Merge pull request #3 from snyk-partners/fix/Fix-unique-issues-id-col…

…lisions fix: Fix unique issue id collisions
snyk-partners · Dec 7, 2020 · dd715e6 · dd715e6
2 parents 17ff3e5 + 9c3e082
commit dd715e6
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 6 deletions.
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>io.snyk.integrations.fortify</groupId>
     <artifactId>parser</artifactId>
-    <version>0.0.3</version>
+    <version>0.0.4</version>
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>

diff --git a/src/main/java/io/snyk/integrations/fortify/parser/CustomAttribute.java b/src/main/java/io/snyk/integrations/fortify/parser/CustomAttribute.java
@@ -15,6 +15,8 @@ public enum CustomAttribute implements com.fortify.plugin.spi.VulnerabilityAttri
     IS_UPGRADABLE("isUpgradable", AttrType.STRING),
     IS_PATCHABLE("isPatchable", AttrType.STRING),
     TARGET_FILE("targetFile", AttrType.STRING),
+
+    PROJECT_NAME("projectName", AttrType.STRING),
     ISSUE_URL("issueUrl", AttrType.STRING);
     ;
 

diff --git a/src/main/java/io/snyk/integrations/fortify/parser/Scan.java b/src/main/java/io/snyk/integrations/fortify/parser/Scan.java
@@ -5,7 +5,9 @@
 public class Scan {
     public Date scanDate;
 
+    public String targetFile;
     public String displayTargetFile;
+    public String projectName;
 
     public Issue[] vulnerabilities;
 
@@ -24,4 +26,4 @@ public class Issue {
         public boolean isUpgradable;
         public boolean isPatchable;
     }
-}
+}
diff --git a/src/main/java/io/snyk/integrations/fortify/parser/SnykParserPlugin.java b/src/main/java/io/snyk/integrations/fortify/parser/SnykParserPlugin.java
@@ -74,11 +74,12 @@ public void parseVulnerabilities(final ScanData scanData, final VulnerabilityHan
             for (Scan scan : scans) {
                 for (Scan.Issue issue : scan.vulnerabilities) {
                     try {
-                        String uniqueId = scan.displayTargetFile + ":" + hashJsonObject(issue);
+                        String targetFile = scan.targetFile != null ? scan.targetFile : scan.displayTargetFile;
+                        String uniqueId = hashStringObject(targetFile) + ":" + hashJsonObject(issue);
                         StaticVulnerabilityBuilder vulnerabilityBuilder = vulnerabilityHandler
                                 .startStaticVulnerability(uniqueId);
 
-                        buildVulnerability(vulnerabilityBuilder, issue, scan.displayTargetFile);
+                        buildVulnerability(vulnerabilityBuilder, issue, targetFile, scan.projectName);
 
                         vulnerabilityBuilder.completeVulnerability();
                     } catch (NullPointerException e) {
@@ -91,7 +92,7 @@ public void parseVulnerabilities(final ScanData scanData, final VulnerabilityHan
         }
     }
 
-    private void buildVulnerability(final StaticVulnerabilityBuilder vulnerabilityBuilder, final Scan.Issue issue, final String targetFile) {
+    private void buildVulnerability(final StaticVulnerabilityBuilder vulnerabilityBuilder, final Scan.Issue issue, final String targetFile, final String projectName) {
         // mandatory by SSC
         vulnerabilityBuilder.setAccuracy(5f);
         vulnerabilityBuilder.setAnalyzer("snyk");
@@ -135,6 +136,7 @@ private void buildVulnerability(final StaticVulnerabilityBuilder vulnerabilityBu
         vulnerabilityBuilder.setStringCustomAttributeValue(CustomAttribute.IS_PATCHABLE,
                 (issue.isPatchable ? "Yes" : "No"));
         vulnerabilityBuilder.setStringCustomAttributeValue(CustomAttribute.TARGET_FILE, targetFile);
+        vulnerabilityBuilder.setStringCustomAttributeValue(CustomAttribute.PROJECT_NAME, projectName);
         vulnerabilityBuilder.setStringCustomAttributeValue(CustomAttribute.ISSUE_URL,
                 "https://snyk.io/vuln/" + issue.id);
     }
@@ -164,4 +166,14 @@ private String hashJsonObject(final Object obj) {
             return ""; // should never reach here
         }
     }
+
+    private String hashStringObject(final String obj) {
+        try {
+            byte[] stringBytes = obj.getBytes();
+            byte[] digest = MessageDigest.getInstance("SHA-256").digest(stringBytes);
+            return UUID.nameUUIDFromBytes(digest).toString();
+        } catch (NoSuchAlgorithmException e) {
+            return ""; // should never reach here
+        }
+    }
 }
diff --git a/src/main/resources/plugin.xml b/src/main/resources/plugin.xml
@@ -4,7 +4,7 @@
         id="io.snyk.integrations.fortify.parser" api-version="1.0">
     <plugin-info>
         <name>Snyk Parser Plugin</name>
-        <version><!--VERSION-->0.0.3<!--/VERSION--></version>
+        <version><!--VERSION-->0.0.4<!--/VERSION--></version>
         <data-version>1</data-version>
         <vendor name="Snyk" url="https://snyk.io"/>
         <description>Snyk automates finding and fixing known vulnerabilities in your open source dependencies. This plugin parses "snyk test" results and uploads them to Fortify Software Security Center.

diff --git a/src/main/resources/resources/en.properties b/src/main/resources/resources/en.properties
@@ -11,4 +11,5 @@ from=Through
 isUpgradable=Is Upgradable
 isPatchable=Is Patchable
 targetFile=Target File
+projectName=Project Name
 issueUrl=More Info on snyk.io
diff --git a/src/main/resources/viewtemplate/ViewTemplate.json b/src/main/resources/viewtemplate/ViewTemplate.json
@@ -55,6 +55,12 @@
           "templateId": "SIMPLE",
           "dataType": "string"
         },
+        {
+          "type": "template",
+          "key": "customAttributes.projectName",
+          "templateId": "SIMPLE",
+          "dataType": "string"
+        },
         {
           "type": "template",
           "key": "customAttributes.packageManager",