The docs for this plugin state "Note that severity of rules are taken from Fortify report (instanceSeverity) so the severity configured in quality profile is ignored." As the example project linked to at the end of this post demonstrates, the "instanceSeverity" field does not always map correctly to the "Fortify Priority". As a result, we can't trust that the severity of issues in Sonar maps accurately to the Fortify Priority. The "HowToUnderstandThisExample.txt" file in that example project demonstrates the problem and proposes a method of solving it.
Based on this understanding, I've been using a clumsy workaround for a few months now and have found that it produces the right criticalities in Sonar. Our current workaround is to run a program that replaces the "instanceSeverity" values in the FVDL file with corrected values that we get out of the OWASP XML report. My proposed long-term fix is to change the Fortify Plugin to not use the (proprietary / versioned-contract-less) FVDL file and instead use one of the canned XML reports that Fortify can generate. See the "HowToUnderstandThisExample.txt" file for more info.
https://github.com/gjd6640/sonar-fortify-friority-bug-demo
(Original post's subject was incomplete. This is a second posting attempt.)
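The rewrite step of the workaround described above, as an added illustration that is not the poster's program nor part of the linked example project. It assumes a simplified FVDL layout (Vulnerability / InstanceInfo / InstanceID / InstanceSeverity elements, possibly under a default namespace), a constructed FVDL fragment, and a constructed priority-to-severity table; the corrected priorities per instance are passed in as a dict rather than parsed from the OWASP report.

```python
import xml.etree.ElementTree as ET

# Constructed FVDL fragment for demonstration; element names are an assumption
# about the FVDL layout, not taken from the post or the linked project.
SAMPLE_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
  <Vulnerabilities>
    <Vulnerability><InstanceInfo>
      <InstanceID>ID-1</InstanceID><InstanceSeverity>2.0</InstanceSeverity>
    </InstanceInfo></Vulnerability>
    <Vulnerability><InstanceInfo>
      <InstanceID>ID-2</InstanceID><InstanceSeverity>3.0</InstanceSeverity>
    </InstanceInfo></Vulnerability>
  </Vulnerabilities>
</FVDL>"""

# Assumed mapping from Fortify Priority (as read out of the OWASP XML report)
# to the InstanceSeverity value that yields the matching Sonar severity.
PRIORITY_TO_SEVERITY = {"Critical": "5.0", "High": "4.0", "Medium": "3.0", "Low": "2.0"}


def _local(tag: str) -> str:
    # FVDL carries a default namespace, so compare on the local name only.
    return tag.rsplit("}", 1)[-1]


def _child(el: ET.Element, name: str):
    return next((c for c in el if _local(c.tag) == name), None)


def patch_instance_severity(fvdl_xml: str, priorities: dict) -> str:
    """Return the FVDL with InstanceSeverity replaced for every instance whose
    corrected priority is known; untouched instances keep their original value."""
    root = ET.fromstring(fvdl_xml)
    for vuln in (e for e in root.iter() if _local(e.tag) == "Vulnerability"):
        info = _child(vuln, "InstanceInfo")
        if info is None:
            continue
        iid, sev = _child(info, "InstanceID"), _child(info, "InstanceSeverity")
        if iid is None or sev is None:
            continue
        priority = priorities.get(iid.text)
        if priority in PRIORITY_TO_SEVERITY:
            sev.text = PRIORITY_TO_SEVERITY[priority]
    return ET.tostring(root, encoding="unicode")


def severities(fvdl_xml: str) -> dict:
    """Map InstanceID -> InstanceSeverity, used to inspect a file before/after patching."""
    root = ET.fromstring(fvdl_xml)
    infos = [e for e in root.iter() if _local(e.tag) == "InstanceInfo"]
    return {_child(i, "InstanceID").text: _child(i, "InstanceSeverity").text for i in infos}
```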
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/7e0659df-c85d-4779-aceb-5ac235a71e75%40googlegroups.com.