✨ Support multiple rule names for AppScan (#428)

ryandens · web-flow · commit bf886d3f59b7 · 2024-07-23T09:17:08.000-04:00
- **:sparkles: support muitiple rule names in AppScan**
- **:bulb: Improve docs for AppScan getRule accessor**
diff --git a/plugins/codemodder-plugin-appscan/src/main/java/io/codemodder/providers/sarif/appscan/AppScanModule.java b/plugins/codemodder-plugin-appscan/src/main/java/io/codemodder/providers/sarif/appscan/AppScanModule.java
@@ -41,10 +41,27 @@ protected void configure() {
               .findFirst();
 
       annotation.ifPresent(
-          providedAppScanScan ->
+          providedAppScanScan -> {
+            if (!providedAppScanScan.ruleName().isEmpty()) {
               bind(RuleSarif.class)
                   .annotatedWith(providedAppScanScan)
-                  .toInstance(map.getOrDefault(providedAppScanScan.ruleName(), RuleSarif.EMPTY)));
+                  .toInstance(map.getOrDefault(providedAppScanScan.ruleName(), RuleSarif.EMPTY));
+            } else if (providedAppScanScan.ruleNames().length > 0) {
+
+              RuleSarif ruleSarif = RuleSarif.EMPTY;
+              for (final String ruleName : providedAppScanScan.ruleNames()) {
+                final var result = map.get(ruleName);
+                if (result != null) {
+                  ruleSarif = result;
+                  break;
+                }
+              }
+
+              bind(RuleSarif.class).annotatedWith(providedAppScanScan).toInstance(ruleSarif);
+            } else {
+              throw new IllegalStateException("No rule name provided in " + providedAppScanScan);
+            }
+          });
     }
   }
 }
diff --git a/plugins/codemodder-plugin-appscan/src/main/java/io/codemodder/providers/sarif/appscan/AppScanRuleSarif.java b/plugins/codemodder-plugin-appscan/src/main/java/io/codemodder/providers/sarif/appscan/AppScanRuleSarif.java
@@ -107,9 +107,9 @@ public SarifSchema210 rawDocument() {
   }
 
   /**
-   * This returns the "ruleId" element, which has a value like "SA2813462719". The "message[text]"
-   * field has a more human-readable value like "SQL Injection". To stay aligned with other tools
-   * that use a more strict ID, we use the rule ID.
+   * This returns the "message[text]" field from the SARIF results. This is a human-readable value
+   * like "SQL Injection". We would ordinarily use this as the rule ID but this value is different
+   * each time we retrieve the SARIF for a given scan
    */
   @Override
   public String getRule() {
diff --git a/plugins/codemodder-plugin-appscan/src/main/java/io/codemodder/providers/sarif/appscan/ProvidedAppScanScan.java b/plugins/codemodder-plugin-appscan/src/main/java/io/codemodder/providers/sarif/appscan/ProvidedAppScanScan.java
@@ -14,5 +14,8 @@
 public @interface ProvidedAppScanScan {
 
   /** The AppScan rule name, which shows up as the "message text" in the SARIF results. */
-  String ruleName();
+  String ruleName() default "";
+
+  /** The AppScan rule names, which show up as the "message text" in the SARIF results. */
+  String[] ruleNames() default {};
 }

Original file line number	Diff line number	Diff line change
`@@ -14,5 +14,8 @@`
`14`	`14`	`public @interface ProvidedAppScanScan {`
`15`	`15`
`16`	`16`	`/** The AppScan rule name, which shows up as the "message text" in the SARIF results. */`
`17`		`- String ruleName();`
	`17`	`+ String ruleName() default "";`
	`18`	`+`
	`19`	`+ /** The AppScan rule names, which show up as the "message text" in the SARIF results. */`
	`20`	`+ String[] ruleNames() default {};`
`18`	`21`	`}`