fix: make sure that nil Cwe pointer is handled when getting the CWE ID

ccojocar · ccojocar · commit 19fa856badad · 2022-08-20T13:32:31.000+02:00
diff --git a/cwe/types.go b/cwe/types.go
@@ -19,7 +19,11 @@ func (w *Weakness) SprintURL() string {
 
 // SprintID format the CWE ID
 func (w *Weakness) SprintID() string {
-	return fmt.Sprintf("%s-%s", Acronym, w.ID)
+	id := "0000"
+	if w != nil {
+		id = w.ID
+	}
+	return fmt.Sprintf("%s-%s", Acronym, id)
 }
 
 // MarshalJSON print only id and URL
diff --git a/report/golint/writer.go b/report/golint/writer.go
@@ -15,7 +15,7 @@ func WriteReport(w io.Writer, data *gosec.ReportInfo) error {
 
 	for _, issue := range data.Issues {
 		what := issue.What
-		if issue.Cwe.ID != "" {
+		if issue.Cwe != nil && issue.Cwe.ID != "" {
 			what = fmt.Sprintf("[%s] %s", issue.Cwe.SprintID(), issue.What)
 		}
 
diff --git a/report/junit/formatter.go b/report/junit/formatter.go
@@ -8,11 +8,15 @@ import (
 )
 
 func generatePlaintext(issue *gosec.Issue) string {
+	cweID := "CWE"
+	if issue.Cwe != nil {
+		cweID = issue.Cwe.ID
+	}
 	return "Results:\n" +
 		"[" + issue.File + ":" + issue.Line + "] - " +
 		issue.What + " (Confidence: " + strconv.Itoa(int(issue.Confidence)) +
 		", Severity: " + strconv.Itoa(int(issue.Severity)) +
-		", CWE: " + issue.Cwe.ID + ")\n" + "> " + html.EscapeString(issue.Code)
+		", CWE: " + cweID + ")\n" + "> " + html.EscapeString(issue.Code)
 }
 
 // GenerateReport Convert a gosec report to a JUnit Report
diff --git a/report/sarif/formatter.go b/report/sarif/formatter.go
@@ -27,12 +27,14 @@ func GenerateReport(rootPaths []string, data *gosec.ReportInfo) (*Report, error)
 	weaknesses := make(map[string]*cwe.Weakness)
 
 	for _, issue := range data.Issues {
-		_, ok := weaknesses[issue.Cwe.ID]
-		if !ok {
-			weakness := cwe.Get(issue.Cwe.ID)
-			weaknesses[issue.Cwe.ID] = weakness
-			cweTaxon := parseSarifTaxon(weakness)
-			cweTaxa = append(cweTaxa, cweTaxon)
+		if issue.Cwe != nil {
+			_, ok := weaknesses[issue.Cwe.ID]
+			if !ok {
+				weakness := cwe.Get(issue.Cwe.ID)
+				weaknesses[issue.Cwe.ID] = weakness
+				cweTaxon := parseSarifTaxon(weakness)
+				cweTaxa = append(cweTaxa, cweTaxon)
+			}
 		}
 
 		r, ok := rulesIndices[issue.RuleID]
@@ -97,6 +99,9 @@ func parseSarifRule(issue *gosec.Issue) *ReportingDescriptor {
 }
 
 func buildSarifReportingDescriptorRelationship(weakness *cwe.Weakness) *ReportingDescriptorRelationship {
+	if weakness == nil {
+		return nil
+	}
 	return &ReportingDescriptorRelationship{
 		Target: &ReportingDescriptorReference{
 			ID:            weakness.ID,

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ func WriteReport(w io.Writer, data *gosec.ReportInfo) error {`
`15`	`15`
`16`	`16`	`for _, issue := range data.Issues {`
`17`	`17`	`what := issue.What`
`18`		`- if issue.Cwe.ID != "" {`
	`18`	`+ if issue.Cwe != nil && issue.Cwe.ID != "" {`
`19`	`19`	`what = fmt.Sprintf("[%s] %s", issue.Cwe.SprintID(), issue.What)`
`20`	`20`	`}`
`21`	`21`