fortify-ssc-parser-sarif's Introduction

Fortify SSC Parser Plugin for SARIF

Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.

This Fortify SSC parser plugin allows for importing SARIF (Static Analysis Results Interchange Format) files.

Limitations

  • SARIF 2.1.0 only
    The plugin should be able to parse any SARIF files that adhere to the SARIF 2.1.0 specification. Other versions of the specification are currently not supported.

  • Only basic issue information
    At the moment, the plugin only parses and displays basic issue information. Future versions of the plugin may display more information like code flows, thread flows, web requests, web responses, ...

  • Actual results may vary depending on input
    For example, due to the flexibility of the SARIF specification:

    • The plugin may be unable to calculate consistent, unique issue instance IDs because the input file doesn't provide sufficient details to uniquely identify an issue
    • The plugin may not be able to determine Fortify Priority Order because the input file does not provide issue severity levels
    • The plugin may be unable to determine Fortify Priority Order because the input file uses custom properties to specify issue severity
    • The plugin may be unable to display appropriate issue category or description because the input file is lacking this information, or providing this information in a non-standard way
  • SARIF results from multiple tools cannot be uploaded to a single SSC application version
    Because SARIF is a generic format, you may have multiple tools generating SARIF files that you want to import into SSC. Due to limitations in the SSC parser framework, it is currently not possible to import SARIF files from different sources into a single SSC application version. Regardless of which tool actually generated the SARIF file, SSC will assume that all SARIF files originate from the same scan engine. SSC will try to merge these uploads, thereby marking all issues from a previously uploaded SARIF file as 'removed'.
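
A pre-upload check for the input conditions listed above, as an added example that is not part of the plugin or its README. The `preflight` function, its finding codes, the identity tuple (fingerprints, otherwise rule id + file + line) and the `severity` property-name heuristic are assumptions made for illustration; the plugin's own instance-id and priority logic may differ.

```python
import json


def loc(uri, line):
    """Build a minimal SARIF location object for the constructed sample."""
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


# Constructed sample (not real scanner output): two tools and several gaps.
SAMPLE = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "scanner-a", "rules": [
            {"id": "R1", "shortDescription": {"text": "Reflected XSS"},
             "defaultConfiguration": {"level": "error"}},
            {"id": "R2", "properties": {"security-severity": "8.1"}}]}},
         "results": [
            {"ruleId": "R1", "ruleIndex": 0, "message": {"text": "tainted output"},
             "locations": [loc("src/a.jsp", 10)]},
            # Same rule, file and line as the previous result.
            {"ruleId": "R1", "ruleIndex": 0, "message": {"text": "tainted output"},
             "locations": [loc("src/a.jsp", 10)]},
            # Severity exists only as a custom property on the rule.
            {"ruleId": "R2", "ruleIndex": 1, "message": {"text": "weak hash"},
             "locations": [loc("src/b.java", 4)]},
            # No rule, no location, no message text.
            {"message": {}}]},
        {"tool": {"driver": {"name": "scanner-b"}}, "results": []},
    ],
}


def rule_for(result, rules):
    """Resolve the rule a result refers to, by ruleIndex first, then ruleId."""
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        return rules[idx]
    rid = result.get("ruleId")
    if rid is None:
        return {}
    return next((r for r in rules if r.get("id") == rid), {})


def identity(result):
    """Values that can tell two results apart, or None if there are too few."""
    fps = [result.get(k) for k in ("guid", "fingerprints", "partialFingerprints")]
    if any(fps):
        return ("fp", json.dumps(fps, sort_keys=True))
    phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri")
    if result.get("ruleId") is None or uri is None:
        return None
    return ("loc", result["ruleId"], uri, phys.get("region", {}).get("startLine"))


def preflight(doc):
    """Return (code, run_index, result_index) findings for one SARIF document."""
    findings = []
    if doc.get("version") != "2.1.0":
        findings.append(("UNSUPPORTED_VERSION", None, None))
    tools = set()
    for r_i, run in enumerate(doc.get("runs") or []):
        driver = run.get("tool", {}).get("driver", {})
        tools.add(driver.get("name"))
        rules = driver.get("rules") or []
        seen = set()
        for i, result in enumerate(run.get("results") or []):
            rule = rule_for(result, rules)
            # Severity: explicit result level, else the rule's default level.
            level = result.get("level") or rule.get("defaultConfiguration", {}).get("level")
            if level is None:
                props = {**rule.get("properties", {}), **result.get("properties", {})}
                custom = any("severity" in key.lower() for key in props)
                findings.append(("CUSTOM_SEVERITY" if custom else "NO_SEVERITY", r_i, i))
            # Identity: enough detail to tell this result from the others in the run.
            ident = identity(result)
            if ident is None:
                findings.append(("WEAK_IDENTITY", r_i, i))
            elif ident in seen:
                findings.append(("DUPLICATE_IDENTITY", r_i, i))
            else:
                seen.add(ident)
            # Description: message text/id on the result, or a rule description.
            msg = result.get("message", {})
            rule_desc = any(rule.get(k, {}).get("text")
                            for k in ("shortDescription", "fullDescription"))
            if not (msg.get("text") or msg.get("id") or rule_desc):
                findings.append(("NO_DESCRIPTION", r_i, i))
    if len(tools) > 1:
        findings.append(("MULTIPLE_TOOLS", None, None))
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(finding)
```

Running the check per file covers the first three limitations; to catch the multiple-tools case across separate uploads, compare the `tool.driver.name` values of every file destined for the same SSC application version.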

Support

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

The software is provided "as is" and is not supported through the regular OpenText Support channels. Support requests may be submitted through the GitHub Issues page for this repository. A (free) GitHub account is required to submit new issues or to comment on existing issues.

Support requests created through the GitHub Issues page may include bug reports, enhancement requests and general usage questions. Please avoid creating duplicate issues by checking whether there is any existing issue, either open or closed, that already addresses your question, bug or enhancement request. If an issue already exists, please add a comment to provide additional details if applicable.

Support requests on the GitHub Issues page are handled on a best-effort basis; there is no guaranteed response time, no guarantee that reported bugs will be fixed, and no guarantee that enhancement requests will be implemented. If you require dedicated support for this and other Fortify software, please consider purchasing OpenText Fortify Professional Services. OpenText Fortify Professional Services can assist with general usage questions, integration of the software into your processes, and implementing customizations, bug fixes, and feature requests (subject to feasibility analysis). Please contact your OpenText Sales representative or fill in the Professional Services Contact Form to obtain more information on pricing and the services that OpenText Fortify Professional Services can provide.


This document was auto-generated from README.template.md; do not edit by hand

fortify-ssc-parser-sarif's People

Contributors

candrews, github-actions[bot], rsenden

fortify-ssc-parser-sarif's Issues

Parsing Error

Using the semgrep tool with the p\xss rule pack to produce semgrep_results.zip against https://github.com/CSPF-Founder/JavaVulnerableLab results in a parsing error:

2021-02-23 20:29:16,884   [ERROR] com.fortify.manager.BLL.impl.FPRBLLImpl - Error parsing issues: semgrep_results.zip
com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.translateException(FMDALExceptionTranslationInterceptor.java:62) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:34) ~[ssc-core-20.2.0.0149.jar:?]
	at sun.reflect.GeneratedMethodAccessor153.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_282]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_282]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:295) ~[spring-tx-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98) ~[spring-tx-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at com.fortify.manager.DAL.impl.ScanManagerImpl$$EnhancerBySpringCGLIB$$b81a44b2.parseScanIssues(<generated>) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2285) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2239) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.access$1700(FPRBLLImpl.java:195) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$16.run(FPRBLLImpl.java:1915) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1912) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1885) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1745) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1622) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1604) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-20.2.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:750) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-20.2.0.0149.jar:?]
	at sun.reflect.GeneratedMethodAccessor857.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_282]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_282]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69) ~[spring-security-core-5.1.7.RELEASE.jar:5.1.7.RELEASE]
	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:47) ~[ssc-core-20.2.0.0149.jar:?]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$f1ff0abc.uploadArtifactJobCallback(<generated>) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:98) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:88) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:63) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:39) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:269) ~[ssc-core-20.2.0.0149.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_282]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
Caused by: com.fortify.manager.plugin.parser.exception.PluginParserException: Cannot process vulnerabilities
	at com.fortify.manager.plugin.parser.PluginFrameworkAnalysisParser.parseIssueInformation(PluginFrameworkAnalysisParser.java:176) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl.parseScanIssues(ScanManagerImpl.java:466) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl$$FastClassBySpringCGLIB$$131bf6cc.invoke(<generated>) ~[ssc-core-20.2.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:750) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:139) ~[spring-tx-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:32) ~[ssc-core-20.2.0.0149.jar:?]
	... 54 more
Caused by: com.fortify.plugin.connector.api.ScanProcessingException: can't parse argument number: ...; session 58rbi58qnqm6a
	at com.fortify.plugin.connector.parser.VulnerabilityProducerImpl.next(VulnerabilityProducerImpl.java:119) ~[plugin-connector-20.2.0.0014.jar:?]
	at com.fortify.manager.plugin.parser.PluginIssueProcessor.process(PluginIssueProcessor.java:50) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.plugin.parser.PluginFrameworkAnalysisParser.parseIssueInformation(PluginFrameworkAnalysisParser.java:174) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl.parseScanIssues(ScanManagerImpl.java:466) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl$$FastClassBySpringCGLIB$$131bf6cc.invoke(<generated>) ~[ssc-core-20.2.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:750) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:139) ~[spring-tx-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:32) ~[ssc-core-20.2.0.0149.jar:?]
	... 54 more
2021-02-23 20:29:16,890   [ERROR] com.fortify.manager.BLL.impl.FPRBLLImpl - Scan processing exception for artifact id 773
com.fortify.manager.service.parser.checker.ScanProcessException: null
	at com.fortify.manager.BLL.impl.FPRBLLImpl.newUnexpectedScanProcessingException(FPRBLLImpl.java:2341) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2297) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2239) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.access$1700(FPRBLLImpl.java:195) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$16.run(FPRBLLImpl.java:1915) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1912) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1885) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1745) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1622) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1604) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-20.2.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:750) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-20.2.0.0149.jar:?]
	at sun.reflect.GeneratedMethodAccessor857.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_282]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_282]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69) ~[spring-security-core-5.1.7.RELEASE.jar:5.1.7.RELEASE]
	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:47) ~[ssc-core-20.2.0.0149.jar:?]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$f1ff0abc.uploadArtifactJobCallback(<generated>) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:98) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:88) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:63) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:39) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:269) ~[ssc-core-20.2.0.0149.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_282]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
2021-02-23 20:29:16,900   [ERROR] com.fortify.manager.logging.ExceptionInterceptor - Intercepted exception of type [com.fortify.manager.exception.FMDALException] thrown by target class [com.fortify.manager.BLL.impl.FPRBLLImpl] and method [public void com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(java.lang.Long,java.lang.Long,boolean,boolean,com.fortify.manager.BLL.impl.util.ArtifactUploadAdditionalParameters)]
com.fortify.manager.exception.FMDALException: Upload artifact failed for the following reason: Scan processing exception for artifact id 773
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1667) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1604) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-20.2.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:750) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-20.2.0.0149.jar:?]
	at sun.reflect.GeneratedMethodAccessor857.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_282]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_282]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69) ~[spring-security-core-5.1.7.RELEASE.jar:5.1.7.RELEASE]
	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:47) ~[ssc-core-20.2.0.0149.jar:?]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689) ~[spring-aop-5.1.13.RELEASE.jar:5.1.13.RELEASE]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$f1ff0abc.uploadArtifactJobCallback(<generated>) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:98) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:88) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:63) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:39) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:269) ~[ssc-core-20.2.0.0149.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_282]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
Caused by: com.fortify.manager.service.parser.checker.ScanProcessException
	at com.fortify.manager.BLL.impl.FPRBLLImpl.newUnexpectedScanProcessingException(FPRBLLImpl.java:2341) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2297) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2239) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.access$1700(FPRBLLImpl.java:195) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$16.run(FPRBLLImpl.java:1915) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1912) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1885) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1745) ~[ssc-core-20.2.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1622) ~[ssc-core-20.2.0.0149.jar:?]
	... 30 more
2021-02-23 20:29:16,902   [WARN] com.fortify.manager.service.scheduler.SchedulerManagerImpl - Job JOB_ARTIFACTUPLOAD$14703008-d4ea-46e2-9f11-31c397cf0198 failed: Upload artifact failed for the following reason: Scan processing exception for artifact id 773\n[com.fortify.manager.exception.FMDALException: Upload artifact failed for the following reason: Scan processing exception for artifact id 773\n	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1667)\n	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1604)\n	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>)\n	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:750)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)\n	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88)\n	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72)\n	at sun.reflect.GeneratedMethodAccessor857.invoke(Unknown Source)\n	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n	at java.lang.reflect.Method.invoke(Method.java:498)\n	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644)\n	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633)\n	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69)\n	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:47)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:689)\n	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$f1ff0abc.uploadArtifactJobCallback(<generated>)\n	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:98)\n	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:88)\n	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:63)\n	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:39)\n	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:269)\n	at java.util.concurrent.FutureTask.run(FutureTask.java:266)\n	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\nat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n	at java.lang.Thread.run(Thread.java:748)\n]

and

2021-02-23T20:29:16,884 | WARN  | pool-12-thread-1 | ScanParserMessageHandler         | 21 - com.fortify.plugin.camel.scanparser - 20.2.0.0014 |  Unexpected error while parsing vulnerabilities; session 58rbi58qnqm6a
java.lang.IllegalArgumentException: can't parse argument number: ...
	at java.text.MessageFormat.makeFormat(MessageFormat.java:1429) ~[?:1.8.0_282]
	at java.text.MessageFormat.applyPattern(MessageFormat.java:479) ~[?:1.8.0_282]
	at java.text.MessageFormat.<init>(MessageFormat.java:362) ~[?:1.8.0_282]
	at java.text.MessageFormat.format(MessageFormat.java:840) ~[?:1.8.0_282]
	at com.fortify.ssc.parser.sarif.domain.Result.resolveArgs(Result.java:185) ~[?:?]
	at com.fortify.ssc.parser.sarif.domain.Result.getResultMessage(Result.java:175) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesProducer.getVulnerabilityAbstract(VulnerabilitiesProducer.java:93) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesProducer.generateInstanceIdString(VulnerabilitiesProducer.java:131) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesProducer.getInstanceIdString(VulnerabilitiesProducer.java:112) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesProducer.getInstanceId(VulnerabilitiesProducer.java:101) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesProducer.produceVulnerability(VulnerabilitiesProducer.java:43) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesParser.lambda$parseResults$0(VulnerabilitiesParser.java:109) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.lambda$handler$0(AbstractStreamingJsonParser.java:70) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:168) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseChildren(AbstractStreamingJsonParser.java:241) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseArrayEntries(AbstractStreamingJsonParser.java:228) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseObjectOrArrayChildren(AbstractStreamingJsonParser.java:205) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.lambda$addParentHandler$1(AbstractStreamingJsonParser.java:113) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:168) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:142) ~[?:?]
	at com.fortify.util.ssc.parser.AbstractScanDataStreamingJsonParser.parse(AbstractScanDataStreamingJsonParser.java:59) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesParser.parseResults(VulnerabilitiesParser.java:110) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesParser.parseRun(VulnerabilitiesParser.java:89) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:168) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseChildren(AbstractStreamingJsonParser.java:241) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseArrayEntries(AbstractStreamingJsonParser.java:228) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseObjectOrArrayChildren(AbstractStreamingJsonParser.java:205) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.lambda$addParentHandler$1(AbstractStreamingJsonParser.java:113) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:168) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseChildren(AbstractStreamingJsonParser.java:241) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseObjectProperties(AbstractStreamingJsonParser.java:217) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseObjectOrArrayChildren(AbstractStreamingJsonParser.java:203) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.lambda$addParentHandler$1(AbstractStreamingJsonParser.java:113) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:168) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:142) ~[?:?]
	at com.fortify.util.ssc.parser.AbstractScanDataStreamingJsonParser.parse(AbstractScanDataStreamingJsonParser.java:59) ~[?:?]
	at com.fortify.util.ssc.parser.AbstractScanDataStreamingJsonParser.parse(AbstractScanDataStreamingJsonParser.java:50) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesParser.parse(VulnerabilitiesParser.java:67) ~[?:?]
	at com.fortify.ssc.parser.sarif.SARIFParserPlugin.parseVulnerabilities(SARIFParserPlugin.java:51) ~[?:?]
	at sun.reflect.GeneratedMethodAccessor2687.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_282]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_282]
	at com.fortify.plugin.runtime.helpers.BundleUtils$PluginInvocationHandler.invoke(BundleUtils.java:196) ~[?:?]
	at com.sun.proxy.$Proxy317.parseVulnerabilities(Unknown Source) ~[?:?]
	at com.fortify.plugin.runtime.scanparser.internal.ScanParserServiceImpl.parseVulnerabilities(ScanParserServiceImpl.java:34) ~[?:?]
	at com.fortify.plugin.camel.scanparser.internal.ScanParserMessageHandler.handleInRequest(ScanParserMessageHandler.java:91) [com.fortify.plugin.camel.scanparser-20.2.0.0014.jar:?]
	at com.fortify.plugin.camel.scanparser.internal.ScanParserMessageHandler.handleInRequest(ScanParserMessageHandler.java:36) [com.fortify.plugin.camel.scanparser-20.2.0.0014.jar:?]
	at com.fortify.plugin.camel.helpers.ExchangeProcessorRequest.handle(ExchangeProcessorRequest.java:40) [com.fortify.plugin.camel-20.2.0.0014.jar:?]
	at com.fortify.plugin.camel.helpers.ExchangeProcessor$AsyncTask.run(ExchangeProcessor.java:123) [com.fortify.plugin.camel-20.2.0.0014.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
Caused by: java.lang.NumberFormatException: For input string: "..."
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_282]
	at java.lang.Integer.parseInt(Integer.java:569) ~[?:1.8.0_282]
	at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_282]
	at java.text.MessageFormat.makeFormat(MessageFormat.java:1427) ~[?:1.8.0_282]
	... 51 more

Gradle deprecation warning

The following warning is shown when running ./gradlew distThirdParty --warning-mode=all:

> Task :generateLicenseReport
The runtime configuration has been deprecated for resolution. This will fail with an error in Gradle 7.0. Please resolve the runtimeClasspath configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/6.8.3/userguide/upgrading_version_5.html#dependencies_should_no_longer_be_declared_using_the_compile_and_runtime_configurations

This is caused by this issue: jk1/Gradle-License-Report#161 (comment)

Once this has been fixed in the plugin, the plugin version should be updated in our build.gradle.

Note that this applies to all parser plugins in the fortify-ps organization: https://github.com/fortify-ps?q=fortify-ssc-parser

Sarif parser plugin is not working on JAVA 17

From the 23.2 release, SSC will be supporting Java 17.
We tried the latest SARIF plugin on the latest SSC running on Java 17.

When a user tries to upload a *.sarif file, it stays in the "Processing" state for one hour (after one hour the upload fails), and in plugin-framework.log there is an exception:

2023-08-02T10:31:38,733 | WARN  | pool-13-thread-2 | InOnlyTask                       | 27 - com.fortify.plugin.camel - 23.2.0.0 |  Message handling failed
java.lang.NoClassDefFoundError: Could not initialize class com.fortify.ssc.parser.sarif.domain.Artifact
	at com.fortify.ssc.parser.sarif.domain.RunData.<init>(RunData.java:71) ~[?:?]
	at com.fortify.ssc.parser.sarif.domain.RunData.parseRunData(RunData.java:87) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesParser.parseRun(VulnerabilitiesParser.java:88) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:178) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseChildren(AbstractStreamingJsonParser.java:243) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseArrayEntries(AbstractStreamingJsonParser.java:230) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseObjectOrArrayChildren(AbstractStreamingJsonParser.java:207) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.lambda$addParentHandler$2(AbstractStreamingJsonParser.java:127) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:178) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseChildren(AbstractStreamingJsonParser.java:243) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseObjectProperties(AbstractStreamingJsonParser.java:219) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parseObjectOrArrayChildren(AbstractStreamingJsonParser.java:205) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.lambda$addParentHandler$2(AbstractStreamingJsonParser.java:127) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:178) ~[?:?]
	at com.fortify.util.json.AbstractStreamingJsonParser.parse(AbstractStreamingJsonParser.java:156) ~[?:?]
	at com.fortify.util.ssc.parser.json.AbstractScanDataStreamingJsonParser.parse(AbstractScanDataStreamingJsonParser.java:64) ~[?:?]
	at com.fortify.util.ssc.parser.json.AbstractScanDataStreamingJsonParser.parse(AbstractScanDataStreamingJsonParser.java:52) ~[?:?]
	at com.fortify.ssc.parser.sarif.parser.VulnerabilitiesParser.parse(VulnerabilitiesParser.java:67) ~[?:?]
	at com.fortify.ssc.parser.sarif.SARIFParserPlugin.parseVulnerabilities(SARIFParserPlugin.java:51) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
	at com.fortify.plugin.runtime.helpers.BundleUtils$PluginInvocationHandler.invoke(BundleUtils.java:200) ~[?:?]
	at jdk.proxy13.$Proxy346.parseVulnerabilities(Unknown Source) ~[?:?]
	at com.fortify.plugin.runtime.scanparser.internal.ScanParserServiceImpl.parseVulnerabilities(ScanParserServiceImpl.java:39) ~[?:?]
	at com.fortify.plugin.camel.scanparser.internal.ScanParserMessageHandler.handleInRequest(ScanParserMessageHandler.java:96) ~[?:?]
	at com.fortify.plugin.camel.scanparser.internal.ScanParserMessageHandler.handleInRequest(ScanParserMessageHandler.java:40) ~[?:?]
	at com.fortify.plugin.camel.helpers.ExchangeProcessorRequest.handle(ExchangeProcessorRequest.java:38) ~[com.fortify.plugin.camel-23.2.0.0.jar:?]
	at com.fortify.plugin.camel.helpers.InOnlyTask.run(InOnlyTask.java:35) [com.fortify.plugin.camel-23.2.0.0.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
	at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.reflect.InaccessibleObjectException: Unable to make field private volatile boolean java.security.PermissionCollection.readOnly accessible: module java.base does not "opens java.security" to unnamed module @6034146 [in thread "pool-13-thread-1"]
	at java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354) ~[?:?]
	at java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297) ~[?:?]
	at java.lang.reflect.Field.checkCanSetAccessible(Field.java:178) ~[?:?]
	at java.lang.reflect.Field.setAccessible(Field.java:172) ~[?:?]
	at org.mapdb.elsa.ElsaSerializerPojo$FieldInfo.<init>(ElsaSerializerPojo.java:247) ~[?:?]
	at org.mapdb.elsa.ElsaSerializerPojo.makeClassInfo(ElsaSerializerPojo.java:297) ~[?:?]
	at org.mapdb.elsa.ElsaClassInfoResolver$ArrayBased.<init>(ElsaClassInfoResolver.java:31) ~[?:?]
	at org.mapdb.elsa.ElsaMaker.make(ElsaMaker.java:56) ~[?:?]
	at com.fortify.util.mapdb.CustomSerializerElsa.<init>(CustomSerializerElsa.java:62) ~[?:?]
	at com.fortify.ssc.parser.sarif.domain.Artifact.<clinit>(Artifact.java:37) ~[?:?]
	... 33 more

Sarif file validation failure

When running the tool with the sarif multi-tool I get a file that seems to be non-compliant with SARIF 2.1.0 based on the validator found here:

https://sarifweb.azurewebsites.net/Validation

The following is the error produced:

SARIF1010: runs[0].results[0]: This result contains neither of the properties 'ruleId' or 'rule.id'. The SARIF specification (§3.27.5) requires at least one of these properties to be present.

SARIF "kind" not handled

SARIF's kind is not currently handled. kind is how SARIF records findings for tests that were done or skipped or errored out as well as vulnerabilities (kind=fail, the default if kind is absent, indicates a vulnerability).

The values for kind and what I think this plugin should do in each case are:

  • pass should not record the vulnerability in fortify
  • open should behave the same as fail
  • informational should not record the vulnerability in fortify
  • notApplicable should not record the vulnerability in fortify
  • review should behave the same as fail
  • fail (the default if kind is not specified) should record the vulnerability in fortify (the current behavior)
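
A pre-upload check for three problems reported in the issues above: the `{...}` message text that made `MessageFormat` throw, the SARIF1010 missing `ruleId`/`rule.id`, and the `kind` handling proposed in this issue. This is an added example, not code from the plugin or from any issue author; the function names and the sample log are constructed. It assumes the SARIF 2.1.0 placeholder rule that `{n}` indexes `message.arguments` and literal braces are written `{{` and `}}`.

```python
import json
import re

# Kind handling as proposed in the issue above (not the plugin's current behaviour).
RECORDED_KINDS = {"fail", "open", "review"}
SKIPPED_KINDS = {"pass", "informational", "notApplicable"}

_ESCAPED_BRACE = re.compile(r"\{\{|\}\}")   # literal braces, written doubled
_BRACE_GROUP = re.compile(r"\{([^{}]*)\}")  # anything that looks like a placeholder


def bad_placeholders(text, arg_count):
    """Return the brace groups in a message string that are not usable {n} placeholders."""
    stripped = _ESCAPED_BRACE.sub("", text)
    problems = []
    for match in _BRACE_GROUP.finditer(stripped):
        body = match.group(1)
        # "{...}" is not a number; "{3}" with only one argument has nothing to substitute.
        if not re.fullmatch(r"[0-9]+", body) or int(body) >= arg_count:
            problems.append(match.group(0))
    remainder = _BRACE_GROUP.sub("", stripped)
    if "{" in remainder or "}" in remainder:
        problems.append("unbalanced brace")
    return problems


def preflight(sarif):
    """Walk a parsed SARIF log; return (results to record, results to skip, findings)."""
    to_record, skipped, findings = [], [], []
    for run_idx, run in enumerate(sarif.get("runs", [])):
        # run.results may be null when the tool failed before producing results.
        for res_idx, result in enumerate(run.get("results") or []):
            where = f"runs[{run_idx}].results[{res_idx}]"

            # SARIF1010: at least one of ruleId or rule.id must be present.
            if "ruleId" not in result and "id" not in (result.get("rule") or {}):
                findings.append((where, "missing ruleId and rule.id"))

            # Only inline text is checked; message.id lookups are left alone.
            message = result.get("message") or {}
            text = message.get("text")
            if text is not None:
                args = message.get("arguments") or []
                for placeholder in bad_placeholders(text, len(args)):
                    findings.append((where, f"unusable placeholder {placeholder}"))

            kind = result.get("kind", "fail")  # absent kind means "fail"
            if kind in RECORDED_KINDS:
                to_record.append(where)
            elif kind in SKIPPED_KINDS:
                skipped.append(where)
            else:
                findings.append((where, f"unknown kind {kind!r}"))
    return to_record, skipped, findings


# Constructed sample log, not taken from any issue on this page.
SAMPLE = json.loads("""
{ "version": "2.1.0",
  "runs": [ { "tool": {"driver": {"name": "example-tool"}},
    "results": [
      {"ruleId": "R1",
       "message": {"text": "Tainted value {0} reaches sink", "arguments": ["id"]}},
      {"ruleId": "R2", "kind": "pass", "message": {"text": "Check passed"}},
      {"message": {"text": "Use of {...} in template"}},
      {"rule": {"id": "R3"}, "kind": "review",
       "message": {"text": "Literal {{braces}} and {1}", "arguments": ["a"]}},
      {"ruleId": "R4", "kind": "notApplicable", "message": {"id": "default"}}
    ] } ] }
""")

if __name__ == "__main__":
    record, skip, problems = preflight(SAMPLE)
    print("record:", record)
    print("skip:  ", skip)
    for where, problem in problems:
        print(f"{where}: {problem}")
```
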

Too long of a value results in very confusing exception

I'm trying to import this SARIF file: results.sarif

This results in a failure, and this exception is logged:

2023-03-02 19:16:40,531   [ERROR] com.fortify.manager.BLL.impl.FPRBLLImpl - Error parsing issues: results.sarif.zip
com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.translateException(FMDALExceptionTranslationInterceptor.java:70) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:41) ~[ssc-core-22.1.0.0149.jar:?]
	at jdk.internal.reflect.GeneratedMethodAccessor158.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.DAL.impl.ScanManagerImpl$$EnhancerBySpringCGLIB$$99088b66.parseScanIssues(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2240) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2194) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$13.run(FPRBLLImpl.java:1886) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1883) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1856) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1716) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1599) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-22.1.0.0149.jar:?]
	at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61) ~[spring-security-core-5.6.2.jar:5.6.2]
	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294) ~[ssc-core-22.1.0.0149.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
	at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: com.fortify.manager.plugin.parser.exception.PluginParserException: Cannot process vulnerabilities
	at com.fortify.manager.plugin.parser.PluginFrameworkAnalysisParser.parseIssueInformation(PluginFrameworkAnalysisParser.java:176) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl.parseScanIssues(ScanManagerImpl.java:495) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl$$FastClassBySpringCGLIB$$131bf6cc.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:137) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:39) ~[ssc-core-22.1.0.0149.jar:?]
	... 61 more
Caused by: com.fortify.plugin.connector.api.ScanProcessingException: Error calling method setStringCustomAttributeValue; session c0kqtkopmh2bo
	at com.fortify.plugin.connector.parser.VulnerabilityProducerImpl.next(VulnerabilityProducerImpl.java:119) ~[plugin-connector-22.1.0.0149.jar:?]
	at com.fortify.manager.plugin.parser.PluginIssueProcessor.process(PluginIssueProcessor.java:47) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.plugin.parser.PluginFrameworkAnalysisParser.parseIssueInformation(PluginFrameworkAnalysisParser.java:174) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl.parseScanIssues(ScanManagerImpl.java:495) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl$$FastClassBySpringCGLIB$$131bf6cc.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:137) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:39) ~[ssc-core-22.1.0.0149.jar:?]
	... 61 more
2023-03-02 19:16:40,536   [ERROR] com.fortify.manager.BLL.impl.FPRBLLImpl - Scan processing exception for artifact id 521218
com.fortify.manager.service.parser.checker.ScanProcessException: Processing Messages:
  EXCEPTION: An unexpected error occurred during scan processing: com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
	at com.fortify.manager.BLL.impl.FPRBLLImpl.newUnexpectedScanProcessingException(FPRBLLImpl.java:2296) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2252) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2194) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$13.run(FPRBLLImpl.java:1886) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1883) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1856) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1716) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1599) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-22.1.0.0149.jar:?]
	at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61) ~[spring-security-core-5.6.2.jar:5.6.2]
	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294) ~[ssc-core-22.1.0.0149.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
	at java.lang.Thread.run(Thread.java:829) ~[?:?]
2023-03-02 19:16:40,552   [ERROR] com.fortify.manager.logging.ExceptionInterceptor - Intercepted exception of type [com.fortify.manager.exception.FMDALException] thrown by target class [com.fortify.manager.BLL.impl.FPRBLLImpl] and method [public void com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(java.lang.Long,java.lang.Long,boolean,boolean,com.fortify.manager.BLL.impl.util.ArtifactUploadAdditionalParameters)]
com.fortify.manager.exception.FMDALException: Upload artifact failed for the following reason: Scan processing exception for artifact id 521218
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1644) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-22.1.0.0149.jar:?]
	at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61) ~[spring-security-core-5.6.2.jar:5.6.2]
	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294) ~[ssc-core-22.1.0.0149.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
	at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: com.fortify.manager.service.parser.checker.ScanProcessException: Processing Messages:
  EXCEPTION: An unexpected error occurred during scan processing: com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
	at com.fortify.manager.BLL.impl.FPRBLLImpl.newUnexpectedScanProcessingException(FPRBLLImpl.java:2296) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2252) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2194) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$13.run(FPRBLLImpl.java:1886) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1883) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1856) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1716) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1599) ~[ssc-core-22.1.0.0149.jar:?]
	... 34 more
2023-03-02 19:16:40,554   [WARN] com.fortify.manager.service.scheduler.SchedulerManagerImpl - Job JOB_ARTIFACTUPLOAD$610fefed-060d-452d-ae57-9a41cb50f653 failed: Upload artifact failed for the following reason: Scan processing exception for artifact id 521218\n[com.fortify.manager.exception.FMDALException: Upload artifact failed for the following reason: Scan processing exception for artifact id 521218\n	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1644)\n	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581)\n	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(&amp;lt;generated&amp;gt;)\n	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89)\n	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72)\n	at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source)\n	at java.base&#x2F;jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n	at java.base&#x2F;java.lang.reflect.Method.invoke(Method.java:566)\n	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634)\n	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624)\n	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72)\n	at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61)\n	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698)\n	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(&amp;lt;generated&amp;gt;)\n	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102)\n	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90)\n	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65)\n	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42)\n	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294)\n	at java.base&#x2F;java.util.concurrent.FutureTask.run(FutureTask.java:264)\n	at java.base&#x2F;java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)\n	at java.base&#x2F;java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)\n	at 
java.base&#x2F;java.lang.Thread.run(Thread.java:829)\n]

Digging in, I found that the cause is that setStringCustomAttributeValue is called with a value that is too long. The error occurs at this line: https://github.com/fortify/fortify-ssc-parser-sarif/blob/v1.3.0/src/main/java/com/fortify/ssc/parser/sarif/parser/VulnerabilitiesProducer.java#L87. The value used originates at https://github.com/fortify/fortify-ssc-parser-sarif/blob/v1.3.0/src/main/java/com/fortify/ssc/parser/sarif/parser/VulnerabilitiesProducer.java#L169

I'm working to fix the root cause of the bad SARIF: microsoft/sarif-sdk#2631

To be clear, the fact that Fortify is unable to import this (arguably invalid) SARIF is not the issue being reported.

The issue being reported is that the exception/error information is terrible.

Can Fortify throw an exception with a nice message? For example, if in the implementation of com.fortify.plugin.api.BasicVulnerabilityBuilder.setStringCustomAttributeValue(VulnerabilityAttribute, String) it checked if the attributeValue provided is too long, then threw an IllegalArgumentException which includes the vulnerabilityAttribute and attributeValue, that would make the user experience much better.
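A sketch of the kind of check requested above, added here as an example; it is not code from the plugin, from the Fortify plugin API, or from the issue author. The length limit, the attribute name and the `sink` callback standing in for the real `setStringCustomAttributeValue` are assumptions, since the page does not state the actual limit. The message carries only a bounded, single-line preview of the value so an oversized or multi-line input cannot flood or break up the server log.

```java
import java.util.function.BiConsumer;

public class CustomAttributeGuard {
    // Assumption: placeholder limit; the page does not state the real SSC maximum.
    static final int ASSUMED_MAX_LENGTH = 2000;
    // How much of the offending value is echoed back in the error message.
    static final int PREVIEW_LENGTH = 60;

    /**
     * Validates the value, then passes it to the real setter. The setter is
     * supplied as 'sink' (hypothetical stand-in) so this example compiles
     * without the Fortify plugin API on the classpath.
     */
    static void setChecked(String attributeName, String value,
                           BiConsumer<String, String> sink) {
        if (value != null && value.length() > ASSUMED_MAX_LENGTH) {
            throw new IllegalArgumentException(String.format(
                "Value for custom attribute '%s' is %d characters long; "
                    + "maximum is %d. Value starts with: \"%s...\"",
                attributeName, value.length(), ASSUMED_MAX_LENGTH, preview(value)));
        }
        sink.accept(attributeName, value);
    }

    // Bounded preview with control characters replaced, so the message stays
    // on one log line regardless of what the SARIF file contained.
    static String preview(String value) {
        String head = value.substring(0, Math.min(PREVIEW_LENGTH, value.length()));
        return head.replaceAll("\\p{Cntrl}", " ");
    }

    public static void main(String[] args) {
        BiConsumer<String, String> sink = (name, v) ->
            System.out.println("stored " + name + " (" + v.length() + " chars)");

        // Constructed sample inputs; "exampleAttribute" is a hypothetical name.
        setChecked("exampleAttribute", "Short value", sink);
        String oversized = "line one\nline two " + "x".repeat(ASSUMED_MAX_LENGTH);
        try {
            setChecked("exampleAttribute", oversized, sink);
        } catch (IllegalArgumentException e) {
            // The upload would still fail, but the log now names the attribute,
            // the actual length and the limit instead of a generic parse error.
            System.out.println(e.getMessage());
        }
    }
}
```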
