
sonarqube2hdf output issues - null on mandtory fields

Open Jiri-Stary opened this issue 1 year ago • 2 comments

I run sonarqube2hdf

```sh
docker run --rm -w /share -v ${sarif_files_path}:/share -e SONAR_HOST_URL -e SONAR_TOKEN_GOLDENFROG mitre/saf:1.4.8 convert sonarqube2hdf -n ${{ inputs.SONAR_PROJECT_KEY || steps.sonar-properties.outputs.project-key}} -u $SONAR_HOST_URL --auth $SONAR_TOKEN -o ./hdf/sonarqube_scan.json
```

and afterwards I need to manually modify a couple of fields so I can convert it to SARIF

using:

```yaml
        - name: SARIF Multitool
          if: ${{  always()  && steps.sonarqube-query-json.outcome == 'success' }}
          uses: microsoft/[email protected]
          with:
                # Command to be sent to SARIF Multitool
                command: 'convert  ./hdf/sonarqube_scan.json -t Hdf --output ./hdf/sonarqube_scan.sarif'
```

The issue:

The sonarqube2hdf command is generating `null` where the SARIF multitool expects a specific value. My workaround is to use sed and replace null with empty values, which does work.

There are 2 problematic fields which are "mandatory": `version` and `code`.

```json
"profiles": [ { "name": "Sonarqube Scan", "version": null,
```

Could you take a look at this, please?

Jiri-Stary avatar Aug 07 '24 12:08 Jiri-Stary

Thanks for bringing this to our attention @Jiri-Stary. We'll take a look.

Amndeep7 avatar Sep 17 '24 16:09 Amndeep7

Hi @Jiri-Stary. It seems like the SARIF multi-tool currently has an issue which is making it impossible for me to test locally: "BUG: Fix ERR999.UnhandledEngineException: System.IO.FileNotFoundException: Could not find file when a file name or directory path contains URL-encoded characters.". We will need to wait until that bugfix is released before I can test any changes I make using that utility.

Amndeep7 avatar Sep 17 '24 18:09 Amndeep7

Using that PR I linked you to in #6583, I am getting the following error:

```
$ npx @microsoft/sarif-multitool convert sonarcloud.json -t Hdf --output sonarcloud.sarif

Newtonsoft.Json.JsonSerializationException: Required property 'code' not found in JSON. Path 'profiles[0].controls[0]', line 81, position 9.
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.EndProcessProperty(Object newObject, JsonReader reader, JsonObjectContract contract, Int32 initialDepth, JsonProperty property, PropertyPresence presence, Boolean setDefaultValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject(Object newObject, JsonReader reader, JsonObjectContract contract, JsonProperty member, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateList(IList list, JsonReader reader, JsonArrayContract contract, JsonProperty containerProperty, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateList(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, Object existingValue, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.SetPropertyValue(JsonProperty property, JsonConverter propertyConverter, JsonContainerContract containerContract, JsonProperty containerProperty, JsonReader reader, Object target)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject(Object newObject, JsonReader reader, JsonObjectContract contract, JsonProperty member, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateList(IList list, JsonReader reader, JsonArrayContract contract, JsonProperty containerProperty, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateList(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, Object existingValue, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.SetPropertyValue(JsonProperty property, JsonConverter propertyConverter, JsonContainerContract containerContract, JsonProperty containerProperty, JsonReader reader, Object target)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject(Object newObject, JsonReader reader, JsonObjectContract contract, JsonProperty member, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
   at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonSerializer.Deserialize(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
   at Newtonsoft.Json.JsonConvert.DeserializeObject[T](String value, JsonSerializerSettings settings)
   at Microsoft.CodeAnalysis.Sarif.Converters.HdfModel.HdfFile.FromJson(String json)
   at Microsoft.CodeAnalysis.Sarif.Converters.HdfConverter.Convert(Stream input, IResultLogWriter output, OptionallyEmittedData dataToInsert)
   at Microsoft.CodeAnalysis.Sarif.Converters.ToolFormatConverter.ConvertToStandardFormat(String toolFormat, Stream inputStream, IResultLogWriter outputStream, OptionallyEmittedData dataToInsert, String pluginAssemblyPath)
   at Microsoft.CodeAnalysis.Sarif.Converters.ToolFormatConverter.ConvertToStandardFormat(String toolFormat, String inputFileName, String outputFileName, FilePersistenceOptions logFilePersistenceOptions, OptionallyEmittedData dataToInsert, String pluginAssemblyPath)
   at Microsoft.CodeAnalysis.Sarif.Multitool.ConvertCommand.Run(ConvertOptions convertOptions, IFileSystem fileSystem)
```

It seems like the SARIF multitool is expecting certain attributes to be there which are not mandatory.

Here you can see that the code attribute is marked as being undefined/not provided, null, or a string: https://github.com/mitre/heimdall2/blob/b81071e8780c21a74bf963db9faddf5c919987c5/libs/inspecjs/src/generated_parsers/v_1_0/exec-json.ts#L157

However, SARIF is mistakenly requiring it (if I'm reading the C# correctly): https://github.com/microsoft/sarif-sdk/blob/d4aab92eb1b78a4bb8d87eeb18f6dbaaf3e69996/src/Sarif.Converters/HdfModel/ExecJsonControl.cs#L16

I unfortunately don't have the cycles to file a PR on the SARIF repo to fix this, but I am adding it to our tracker as something we can look into. If you have the availability, I'd be more than happy to review a PR.

Amndeep7 avatar Aug 13 '25 21:08 Amndeep7
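Two points in this thread concern the same mismatch: the original report's `sed` workaround that blanks every `null`, and the later diagnosis that the SARIF SDK's HDF model requires `code` (and the multitool rejects a null `version`) while the inspecjs schema allows those fields to be undefined or null. The script below is an added example that covers both; it is not code from heimdall2, the SAF CLI or the SARIF multitool. The HDF fragment is constructed, the only "required" fields it knows about are the two named in the thread (`profiles[].version` and `profiles[].controls[].code`), and the empty-string placeholder is an assumption, chosen because the report says the multitool accepts empty values. It patches just those fields in the parsed document, and contrasts that with the text-level substitution, which also rewrites the word `null` wherever it occurs inside a string value.

```python
import copy
import json
import sys

# Constructed sample in the shape the issue describes: an HDF exec JSON in which
# sonarqube2hdf emitted null for profiles[].version and profiles[].controls[].code.
# Every value here is a placeholder, not real scan output. The control description
# deliberately contains the word "null" to show why a blind text substitution is unsafe.
SAMPLE_HDF = {
    "platform": {"name": "sonarqube", "release": ""},
    "version": "0.0.0-placeholder",
    "statistics": {"duration": 0},
    "profiles": [
        {
            "name": "Sonarqube Scan",
            "version": None,
            "sha256": "0" * 64,
            "supports": [],
            "attributes": [],
            "groups": [],
            "controls": [
                {
                    "id": "example-rule-1",
                    "title": "Example finding",
                    "desc": "Dereferencing a null pointer",
                    "impact": 0.5,
                    "refs": [],
                    "tags": {},
                    "code": None,
                    "source_location": {},
                    "results": [],
                }
            ],
        }
    ],
}


def find_null_required(hdf: dict) -> list[str]:
    """Return the paths of fields that are null or absent in the HDF document
    but that the SARIF multitool's HDF converter refuses to deserialize without
    (only the two fields named in the issue are checked)."""
    problems = []
    for pi, profile in enumerate(hdf.get("profiles", [])):
        if profile.get("version") is None:
            problems.append(f"profiles[{pi}].version")
        for ci, control in enumerate(profile.get("controls", [])):
            if control.get("code") is None:
                problems.append(f"profiles[{pi}].controls[{ci}].code")
    return problems


def fill_null_required(hdf: dict, placeholder: str = "") -> dict:
    """Return a deep copy in which only those two fields are set to placeholder.
    Any other null, and the word 'null' inside string values, is left alone."""
    fixed = copy.deepcopy(hdf)
    for profile in fixed.get("profiles", []):
        if profile.get("version") is None:
            profile["version"] = placeholder
        for control in profile.get("controls", []):
            if control.get("code") is None:
                control["code"] = placeholder
    return fixed


def naive_text_replace(json_text: str) -> str:
    """The sed-style workaround from the report: rewrite every literal 'null'.
    Included only to contrast it with the targeted fix above."""
    return json_text.replace("null", '""')


def is_valid_json(text: str) -> bool:
    """True if the text still parses as JSON after a transformation."""
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False
    return True


def sample_json_text() -> str:
    """Serialize the constructed sample the way the CLI would write it."""
    return json.dumps(SAMPLE_HDF, indent=2)


def patch_file(src_path: str, dst_path: str) -> list[str]:
    """Read an HDF file, patch the two fields, write the result and return the
    paths that were patched so a pipeline step can log what it changed."""
    with open(src_path, encoding="utf-8") as fh:
        hdf = json.load(fh)
    patched = find_null_required(hdf)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(fill_null_required(hdf), fh, indent=2)
    return patched


if __name__ == "__main__":
    if len(sys.argv) == 3:
        for path in patch_file(sys.argv[1], sys.argv[2]):
            print(f"patched {path}")
    else:
        print("\n".join(find_null_required(SAMPLE_HDF)))
```

Saved as, say, `patch_hdf.py` (a hypothetical name), it slots in between the sonarqube2hdf step and the multitool step as `python patch_hdf.py ./hdf/sonarqube_scan.json ./hdf/sonarqube_scan.patched.json`, and the printed paths give the workflow log a record of exactly which fields were altered. On the constructed sample, `naive_text_replace` turns the description into `Dereferencing a "" pointer` and the file stops being valid JSON, which is the failure mode a plain `sed` on the whole file risks; a textual substitution that only matched `: null` would avoid that particular corruption but would still silently blank nulls in fields the multitool does not require.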