work-around for issue 55
use dependency-check-report.xml as inputFile

dependency-check-report.xml has an entry for each vulnerability, which
can be referenced by line, thus avoiding the shuffling problem.
sschober committed May 4, 2018
1 parent 94e2b79 commit f5a1775
Showing 4 changed files with 54 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import org.apache.commons.lang3.StringUtils;
import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.fs.TextRange;
import org.sonar.api.batch.rule.Severity;
import org.sonar.api.batch.sensor.Sensor;
import org.sonar.api.batch.sensor.SensorContext;
Expand Down Expand Up @@ -72,12 +73,19 @@ public DependencyCheckSensor(FileSystem fileSystem, PathResolver pathResolver) {
this.pathResolver = pathResolver;
}

private void addIssue(SensorContext context, Dependency dependency, Vulnerability vulnerability) {
private void addIssue(SensorContext context, InputFile reportFile, Dependency dependency, Vulnerability vulnerability) {

TextRange artificialTextRange = reportFile.selectLine(vulnerability.getLineNumer());
LOGGER.debug("TextRange: '{}' for dependency: '{}' and vulnerability: '{}'", artificialTextRange,
dependency.getFileName(), vulnerability.getName());

Severity severity = DependencyCheckUtils.cvssToSonarQubeSeverity(vulnerability.getCvssScore(), context.settings().getDouble(DependencyCheckConstants.SEVERITY_CRITICAL), context.settings().getDouble(DependencyCheckConstants.SEVERITY_MAJOR));

context.newIssue()
.forRule(RuleKey.of(DependencyCheckPlugin.REPOSITORY_KEY, DependencyCheckPlugin.RULE_KEY))
.at(new DefaultIssueLocation()
.on(context.module())
.on(reportFile)
.at(artificialTextRange)
.message(formatDescription(dependency, vulnerability))
)
.overrideSeverity(severity)
Expand Down Expand Up @@ -123,12 +131,20 @@ private void addIssues(SensorContext context, Analysis analysis) {
return;
}
for (Dependency dependency : analysis.getDependencies()) {
LOGGER.debug("Processing dependency '{}', filePath: '{}'", dependency.getFileName(), dependency.getFilePath());
InputFile testFile = fileSystem.inputFile(
fileSystem.predicates().hasPath(
escapeReservedPathChars(dependency.getFilePath())
)
);

String reportFilePath = context.settings().getString(DependencyCheckConstants.REPORT_PATH_PROPERTY);
InputFile reportFile = fileSystem.inputFile(fileSystem.predicates().hasPath(reportFilePath));
if (null == reportFile) {
LOGGER.warn("skipping dependency '{}' as no inputFile could established.", dependency.getFileName());
return;
}

int depVulnCount = dependency.getVulnerabilities().size();

if (depVulnCount > 0) {
Expand All @@ -139,7 +155,7 @@ private void addIssues(SensorContext context, Analysis analysis) {
saveMetricOnFile(context, testFile, DependencyCheckMetrics.TOTAL_DEPENDENCIES, (double) depVulnCount);

for (Vulnerability vulnerability : dependency.getVulnerabilities()) {
addIssue(context, dependency, vulnerability);
addIssue(context, reportFile, dependency, vulnerability);
vulnerabilityCount++;
}
}
Expand All @@ -158,7 +174,7 @@ private Analysis parseAnalysis(SensorContext context) throws IOException, Parser
return new ReportParser().parse(stream);
}
}

private String getHtmlReport(SensorContext context) {
XmlReportFile report = new XmlReportFile(context.settings(), fileSystem, this.pathResolver);
File reportFile = report.getFile(DependencyCheckConstants.HTML_REPORT_PATH_PROPERTY);
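Review bot: In addIssues the report-file lookup (`String reportFilePath = …` through the `null == reportFile` check) is placed inside the per-dependency loop although nothing in it depends on `dependency`, and on a miss it `return`s, so the warning "skipping dependency" is misleading: every remaining dependency and its metrics are dropped, not just that one. Hoist the lookup above the loop and make the warning say so (which also fixes "could established"). `fileSystem.inputFile(...)` only resolves files the scanner has indexed, so this presumably requires the report to live under the analysed sources; that constraint deserves a comment next to REPORT_PATH_PROPERTY. In addIssue, `reportFile.selectLine(vulnerability.getLineNumer())` will reject a line that does not exist in the indexed file (a report that differs from the indexed copy, or a parser that reported no location), so consider checking the line against `reportFile.lines()` before building the range. Both addIssue and addIssues extend beyond the hunks shown.
```java
// … unchanged: early return when the analysis has no dependencies …
String reportFilePath = context.settings().getString(DependencyCheckConstants.REPORT_PATH_PROPERTY);
InputFile reportFile = fileSystem.inputFile(fileSystem.predicates().hasPath(reportFilePath));
if (null == reportFile) {
    LOGGER.warn("skipping all dependencies: no inputFile could be established for report '{}'.", reportFilePath);
    return;
}
for (Dependency dependency : analysis.getDependencies()) {
    // … unchanged: per-dependency lookup, metrics and addIssue calls …
```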
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,7 @@ private Collection<Vulnerability> processVulnerabilities(SMInputCursor vulnC) th

private Vulnerability processVulnerability(SMInputCursor vulnC) throws XMLStreamException {
Vulnerability vulnerability = new Vulnerability();
vulnerability.setLineNumer(vulnC.getLocation().getLineNumber());
SMInputCursor childCursor = vulnC.childCursor();
while (childCursor.getNext() != null) {
String nodeName = childCursor.getLocalName();
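Review bot: `vulnC.getLocation().getLineNumber()` is stored unchecked, but a StAX `Location` reports -1 when no line information is available, and that value is later handed to `InputFile.selectLine` in DependencyCheckSensor, where it cannot name a valid line. Guard it before the setter, e.g. `int line = vulnC.getLocation().getLineNumber(); if (line > 0) { vulnerability.setLineNumer(line); }`, so the sensor can recognise an unset line. A short comment such as `// position of the <vulnerability> element in the report; used to anchor the issue in the report file` would explain why a parser records positions at all; which event the cursor location refers to here is inferred, so confirm it is the element start. processVulnerability continues past the hunk.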
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ public class Vulnerability {
private String severity;
private String description;
private String cwe;
private int lineNumer;

public String getName() {
return name;
Expand Down Expand Up @@ -67,4 +68,12 @@ public void setCwe(String cwe) {
this.cwe = cwe;
}

public int getLineNumer() {
return lineNumer;
}

public void setLineNumer(int lineNumer) {
this.lineNumer = lineNumer;
}

}
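Review bot: The new field, getter and setter are misspelled (`lineNumer`), and the typo now leaks into the callers in ReportParser (`setLineNumer`) and DependencyCheckSensor (`getLineNumer`); rename all three to `lineNumber`/`getLineNumber`/`setLineNumber` before more code depends on the name. The accessor also lacks documentation: a Javadoc on the getter such as `/** Line in the dependency-check XML report at which this vulnerability was parsed; 0 when never set. */` tells a reader why a model object carries a file position. The class starts before the first hunk.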
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,11 @@

import org.junit.Before;
import org.junit.Test;
import org.sonar.api.batch.fs.FilePredicate;
import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.batch.fs.InputComponent;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.fs.internal.DefaultInputFile;
import org.sonar.api.batch.measure.Metric;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
Expand Down Expand Up @@ -76,6 +79,12 @@ public void shouldAnalyse() throws URISyntaxException {

when(context.settings().getString(DependencyCheckConstants.REPORT_PATH_PROPERTY)).thenReturn("dependency-check-report.xml");
when(pathResolver.relativeFile(any(File.class), anyString())).thenReturn(sampleReport);

InputFile mockInputFile = mock(DefaultInputFile.class);
when(fileSystem.inputFile(any(FilePredicate.class))).thenReturn(mockInputFile);
when(mockInputFile.isFile()).thenReturn(true);


sensor.execute(context);
}

Expand All @@ -94,6 +103,11 @@ public void shouldAddAnIssueForAVulnerability() throws URISyntaxException {

when(context.settings().getString(DependencyCheckConstants.REPORT_PATH_PROPERTY)).thenReturn("dependency-check-report.xml");
when(pathResolver.relativeFile(any(File.class), anyString())).thenReturn(sampleReport);

InputFile mockInputFile = mock(DefaultInputFile.class);
when(fileSystem.inputFile(any(FilePredicate.class))).thenReturn(mockInputFile);
when(mockInputFile.isFile()).thenReturn(true);

sensor.execute(context);

verify(context, times(3)).newIssue();
Expand All @@ -105,6 +119,11 @@ public void shouldPersistTotalMetrics() throws URISyntaxException {

when(context.settings().getString(DependencyCheckConstants.REPORT_PATH_PROPERTY)).thenReturn("dependency-check-report.xml");
when(pathResolver.relativeFile(any(File.class), anyString())).thenReturn(sampleReport);

InputFile mockInputFile = mock(DefaultInputFile.class);
when(fileSystem.inputFile(any(FilePredicate.class))).thenReturn(mockInputFile);
when(mockInputFile.isFile()).thenReturn(true);

sensor.execute(context);

verify(context.newMeasure(), times(8)).forMetric(any(Metric.class));
Expand All @@ -116,6 +135,11 @@ public void shouldPersistMetricsOnReport() throws URISyntaxException {

when(context.settings().getString(DependencyCheckConstants.REPORT_PATH_PROPERTY)).thenReturn("dependency-check-report.xml");
when(pathResolver.relativeFile(any(File.class), anyString())).thenReturn(sampleReport);

InputFile mockInputFile = mock(DefaultInputFile.class);
when(fileSystem.inputFile(any(FilePredicate.class))).thenReturn(mockInputFile);
when(mockInputFile.isFile()).thenReturn(true);

sensor.execute(context);

verify(context.newMeasure(), atLeastOnce()).on(any(InputComponent.class));
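Review bot: The same three-line stub (`InputFile mockInputFile = mock(DefaultInputFile.class); when(fileSystem.inputFile(any(FilePredicate.class))).thenReturn(mockInputFile); when(mockInputFile.isFile()).thenReturn(true);`) is pasted into four tests (shouldAnalyse, shouldAddAnIssueForAVulnerability, shouldPersistTotalMetrics, shouldPersistMetricsOnReport); move it into the existing `@Before` set-up so a future change to the stub is made once. Because `selectLine` is never stubbed the mock presumably returns null, so these tests pass a null text range and do not exercise the line anchoring this commit introduces; stubbing `mockInputFile.selectLine(anyInt())` to return a `TextRange` would cover it. The choice of the concrete `DefaultInputFile` over the `InputFile` interface looks deliberate (likely to satisfy a cast inside the issue-location code) and deserves a one-line comment so nobody "fixes" it. The double blank line after the stub in shouldAnalyse should be collapsed to one. The `@Before` method lies outside the hunks.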
