| 355 | } |
| 356 | |
| 357 | void noCweNoSecurity() |
| 358 | { |
| 359 | SarifReport report; |
| 360 | |
| 361 | // Error without CWE ID should not have security properties |
| 362 | report.addFinding(createErrorMessage("styleError", Severity::style, "Style error", "test.cpp", 10, 5, 0)); |
| 363 | |
| 364 | std::string sarif = report.serialize("Cppcheck"); |
| 365 | picojson::value json; |
| 366 | ASSERT(parseAndValidateJson(sarif, json)); |
| 367 | |
| 368 | const picojson::object& root = json.get<picojson::object>(); |
| 369 | const picojson::array& runs = root.at("runs").get<picojson::array>(); |
| 370 | const picojson::object& cur_run = runs[0].get<picojson::object>(); |
| 371 | const picojson::object& tool = cur_run.at("tool").get<picojson::object>(); |
| 372 | const picojson::object& driver = tool.at("driver").get<picojson::object>(); |
| 373 | const picojson::array& rules = driver.at("rules").get<picojson::array>(); |
| 374 | |
| 375 | ASSERT_EQUALS(1U, rules.size()); |
| 376 | |
| 377 | const picojson::object& rule = rules[0].get<picojson::object>(); |
| 378 | const picojson::object& props = rule.at("properties").get<picojson::object>(); |
| 379 | |
| 380 | // Should NOT have security-severity |
| 381 | ASSERT(props.find("security-severity") == props.end()); |
| 382 | |
| 383 | // Should NOT have tags (or if present, no security tag) |
| 384 | if (props.find("tags") != props.end()) |
| 385 | { |
| 386 | const picojson::array& tags = props.at("tags").get<picojson::array>(); |
| 387 | for (const auto& tag : tags) |
| 388 | { |
| 389 | ASSERT(tag.get<std::string>() != "security"); |
| 390 | } |
| 391 | } |
| 392 | } |
| 393 | |
| 394 | void inconclusiveCertainty() |
| 395 | { |