finding.title = self.format_title(vuln_data, snippet)
             finding.description = self.format_description(vuln_data, snippet, description, rule)
             finding.mitigation = self.format_mitigation(vuln_data, snippet, description, rule)
-            finding.severity = self.compute_severity(vuln_data, snippet, description, rule)
+            finding.severity = self.compute_severity(vuln_data, rule)
             finding.impact = self.format_impact(related_data, vuln_data)
 
             finding.file_path = vuln_data.source_location_path
-            finding.line = int(self.compute_line(vuln_data, snippet, description, rule))
+            finding.line = int(self.compute_line(vuln_data, snippet))
             finding.unique_id_from_tool = vuln_data.instance_id
 
             findings.append(finding)
@@ -225,26 +225,28 @@ def parse_description_information(self, description: Element) -> DescriptionData
     def parse_rule_information(self, rule: Element) -> RuleData:
         """Parse the rule information and return a RuleData object."""
         rule_data = RuleData()
-        rule_data.accuracy = rule.findtext("Group[@name='Accuracy']", None, self.namespaces)
-        rule_data.impact = rule.findtext("Group[@name='Impact']", None, self.namespaces)
-        rule_data.probability = rule.findtext("Group[@name='Probability']", None, self.namespaces)
-        rule_data.impact_bias = rule.findtext("Group[@name='ImpactBias']", None, self.namespaces)
-        rule_data.confidentiality_impact = rule.findtext("Group[@name='ConfidentialityImpact']", None, self.namespaces)
-        rule_data.integrity_impact = rule.findtext("Group[@name='IntegrityImpact']", None, self.namespaces)
-        rule_data.remediation_effort = rule.findtext("Group[@name='Recommendations']", None, self.namespaces)
-        logger.debug(f"Rule Impact: {rule_data.impact}")
+        if rule is not None:
+            rule_data.accuracy = rule.findtext("Group[@name='Accuracy']", None, self.namespaces)
+            rule_data.impact = rule.findtext("Group[@name='Impact']", None, self.namespaces)
+            rule_data.probability = rule.findtext("Group[@name='Probability']", None, self.namespaces)
+            rule_data.impact_bias = rule.findtext("Group[@name='ImpactBias']", None, self.namespaces)
+            rule_data.confidentiality_impact = rule.findtext("Group[@name='ConfidentialityImpact']", None, self.namespaces)
+            rule_data.integrity_impact = rule.findtext("Group[@name='IntegrityImpact']", None, self.namespaces)
+            rule_data.remediation_effort = rule.findtext("Group[@name='Recommendations']", None, self.namespaces)
+            logger.debug(f"Rule Impact: {rule_data.impact}")
         return rule_data
 
-    def format_title(self, vulnerability, snippet, description, rule) -> str:
+    def format_title(self, vulnerability, snippet) -> str:
         # defaults for when there is no snippet (shouldn't happen, future improvement: parser might also parse ReplacementDefinitions and/or Context elements)
         file_name = vulnerability.source_location_path.split("/")[-1]
-        line = self.compute_line(vulnerability, snippet, description, rule)
+        line = self.compute_line(vulnerability, snippet)
 
         return f"{vulnerability.vulnerability_type} - {file_name}: {line} ({vulnerability.class_id})"
 
     def format_description(self, vulnerability, snippet, description, rule) -> str:
         desc = f"##Catagory: {vulnerability.vulnerability_type}\n"
-        desc += f"###Abstract:\n{description.abstract}\n"
+        if description:
+            desc += f"###Abstract:\n{description.abstract}\n"
 
         desc += f"**SourceLocationPath:** {vulnerability.source_location_path}\n"
         desc += f"**SourceLocationLine:** {vulnerability.source_location_line}\n"
@@ -258,7 +260,8 @@ def format_description(self, vulnerability, snippet, description, rule) -> str:
                 "leads to this finding. \n")
             desc += f"###Snippet:\n**File: {snippet.file_name}: {snippet.start_line}**\n```\n{snippet.text}\n```\n"
 
-        desc += f"##Explanation:\n {description.explanation}"
+        if description:
+            desc += f"##Explanation:\n {description.explanation}"
 
         desc += f"##Details: {vulnerability.instance_id}\n"
         desc += f"**InstanceID:** {vulnerability.instance_id}\n"
@@ -273,14 +276,14 @@ def format_description(self, vulnerability, snippet, description, rule) -> str:
 
     def format_mitigation(self, vulnerability, snippet, description, rule) -> str:
         mitigation = ""
-        if description.recommendations:
+        if description and description.recommendations:
             mitigation += f"###Recommendation:\n {description.recommendations}\n"
 
-        if description.tips:
+        if description and description.tips:
             mitigation += f"###Tips:\n {description.tips}"
         return mitigation
 
-    def compute_severity(self, vulnerability, snippet, description, rule) -> str:
+    def compute_severity(self, vulnerability, rule) -> str:
         """Convert the the float representation of severity and confidence to a string severity."""
         if not rule.impact:
             logger.debug("No rule impact found, setting severity to Informational")
@@ -330,7 +333,7 @@ def compute_status(self, related_data, vulnerability) -> tuple[bool, bool]:
             return False, True
         return True, False
 
-    def compute_line(self, vulnerability, snippet, description, rule) -> str:
+    def compute_line(self, vulnerability, snippet) -> str:
         if snippet and snippet.start_line:
             return snippet.start_line
         return vulnerability.source_location_line

unittests/scans/fortify/hello_world_no_metainfo.fpr

@@ -154,3 +154,27 @@ def test_fortify_fpr_suppressed_finding(self):
                 self.assertFalse(finding.active)
                 self.assertTrue(finding.false_p)
                 self.assertEqual("Threaded Comments:\n2025-03-10T20:52:28.964+05:30 - (testuser): Not an issue. Handled in server config to refer to internal Artifactory\n", finding.impact)
+
+    def test_fortify_hello_world_fpr_rule_without_metainfo(self):
+        with (get_unit_tests_scans_path("fortify") / "hello_world_no_metainfo.fpr").open(encoding="utf-8") as testfile:
+            parser = FortifyParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(4, len(findings))
+            # for i in range(len(findings)):
+            #     print(f"{i}: {findings[i]}: {findings[i].severity}")
+
+            with self.subTest(i=0):
+                finding = findings[0]
+                self.assertEqual("Password Management - HelloWorld.java: 5 (720E3A66-55AC-4D2D-8DB9-DC30E120A52F)", finding.title)
+                # Info as rule has no metainfo/impact
+                self.assertEqual("Informational", finding.severity)
+                self.assertEqual("A5338E223E737FF81F8A806C50A05969", finding.unique_id_from_tool)
+                self.assertEqual("src/main/java/hello/HelloWorld.java", finding.file_path)
+                self.assertEqual(5, finding.line)
+            with self.subTest(i=1):
+                finding = findings[1]
+                self.assertEqual("Password Management - HelloWorld.java: 13 (9C5BD1B5-C296-48d4-B5F5-5D2958661BC4)", finding.title)
+                self.assertEqual("High", finding.severity)
+                self.assertEqual("D3166922519EDD92D132761602EB71B4", finding.unique_id_from_tool)
+                self.assertEqual("src/main/java/hello/HelloWorld.java", finding.file_path)
+                self.assertEqual(13, finding.line)