Too long of a value results in very confusing exception #16

Open
candrews opened this issue Mar 3, 2023 · 3 comments

@candrews
Contributor

candrews commented Mar 3, 2023

I'm trying to import this SARIF file: results.sarif

This results in a failure, and this exception is logged:

2023-03-02 19:16:40,531   [ERROR] com.fortify.manager.BLL.impl.FPRBLLImpl - Error parsing issues: results.sarif.zip
com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.translateException(FMDALExceptionTranslationInterceptor.java:70) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:41) ~[ssc-core-22.1.0.0149.jar:?]
	at jdk.internal.reflect.GeneratedMethodAccessor158.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.DAL.impl.ScanManagerImpl$$EnhancerBySpringCGLIB$$99088b66.parseScanIssues(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2240) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2194) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$13.run(FPRBLLImpl.java:1886) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1883) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1856) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1716) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1599) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-22.1.0.0149.jar:?]
	at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61) ~[spring-security-core-5.6.2.jar:5.6.2]
	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294) ~[ssc-core-22.1.0.0149.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
	at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: com.fortify.manager.plugin.parser.exception.PluginParserException: Cannot process vulnerabilities
	at com.fortify.manager.plugin.parser.PluginFrameworkAnalysisParser.parseIssueInformation(PluginFrameworkAnalysisParser.java:176) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl.parseScanIssues(ScanManagerImpl.java:495) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl$$FastClassBySpringCGLIB$$131bf6cc.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:137) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:39) ~[ssc-core-22.1.0.0149.jar:?]
	... 61 more
Caused by: com.fortify.plugin.connector.api.ScanProcessingException: Error calling method setStringCustomAttributeValue; session c0kqtkopmh2bo
	at com.fortify.plugin.connector.parser.VulnerabilityProducerImpl.next(VulnerabilityProducerImpl.java:119) ~[plugin-connector-22.1.0.0149.jar:?]
	at com.fortify.manager.plugin.parser.PluginIssueProcessor.process(PluginIssueProcessor.java:47) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.plugin.parser.PluginFrameworkAnalysisParser.parseIssueInformation(PluginFrameworkAnalysisParser.java:174) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl.parseScanIssues(ScanManagerImpl.java:495) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.DAL.impl.ScanManagerImpl$$FastClassBySpringCGLIB$$131bf6cc.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:137) ~[spring-tx-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.DAL.support.FMDALExceptionTranslationInterceptor.aroundRepositoryMethod(FMDALExceptionTranslationInterceptor.java:39) ~[ssc-core-22.1.0.0149.jar:?]
	... 61 more
2023-03-02 19:16:40,536   [ERROR] com.fortify.manager.BLL.impl.FPRBLLImpl - Scan processing exception for artifact id 521218
com.fortify.manager.service.parser.checker.ScanProcessException: Processing Messages:
  EXCEPTION: An unexpected error occurred during scan processing: com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
	at com.fortify.manager.BLL.impl.FPRBLLImpl.newUnexpectedScanProcessingException(FPRBLLImpl.java:2296) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2252) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2194) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$13.run(FPRBLLImpl.java:1886) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1883) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1856) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1716) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1599) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-22.1.0.0149.jar:?]
	at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61) ~[spring-security-core-5.6.2.jar:5.6.2]
	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294) ~[ssc-core-22.1.0.0149.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
	at java.lang.Thread.run(Thread.java:829) ~[?:?]
2023-03-02 19:16:40,552   [ERROR] com.fortify.manager.logging.ExceptionInterceptor - Intercepted exception of type [com.fortify.manager.exception.FMDALException] thrown by target class [com.fortify.manager.BLL.impl.FPRBLLImpl] and method [public void com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(java.lang.Long,java.lang.Long,boolean,boolean,com.fortify.manager.BLL.impl.util.ArtifactUploadAdditionalParameters)]
com.fortify.manager.exception.FMDALException: Upload artifact failed for the following reason: Scan processing exception for artifact id 521218
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1644) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72) ~[ssc-core-22.1.0.0149.jar:?]
	at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61) ~[spring-security-core-5.6.2.jar:5.6.2]
	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46) ~[ssc-core-22.1.0.0149.jar:?]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753) ~[spring-aop-5.3.18.jar:5.3.18]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698) ~[spring-aop-5.3.18.jar:5.3.18]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(<generated>) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294) ~[ssc-core-22.1.0.0149.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
	at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: com.fortify.manager.service.parser.checker.ScanProcessException: Processing Messages:
  EXCEPTION: An unexpected error occurred during scan processing: com.fortify.manager.exception.FMScanParseException: Cannot process vulnerabilities
	at com.fortify.manager.BLL.impl.FPRBLLImpl.newUnexpectedScanProcessingException(FPRBLLImpl.java:2296) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseScanIssues(FPRBLLImpl.java:2252) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.parseIssuesForScans(FPRBLLImpl.java:2194) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl$13.run(FPRBLLImpl.java:1886) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.doRunStep(FprProcessingRunner.java:85) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FprProcessingRunner.runStep(FprProcessingRunner.java:61) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processScansAndIssuesForArtifact(FPRBLLImpl.java:1883) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifact(FPRBLLImpl.java:1856) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.processArtifactUpload(FPRBLLImpl.java:1716) ~[ssc-core-22.1.0.0149.jar:?]
	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1599) ~[ssc-core-22.1.0.0149.jar:?]
	... 34 more
2023-03-02 19:16:40,554   [WARN] com.fortify.manager.service.scheduler.SchedulerManagerImpl - Job JOB_ARTIFACTUPLOAD$610fefed-060d-452d-ae57-9a41cb50f653 failed: Upload artifact failed for the following reason: Scan processing exception for artifact id 521218\n[com.fortify.manager.exception.FMDALException: Upload artifact failed for the following reason: Scan processing exception for artifact id 521218\n	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1644)\n	at com.fortify.manager.BLL.impl.FPRBLLImpl.uploadArtifactJobCallback(FPRBLLImpl.java:1581)\n	at com.fortify.manager.BLL.impl.FPRBLLImpl$$FastClassBySpringCGLIB$$686a4cd1.invoke(&amp;lt;generated&amp;gt;)\n	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n	at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89)\n	at com.fortify.manager.logging.ExceptionInterceptor.aroundBll(ExceptionInterceptor.java:72)\n	at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source)\n	at java.base&#x2F;jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n	at java.base&#x2F;java.lang.reflect.Method.invoke(Method.java:566)\n	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634)\n	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624)\n	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72)\n	at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61)\n	at com.fortify.manager.security.FmMethodSecurityInteceptor.invoke(FmMethodSecurityInteceptor.java:46)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)\n	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)\n	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698)\n	at com.fortify.manager.BLL.impl.FPRBLLImpl$$EnhancerBySpringCGLIB$$a4d065aa.uploadArtifactJobCallback(&amp;lt;generated&amp;gt;)\n	at com.fortify.manager.BLL.jobs.ArtifactUploadJob.executeJob(ArtifactUploadJob.java:102)\n	at com.fortify.manager.service.scheduler.SimpleJob.executeJob(SimpleJob.java:90)\n	at com.fortify.manager.service.scheduler.SimpleJob.runInternal(SimpleJob.java:65)\n	at com.fortify.manager.service.scheduler.SimpleJob.run(SimpleJob.java:42)\n	at com.fortify.manager.service.scheduler.SchedulerManagerImpl.lambda$submitJob$3(SchedulerManagerImpl.java:294)\n	at java.base&#x2F;java.util.concurrent.FutureTask.run(FutureTask.java:264)\n	at java.base&#x2F;java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)\n	at java.base&#x2F;java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)\n	at 
java.base&#x2F;java.lang.Thread.run(Thread.java:829)\n]

Digging in, I found that the cause is that setStringCustomAttributeValue is called with a value that is too long. The error occurs at this line: https://github.com/fortify/fortify-ssc-parser-sarif/blob/v1.3.0/src/main/java/com/fortify/ssc/parser/sarif/parser/VulnerabilitiesProducer.java#L87. The value used originates at https://github.com/fortify/fortify-ssc-parser-sarif/blob/v1.3.0/src/main/java/com/fortify/ssc/parser/sarif/parser/VulnerabilitiesProducer.java#L169

I'm working to fix the root cause of the bad SARIF: microsoft/sarif-sdk#2631

To be clear, the fact that Fortify is unable to import this (arguably invalid) SARIF is not the issue being reported.

The issue being reported is that the exception/error information is terrible.

Can Fortify throw an exception with a nice message? For example, if in the implementation of com.fortify.plugin.api.BasicVulnerabilityBuilder.setStringCustomAttributeValue(VulnerabilityAttribute, String) it checked if the attributeValue provided is too long, then threw an IllegalArgumentException which includes the vulnerabilityAttribute and attributeValue, that would make the user experience much better.

@rsenden
Collaborator

rsenden commented Mar 3, 2023

In general, the plugin framework log (<fortify.home>/plugin-framework/logs/plugin-framework.log) usually provides more meaningful information in case of plugin issues; can you please check whether that's also true for this particular issue?

Parser plugins cannot control how errors are being logged by SSC, in particular if the error is thrown by the SSC parser plugin framework rather than the parser itself; improving these log messages will require an SSC enhancement request to be submitted through the support portal.

@candrews
Contributor Author

candrews commented Mar 4, 2023

> improving these log messages will require an SSC enhancement request to be submitted through the support portal.

I submitted a request as case number 02533418.

@candrews
Contributor Author

candrews commented Mar 4, 2023

> Parser plugins cannot control how errors are being logged by SSC

I was thinking though... plugins can do more error checking themselves in their tests. Perhaps the StaticVulnerabilityBuilder used by this plugin's tests should be improved to validate the setStringCustomAttributeValue calls' arguments in the same way that Fortify SSC does itself in production?

That would really help with validating that the plugin works correctly for the provided test files.
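
The length check proposed in this thread, written as a decorator that a test double could sit behind (an added example, not code from fortify-ssc-parser-sarif or SSC). The `Attribute` and `StringAttributeSink` interfaces are hypothetical stand-ins for the plugin API types, and the 2000-character limit is an assumption, since the thread does not state the real one.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public class ValidatingBuilderExample {

    /** Hypothetical stand-in for the plugin API's attribute type. */
    interface Attribute {
        String attributeName();
    }

    /** Hypothetical stand-in for the one builder method discussed in the issue. */
    interface StringAttributeSink {
        void setStringCustomAttributeValue(Attribute attribute, String value);
    }

    /** Assumed limit; the real SSC limit is not given in the thread. */
    static final int ASSUMED_MAX_LENGTH = 2000;

    /** How much of an offending value is echoed back in the error message. */
    static final int PREVIEW_CHARS = 40;

    /** Rejects over-long values before they reach the wrapped sink. */
    static final class ValidatingSink implements StringAttributeSink {
        private final StringAttributeSink delegate;
        private final int maxLength;

        ValidatingSink(StringAttributeSink delegate, int maxLength) {
            if (delegate == null) {
                throw new IllegalArgumentException("delegate must not be null");
            }
            if (maxLength <= 0) {
                throw new IllegalArgumentException("maxLength must be positive");
            }
            this.delegate = delegate;
            this.maxLength = maxLength;
        }

        @Override
        public void setStringCustomAttributeValue(Attribute attribute, String value) {
            if (attribute == null) {
                throw new IllegalArgumentException("attribute must not be null");
            }
            // null values are passed through; only the length is policed here
            if (value != null && value.length() > maxLength) {
                throw new IllegalArgumentException(String.format(
                        "Value for custom attribute '%s' is %d characters, limit is %d;"
                                + " value starts with \"%s\"",
                        attribute.attributeName(), value.length(), maxLength,
                        preview(value)));
            }
            delegate.setStringCustomAttributeValue(attribute, value);
        }

        /**
         * Bounded, single-line excerpt of the value. Scan files are untrusted
         * input, so the full value is not copied into the message and control
         * characters are replaced to keep the log entry on one line.
         */
        private static String preview(String value) {
            String head = value.substring(0, Math.min(PREVIEW_CHARS, value.length()));
            return head.replaceAll("\\p{Cntrl}", "?");
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory sink standing in for the test builder.
        Map<String, String> stored = new LinkedHashMap<>();
        StringAttributeSink inMemory =
                (attribute, value) -> stored.put(attribute.attributeName(), value);
        StringAttributeSink sink = new ValidatingSink(inMemory, ASSUMED_MAX_LENGTH);

        Attribute help = () -> "help"; // constructed attribute name

        // A value within the limit is stored unchanged.
        sink.setStringCustomAttributeValue(help, "Short rule description");
        System.out.println("stored: " + stored);

        // Constructed over-long value: one line break followed by filler text.
        char[] filler = new char[5000];
        Arrays.fill(filler, 'x');
        String tooLong = "line1\n" + new String(filler);

        try {
            sink.setStringCustomAttributeValue(help, tooLong);
        } catch (IllegalArgumentException e) {
            // The message names the attribute, the actual length and the limit.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The message reports the attribute name, the actual length and the limit, and echoes only a sanitized prefix of the value rather than the whole string.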
