Bug report: Fortify Plugin doesn't accurately map Fortify Priority to the correct Sonar Issue Severity


gordon.d...@gmail.com

Jul 15, 2015, 5:20:16 PM
to sona...@googlegroups.com

The docs for this plugin state "Note that severity of rules are taken from Fortify report (instanceSeverity) so the severity configured in quality profile is ignored." As the example project linked to at the end of this post demonstrates, the "instanceSeverity" field does not always map correctly to the "Fortify Priority". As a result, we can't trust that the severity of issues in Sonar maps accurately to the Fortify Priority. The "HowToUnderstandThisExample.txt" file in that example project demonstrates the problem and proposes a method of solving it.


Based on this understanding I've been using a clumsy workaround for a few months now and have found that it produces the right criticalities in Sonar. Our current workaround is to run a program that replaces the "instanceSeverity" values in the FVDL file with corrected values that we get out of the OWASP XML report. My proposed long-term fix is to change the Fortify Plugin to not use the (proprietary / versioned-contract-less) FVDL file and instead use one of the canned XML reports that Fortify can generate. See the "HowToUnderstandThisExample.txt" file for more info.


https://github.com/gjd6640/sonar-fortify-friority-bug-demo


(Original post's subject was incomplete. This is a second posting attempt.)

Simon Brandhof

Jul 15, 2015, 6:00:49 PM
to gordon.d...@gmail.com, sona...@googlegroups.com
Hi Gordon,

As ReportGenerator and its templates are poorly documented, I'm not sure that the format of the generated XML file is guaranteed to be more forward-compatible than FVDL. Nevertheless, what's the trick for converting the incorrect FVDL field "instanceSeverity" to the correct XML field "Priority"? Is ReportGenerator supposed to be more than a format converter? Does it connect to the Fortify360 server to get additional data?

Thanks


Simon BRANDHOF | SonarSource
Tech Lead & Co-Founder
http://twitter.com/SimonBrandhof


Gordon Daugherty

Jul 15, 2015, 6:38:24 PM
to Simon Brandhof, sona...@googlegroups.com
My understanding is that the FVDL file contains the values of the four factors that are used to compute the priority value. The ReportGenerator (locally, no server connection needed) reads in those four values and uses them in a simple formula to compute a single priority value. The weighting of that formula is end-customer adjustable. I think that most customers just use the default weighting.

So, yes, I believe the report generator is more than just a format converter since it computes a priority value.

Gordon
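The mechanism Gordon describes (four per-finding factors reduced to one priority, which the plugin then has to turn into a Sonar severity) can be checked independently of the FVDL "instanceSeverity" field. The following is an added example, not code from the thread, the Fortify plugin or the demo project: it assumes the commonly documented default weighting (Likelihood = Accuracy × Confidence × Probability / 25, quadrants split at 2.5 on Impact and Likelihood) and an assumed Priority-to-Sonar table, and flags findings whose reported Sonar severity disagrees with the recomputed priority.

```python
from dataclasses import dataclass

# Assumption: default Fortify Priority Order weighting. Customers can tune
# it, so verify these constants against your own Fortify installation.
LIKELIHOOD_DIVISOR = 25.0
THRESHOLD = 2.5

# Assumption: how a plugin might map Fortify Priority onto Sonar severity.
# The real plugin's table is not given in the thread.
PRIORITY_TO_SONAR = {
    "Critical": "BLOCKER", "High": "CRITICAL", "Medium": "MAJOR", "Low": "MINOR",
}


@dataclass(frozen=True)
class Factors:
    """The four per-finding factors the report generator reads from FVDL."""
    impact: float
    accuracy: float
    probability: float
    confidence: float


def likelihood(f: Factors) -> float:
    return f.accuracy * f.confidence * f.probability / LIKELIHOOD_DIVISOR


def fortify_priority(f: Factors) -> str:
    """Quadrant classification: high/low Impact crossed with high/low Likelihood."""
    high_impact = f.impact >= THRESHOLD
    high_likelihood = likelihood(f) >= THRESHOLD
    if high_impact and high_likelihood:
        return "Critical"
    if high_impact:
        return "High"
    if high_likelihood:
        return "Medium"
    return "Low"


def sonar_severity(f: Factors) -> str:
    return PRIORITY_TO_SONAR[fortify_priority(f)]


def find_mismatches(findings):
    """Return (id, reported, expected) for findings whose Sonar severity
    disagrees with the severity recomputed from the four factors."""
    return [(fid, reported, sonar_severity(f))
            for fid, f, reported in findings if sonar_severity(f) != reported]


# Constructed sample: two findings the plugin labelled correctly, one it did not.
SAMPLE_FINDINGS = [
    ("F1", Factors(impact=4.0, accuracy=5.0, probability=4.0, confidence=5.0), "BLOCKER"),
    ("F2", Factors(impact=4.0, accuracy=2.0, probability=2.0, confidence=5.0), "CRITICAL"),
    ("F3", Factors(impact=1.0, accuracy=5.0, probability=5.0, confidence=5.0), "MINOR"),
]
```

Running `find_mismatches(SAMPLE_FINDINGS)` over a real export (after parsing the factors out of the FVDL and the severities out of Sonar) gives a list of findings worth comparing against the Fortify XML report's "Priority" column.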