Skip to content

Fix SARIF parser: unwrap BlackDuck nested fingerprint dict values#15080

Open
Jino-T wants to merge 2 commits into
bugfixfrom
fix/sarif-blackduck-nested-fingerprints
Open

Fix SARIF parser: unwrap BlackDuck nested fingerprint dict values#15080
Jino-T wants to merge 2 commits into
bugfixfrom
fix/sarif-blackduck-nested-fingerprints

Conversation

@Jino-T

@Jino-T Jino-T commented Jun 24, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

  • BlackDuck SARIF output wraps fingerprint values as {"value": "<hash>"} objects instead of the plain strings the SARIF 2.1.0 spec requires
  • get_fingerprints_hashes() stored these dicts directly into unique_id_from_tool, which Django's CharField silently coerced to str(dict) on save — but the objects arrive as actual dicts in memory
  • On second reimport, update_candidates_with_saved_finding() uses unique_id_from_tool as a Python dict key (candidates_by_uid.setdefault(finding.unique_id_from_tool, [])) — dicts are not hashable, raising TypeError: cannot use 'dict' as a set element (unhashable type: 'dict')
  • This crash happens for all reimport deduplication algorithms (the update runs unconditionally), so there is no algorithm-based workaround

Fix

Unwrap the nested dict at parse time in get_fingerprints_hashes():

if isinstance(value, dict):
    value = value.get("value", "")

Test plan

  • Ran manage.py test unittests.tools.test_sarif_parser — all 25 tests pass
  • Added 2 new cases to test_get_fingerprints_hashes covering nested dict with value key and nested dict with missing value key (empty-string fallback)
  • Added test_blackduck_nested_fingerprints integration test with a sanitized 5-finding SARIF fixture covering Medium/High/Info/Critical severity levels — verifies unique_id_from_tool is a plain string and not a dict representation
  • Sanitized fixture uses fictional tool name, component names, and synthetic fingerprint hashes; real public CVE IDs are retained for authenticity

Note on existing findings in affected customer databases

Findings created before this fix will have unique_id_from_tool stored as "{'value': 'abc123...'}" (the str() repr of the dict). After deploying the fix, new reimports will produce the correct hash string — these will not match the old str-repr values, causing the old findings to be closed and new ones opened on the next reimport. Customers should be warned if they care about finding continuity.

🤖 Generated with Claude Code

@Jino-T @claude
Fix SARIF parser: unwrap BlackDuck nested fingerprint dict values
43edf4c 
BlackDuck SARIF output uses {"value": "<hash>"} objects as fingerprint
values instead of plain strings as the SARIF 2.1.0 spec requires.

get_fingerprints_hashes() was storing these dicts directly into
unique_id_from_tool. Django's CharField silently coerces them to their
str() repr on save, but they arrive as actual dict objects in memory.

On second reimport the reimporter calls update_candidates_with_saved_finding()
which uses unique_id_from_tool as a Python dict key:

    candidates_by_uid.setdefault(finding.unique_id_from_tool, [])

Dicts are not hashable, so this raises:

    TypeError: cannot use 'dict' as a set element (unhashable type: 'dict')

This crash happens for ALL reimport deduplication algorithms because
update_candidates_with_saved_finding() runs unconditionally after each
finding is saved. Changing the deduplication algorithm is not a workaround.

Fix: unwrap the nested dict at parse time. If the value is a dict, extract
its "value" key (empty string fallback if missing). This produces the
correct plain-string unique_id_from_tool the rest of the pipeline expects.

Adds two unit test cases to test_get_fingerprints_hashes and a new
integration test test_blackduck_nested_fingerprints with a sanitized
5-finding SARIF fixture covering all severity levels.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Jino-T Jino-T requested review from Maffooch and mtesauro as code owners June 24, 2026 16:11
@Jino-T @claude
Fix docstring format to satisfy ruff D213/D209
a2ab048 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@valentijnscholten valentijnscholten added this to the 3.0.200 milestone Jun 24, 2026
@Maffooch Maffooch requested review from blakeaowens and dogboat June 24, 2026 23:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@valentijnscholten valentijnscholten valentijnscholten approved these changes
@Maffooch Maffooch Maffooch approved these changes
@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner
@paulOsinski paulOsinski Awaiting requested review from paulOsinski
@dogboat dogboat Awaiting requested review from dogboat
@blakeaowens blakeaowens Awaiting requested review from blakeaowens

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

parser unittests

Projects

None yet

Milestone

3.0.200

Development

Successfully merging this pull request may close these issues.

3 participants

@Jino-T @valentijnscholten @Maffooch