Add error handling for SarifReader parsing of locations block in a

Dave Wichers · Dave Wichers · commit 658b59d935cd · 2025-05-29T10:47:15.000-05:00
result because CodeSonar SARIF files sometimes don't include locations
blocks in their findings.
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java
@@ -264,11 +264,26 @@ private TestCaseResult testCaseResultFor(JSONObject result, Map<String, Integer>
     }
 
     private static String resultUri(JSONObject result) {
-        return result.getJSONArray("locations")
-                .getJSONObject(0)
-                .getJSONObject("physicalLocation")
-                .getJSONObject("artifactLocation")
-                .getString("uri");
+        // This try/catch was added because CodeSonar SARIF results sometimes don't have locations
+        // elements. The have fingerprints and partialFingerprints elements which might refer
+        // back to findings of the same type that do include proper locations elements
+        try {
+            return result.getJSONArray("locations")
+                    .getJSONObject(0)
+                    .getJSONObject("physicalLocation")
+                    .getJSONObject("artifactLocation")
+                    .getString("uri");
+        } catch (Exception e) {
+            System.err.println(
+                    "WARNING: "
+                            + e.getMessage()
+                            + " for rule: "
+                            + result.getString("ruleId")
+                            + " with message: \""
+                            + result.getJSONObject("message").getString("text")
+                            + "\". Skipping this finding.");
+            return "NoResultURIFound";
+        }
     }
 
     /**
