cr fixes

build.gradle

@@ -4,7 +4,7 @@ import java.net.http.HttpResponse
 import java.nio.file.Paths
 
 plugins {
-    id "org.jetbrains.intellij" version "1.17.0"
+    id "org.jetbrains.intellij" version "1.16.0"
     id "java"
     id "maven-publish"
     id "de.undercouch.download" version "5.3.0"

src/main/java/com/jfrog/ide/idea/inspections/JFrogSecurityWarning.java

@@ -58,16 +58,24 @@ public JFrogSecurityWarning(SarifResult result, SourceCodeScanType reporter, Rul
                 getFirstRegion(result).getEndLine() - 1,
                 getFirstRegion(result).getEndColumn() - 1,
                 result.getMessage().getText(),
-                !result.getLocations().isEmpty() ? uriToPath(result.getLocations().get(0).getPhysicalLocation().getArtifactLocation().getUri()) : "",
+                getFilePath(result),
                 result.getRuleId(),
                 getFirstRegion(result).getSnippet().getText(),
                 reporter,
-                (!result.getKind().equals("pass") && (rule.getRuleProperties().map(properties -> properties.getApplicability().equals("applicable")).orElse(true))),
+                isWarningApplicable(result,rule),
                 Severity.fromSarif(result.getSeverity()),
                 convertCodeFlowsToFindingInfo(result.getCodeFlows())
         );
     }
 
+    private static boolean isWarningApplicable(SarifResult result,Rule rule){
+       return !result.getKind().equals("pass") && (rule.getRuleProperties().map(properties -> properties.getApplicability().equals("applicable")).orElse(true));
+    }
+
+    private static String getFilePath(SarifResult result){
+       return !result.getLocations().isEmpty() ? uriToPath(result.getLocations().get(0).getPhysicalLocation().getArtifactLocation().getUri()) : "";
+    }
+
     private static FindingInfo[][] convertCodeFlowsToFindingInfo(List<CodeFlow> codeFlows) {
         if (codeFlows == null || codeFlows.isEmpty()) {
             return null;

src/main/java/com/jfrog/ide/idea/scan/data/Rule.java

@@ -1,6 +1,8 @@
 package com.jfrog.ide.idea.scan.data;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Getter;
+import org.apache.batik.svggen.font.table.RangeRecord;
 
 import java.util.Objects;
 import java.util.Optional;
@@ -56,6 +58,7 @@ public int hashCode() {
         return Objects.hash(id);
     }
 
+
     @Override
     public boolean equals(Object other) {
         if (other == this) {
@@ -68,3 +71,5 @@ public boolean equals(Object other) {
         return Objects.equals(this.id, rhs.id);
     }
 }
+
+

src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java

@@ -7,6 +7,7 @@
 import junit.framework.TestCase;
 import org.apache.commons.io.FileUtils;
 import org.jfrog.build.api.util.NullLog;
+import org.junit.Assert;
 
 import java.io.File;
 import java.io.IOException;
@@ -15,6 +16,7 @@
 import java.util.List;
 
 import static com.jfrog.ide.common.utils.Utils.createYAMLMapper;
+import static org.junit.Assert.assertThrows;
 
 /**
  * @author tala
@@ -87,21 +89,28 @@ public void testSarifParserNotApplicResults() throws IOException {
 
     public void testSarifParserApplicResultsWithKindPass() throws IOException {
         List<JFrogSecurityWarning> parsedOutput = scanner.parseOutputSarif(APPLIC_KIND_PASS_OUTPUT);
-        assertEquals(4, parsedOutput.size());
-        // 2 known applicable results (code evidence returned)
+        assertEquals(6, parsedOutput.size());
+        //Not Applicable with kind pass
         assertEquals("applic_CVE-2022-25878", parsedOutput.get(0).getRuleID());
         assertFalse(parsedOutput.get(0).isApplicable());
-        assertEquals("CVE-2022-25978", parsedOutput.get(1).getRuleID());
+        //Applicable with kind pass
+        assertEquals("applic_CVE-2022-25978", parsedOutput.get(1).getRuleID());
         assertTrue(parsedOutput.get(1).isApplicable());
-        // 2 known no-applicable results (have a scanner but no code evidence returned)
+        //Not applicable with kind pass and no properties
         assertEquals("applic_CVE-2021-25878", parsedOutput.get(2).getRuleID());
         assertFalse(parsedOutput.get(2).isApplicable());
+        //Applicable with kind fail
         assertEquals("applic_CVE-2022-29019", parsedOutput.get(3).getRuleID());
-        assertFalse(parsedOutput.get(3).isApplicable());
+        assertTrue(parsedOutput.get(3).isApplicable());
+        //Not applicable as its not_covered
+        assertEquals("applic_CVE-2022-29004", parsedOutput.get(4).getRuleID());
+        assertFalse(parsedOutput.get(4).isApplicable());
+        //Not applicable as its undetermined
+        assertEquals("applic_CVE-2022-29014", parsedOutput.get(5).getRuleID());
+        assertFalse(parsedOutput.get(5).isApplicable());
     }
 
 
-
     public void testGetBinaryDownloadURL() {
         final String externalRepoName = "test-releases-repo";
         final String expectedExternalRepoUrl = "test-releases-repo/artifactory/xsc-gen-exe-analyzer-manager-local/";

src/test/resources/sourceCode/applicable_kind_pass_output.sarif

@@ -16,11 +16,11 @@
                 "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called."
               },
               "shortDescription": {
-                "text": "Scanner for CVE-2020-28502"
+                "text": "Scanner for applic_CVE-2022-25878"
               }
             },
             {
-              "id": "CVE-2022-25978",
+              "id": "applic_CVE-2022-25978",
               "properties": {
                 "conclusion": "negative",
                 "applicability": "applicable"
@@ -30,7 +30,7 @@
                 "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used."
               },
               "shortDescription": {
-                "text": "Scanner for CVE-2020-5310"
+                "text": "Scanner for applic_CVE-2022-25978"
               }
             },
             {
@@ -40,7 +40,7 @@
                 "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called."
               },
               "shortDescription": {
-                "text": "Scanner for CVE-2020-28502"
+                "text": "Scanner for applic_CVE-2021-25878"
               }
             },
             {
@@ -50,10 +50,35 @@
                 "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used."
               },
               "shortDescription": {
-                "text": "Scanner for CVE-2020-5310"
+                "text": "Scanner for applic_CVE-2022-29019"
               }
+            },
+            {
+              "id": "applic_CVE-2022-29004",
+              "fullDescription": {
+                "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.",
+                "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used."
+              },
+              "shortDescription": {
+                "text": "Scanner for applic_CVE-2022-29004"
+              }, "properties": {
+              "conclusion": "positive",
+              "applicability": "not_covered"
+            }
+            },
+            {
+              "id": "applic_CVE-2022-29014",
+              "fullDescription": {
+                "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.",
+                "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used."
+              },
+              "shortDescription": {
+                "text": "Scanner for applic_CVE-2022-29014"
+              }, "properties": {
+              "conclusion": "positive",
+              "applicability": "undetermined"
+            }
             }
-
           ],
           "version": "APPLIC_SCANNERv0.2.0"
         }
@@ -116,7 +141,7 @@
               }
             }
           ],
-          "ruleId": "CVE-2022-25978"
+          "ruleId": "applic_CVE-2022-25978"
         },
         {
           "message": {
@@ -129,8 +154,21 @@
           "message": {
             "text": "The scanner checks whether the vulnerable function `ansi-regex` is called."
           },
-          "kind": "pass",
+          "kind": "fail",
           "ruleId": "applic_CVE-2022-29019"
+        },
+        {
+        "message": {
+          "text": "The scanner checks whether the vulnerable function `call-all-ansi` is called."
+        },
+        "kind": "pass",
+        "ruleId": "applic_CVE-2022-29004"
+        },
+        {"message": {
+          "text": "The scanner checks whether the vulnerable function `not-call-all-ansi` is called."
+        },
+        "kind": "pass",
+        "ruleId": "applic_CVE-2022-29014"
         }
       ]
     }