Conversation

@MonsieurCo (Contributor) commented Nov 20, 2025

Fixing the parsing error that occurs when encountering a malformed URI.
Example: scanning this project with opengrep with SARIF output and uploading it to SSC results in this error:

Exception: An unexpected error occurred during scan processing: com.fortify.manager.exception.FMScanParseException:
Parsing error while parsing scan vulnerabilities: Cannot deserialize value of type 'java.net.URI' from String "2_Server 
Streaming/client/client.js": not a valid textual representation, problem: Illegal character in path at index 8: 2_Server 
Streaming/client/client.js at [Source: (com.fortify.util.io.RegionInputStream); line: 1, column: 3213] (through reference 
chain: com.fortify.ssc.parser.sarif.domain.Result["locations"]->java.lang.Object[][0]-
>com.fortify.ssc.parser.sarif.domain.Location["physicalLocation"]-
>com.fortify.ssc.parser.sarif.domain.PhysicalLocation["artifactLocation"]-
>com.fortify.ssc.parser.sarif.domain.ArtifactLocation["uri"]); session b8mvd7v78ni6a

The SARIF output from opengrep is correct, because it is parsed correctly by other parsers (e.g. the VS Code SARIF viewer).

I have built the fix and installed it on my Fortify version, and the error is gone.

The files causing the issue are present in this comment #37 (comment) if you want to reproduce.

PS: I've filled out the form for contributing to this project in CONTRIBUTING.md.

@Romain-Geissler-1A commented

I don't know Java at all, but isn't there already some built-in library utility to parse URI-encoded data, rather than doing it manually?

@MonsieurCo (Contributor, Author) commented

You have a good point on that.

I am not an experienced Java developer, and at first I considered using URLEncoder, but I am not sure whether I would introduce some sort of bug, since it's designed for form data: it replaces spaces with + instead of %20 (where I learned that), which could break file paths or URIs.
Since SARIF follows the standard https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/sarif-v2.1.0-errata01-os-complete.html#_Toc141790680, which per RFC 3986 says that it should be percent-encoded,

that's why I went with a naive approach, to be sure I would not rely on an unknown decision from a library that might not be compliant with the SARIF format.

I can look for that library, but it seems not to be standalone.
I also found a post on Stack Overflow talking about the issue, where someone advises using uriencode from Spring Framework,
and that might be too much to add, no?
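To make the trade-off discussed above concrete, here is an added example (not code from this PR or from the fortify SARIF parser): it reproduces the `java.net.URI` failure on the path from the error message, shows what `URLEncoder` does to that path, and compares a hand-written RFC 3986 percent-encoder with the JDK's own multi-argument `URI` constructor, which quotes illegal path characters without any extra dependency. The class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example (not the parser's own code): why a SARIF artifactLocation.uri
// like "2_Server Streaming/client/client.js" fails in java.net.URI, why
// URLEncoder is the wrong tool, and two RFC 3986 percent-encodings that work.
public class SarifUriEncoding {
    // Constructed sample, copied from the error message in this thread.
    static final String RAW_PATH = "2_Server Streaming/client/client.js";
    // Manual RFC 3986 encoding: keep unreserved characters and the path
    // separator "/", encode every other UTF-8 byte as %XX.
    static String percentEncodePath(String path) {
        StringBuilder sb = new StringBuilder();
        for (byte b : path.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved || c == '/') {
                sb.append((char) c);
            } else {
                sb.append('%').append(String.format("%02X", c));
            }
        }
        return sb.toString();
    }
    // Built-in alternative: the multi-argument URI constructor quotes illegal
    // characters in the path component (space -> %20, "/" is kept).
    static URI encodeWithUriConstructor(String path) throws URISyntaxException {
        return new URI(null, null, path, null);
    }
    public static void main(String[] args) throws Exception {
        try {
            new URI(RAW_PATH); // what the parser effectively did before the fix
        } catch (URISyntaxException e) {
            System.out.println("raw string rejected: " + e.getMessage());
        }
        // URLEncoder targets application/x-www-form-urlencoded: space -> "+"
        // and "/" -> "%2F", so the result is no longer a usable relative path.
        System.out.println("URLEncoder:  " + URLEncoder.encode(RAW_PATH, StandardCharsets.UTF_8));
        String manual = percentEncodePath(RAW_PATH);
        URI fromManual = new URI(manual);
        URI fromCtor = encodeWithUriConstructor(RAW_PATH);
        System.out.println("manual:      " + manual + "\nconstructor: " + fromCtor.toASCIIString());
        // Both decode back to the original path, so downstream file lookups work.
        System.out.println(fromManual.getPath().equals(RAW_PATH) && fromCtor.getPath().equals(RAW_PATH));
    }
}
```

The four-argument constructor is the "built-in utility" the reviewer asked about; it only encodes characters that are illegal in a path, so an already percent-encoded input would be double-encoded and should be detected before calling it.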

@MonsieurCo (Contributor, Author) commented

PS:
I made sure that the code correctly parses other non-alphanumeric characters without crashing.

@rsenden rsenden merged commit 1c891f7 into fortify:main Dec 8, 2025