fix(sonarqube): mdDesc fallback

Author: samiat4911

dojo/tools/api_sonarqube/importer.py

@@ -3,6 +3,7 @@
 import textwrap
 
 import html2text
+import markdown
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from lxml import etree
@@ -153,13 +154,13 @@ def import_issues(self, test):
                 except KeyError:
                     sonarqube_permalink = "No permalink \n"
 
-                # custom (user defined) SQ rules may not have 'htmlDesc'
-                if "htmlDesc" in rule:
+                rule_details = self.get_rule_details(rule)
+                if rule_details:
                     description = self.clean_rule_description_html(
-                        rule["htmlDesc"],
+                        rule_details,
                     )
-                    cwe = self.clean_cwe(rule["htmlDesc"])
-                    references = sonarqube_permalink + self.get_references(rule["htmlDesc"])
+                    cwe = self.clean_cwe(rule_details)
+                    references = sonarqube_permalink + self.get_references(rule_details)
                 else:
                     description = ""
                     cwe = None
@@ -338,8 +339,10 @@ def import_hotspots(self, test):
 
     @staticmethod
     def clean_rule_description_html(raw_html):
+        if not raw_html:
+            return ""
         search = re.search(
-            r"^(.*?)(?:(<h2>See</h2>)|(<b>References</b>))",
+            r"^(.*?)(?:(<h2>See</h2>)|(<h2>References</h2>)|(<b>References</b>))",
             raw_html,
             re.DOTALL,
         )
@@ -356,6 +359,21 @@ def clean_cwe(raw_html):
             return int(search.group(1))
         return None
 
+    @staticmethod
+    def get_rule_details(rule):
+        if html_desc := rule.get("htmlDesc"):
+            return html_desc
+        if not (md_desc := rule.get("mdDesc")):
+            return ""
+        if SonarQubeApiImporter.is_html_description(md_desc):
+            return md_desc
+        # SonarQube 2025.x can return markdown-only rule descriptions.
+        return markdown.markdown(md_desc, extensions=["extra"])
+
+    @staticmethod
+    def is_html_description(description):
+        return bool(re.search(r"<[a-zA-Z][^>]*>", description))
+
     @staticmethod
     def convert_sonar_severity(sonar_severity):
         sev = sonar_severity.lower()
@@ -382,6 +400,8 @@ def convert_scanner_confidence(sonar_scanner_confidence):
 
     @staticmethod
     def get_references(vuln_details):
+        if not vuln_details:
+            return ""
         parser = etree.HTMLParser()
         details = etree.fromstring(vuln_details, parser)
 

unittests/scans/api_sonarqube/rule_md_desc_only.json

@@ -0,0 +1,32 @@
+{
+    "key": "typescript:S1854",
+    "repo": "typescript",
+    "name": "Dead stores should be removed",
+    "createdAt": "2018-01-17T10:11:21-0500",
+    "mdDesc": "A dead store happens when a local variable is assigned a value that is not read by any subsequent instruction. Calculating or retrieving a value only to then overwrite it or throw it away, could indicate a serious error in the code. Even if it's not an error, it is at best a waste of resources. Therefore all calculated values should be used.\n\n## Noncompliant Code Example\n\ni = a + b; // Noncompliant; calculation result not used before value is overwritten\ni = compute();\n\n## Compliant Solution\n\ni = a + b;\ni += compute();\n\n## Exceptions\n\nThis rule ignores initializations to -1, 0, 1, `null`, `true`, `false`, `\"\"`, `[]` and `{}`.\n\n## See\n\n- [MITRE, CWE-563](http://cwe.mitre.org/data/definitions/563.html) - Assignment to Variable without Use ('Unused Variable')\n- [CERT, MSC13-C.](https://www.securecoding.cert.org/confluence/x/QYA5) - Detect and remove unused values\n- [CERT, MSC56-J.](https://www.securecoding.cert.org/confluence/x/uQCSBg) - Detect and remove superfluous code and values\n",
+    "severity": "MAJOR",
+    "status": "READY",
+    "isTemplate": false,
+    "tags": [],
+    "sysTags": [
+        "cert",
+        "cwe",
+        "unused"
+    ],
+    "lang": "ts",
+    "langName": "TypeScript",
+    "params": [],
+    "defaultDebtRemFnType": "CONSTANT_ISSUE",
+    "defaultDebtRemFnOffset": "15min",
+    "debtOverloaded": false,
+    "debtRemFnType": "CONSTANT_ISSUE",
+    "debtRemFnOffset": "15min",
+    "defaultRemFnType": "CONSTANT_ISSUE",
+    "defaultRemFnBaseEffort": "15min",
+    "remFnType": "CONSTANT_ISSUE",
+    "remFnBaseEffort": "15min",
+    "remFnOverloaded": false,
+    "scope": "MAIN",
+    "isExternal": false,
+    "type": "CODE_SMELL"
+}

unittests/tools/test_api_sonarqube_importer.py

@@ -28,6 +28,11 @@ def dummy_rule_wo_html_desc(self, *args, **kwargs):
         return json.load(json_file)
 
 
+def dummy_rule_md_desc_only(self, *args, **kwargs):
+    with (get_unit_tests_scans_path("api_sonarqube") / "rule_md_desc_only.json").open(encoding="utf-8") as json_file:
+        return json.load(json_file)
+
+
 def dummy_no_hotspot(self, *args, **kwargs):
     with (get_unit_tests_scans_path("api_sonarqube") / "hotspots" / "no_vuln.json").open(encoding="utf-8") as json_file:
         return json.load(json_file)
@@ -293,6 +298,45 @@ def test_parser(self):
         self.assertEqual("internal.dummy.project:src/main/javascript/TranslateDirective.ts", finding.file_path)
 
 
+class TestSonarqubeImporterMarkdownRuleDescription(DojoTestCase):
+    fixtures = [
+        "unit_sonarqube_toolType.json",
+        "unit_sonarqube_toolConfig1.json",
+        "unit_sonarqube_toolConfig2.json",
+        "unit_sonarqube_product.json",
+        "unit_sonarqube_sqcNoKey.json",
+        "unit_sonarqube_sqcWithKey.json",
+    ]
+
+    def setUp(self):
+        product = Product.objects.get(name="product")
+        engagement = Engagement(product=product)
+        self.test = Test(
+            engagement=engagement,
+            api_scan_configuration=Product_API_Scan_Configuration.objects.all().last(),
+        )
+
+    @mock.patch("dojo.tools.api_sonarqube.api_client.SonarQubeAPI.get_project", dummy_product)
+    @mock.patch("dojo.tools.api_sonarqube.api_client.SonarQubeAPI.get_rule", dummy_rule_md_desc_only)
+    @mock.patch("dojo.tools.api_sonarqube.api_client.SonarQubeAPI.find_issues", dummy_issues)
+    @mock.patch("dojo.tools.api_sonarqube.api_client.SonarQubeAPI.get_hotspot_rule", dummy_hotspot_rule)
+    @mock.patch("dojo.tools.api_sonarqube.api_client.SonarQubeAPI.find_hotspots", empty_list)
+    def test_parser(self):
+        parser = SonarQubeApiImporter()
+        findings = parser.get_findings(None, self.test)
+        self.assertEqual(2, len(findings))
+        finding = findings[0]
+        self.assertEqual(563, finding.cwe)
+        self.assertIn(
+            "A dead store happens when a local variable is assigned a value",
+            finding.description,
+        )
+        self.assertIn(
+            "[MITRE, CWE-563](http://cwe.mitre.org/data/definitions/563.html)",
+            finding.references,
+        )
+
+
 class TestSonarqubeImporterTwoIssuesNoHotspots(DojoTestCase):
     # Testing case no 9. https://github.com/DefectDojo/django-DefectDojo/pull/4107
     fixtures = [