Extraction of sample and excerpt not working when using xpath. #621

@ismadirolas

Describe the bug
We are trying to use xpath selection with a complex xpath like this:

//*[local-name(.)='artifactId' and text()='mylibrary']/parent::*/*[local-name(.)='version']

in order to detect pom versions (with the maven namespace, which is why we use the local-name function). It works, but the sample and excerpt returned are the beginning of the document.

Example rule:

{
    "name": "TEST xpath",
    "description": "Detects the use of 1.x version of the library",
    "id": "XPATH000000",
    "applies_to": [
      "pom.xml"
    ],
    "tags": [
      "XPATH.Version"
    ],
    "severity": "critical",
    "patterns": [
      {
        "pattern": "1\\..+",
        "type": "regex",
        "scopes": [
          "code"
        ],
        "modifiers": [ ],
        "confidence": "high",
        "xpaths": ["//*[local-name(.)='artifactId' and text()='mylibrary']/parent::*/*[local-name(.)='version']"]
      }
    ]
  }

Example pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <artifactId>test</artifactId>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>test.com</groupId>
        <artifactId>mylibrary</artifactId>
        <version>1.6.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

</project>

Returned match:

{
        "ruleId": "XPATH000000",
        "ruleName": "TEST xpath",
        "ruleDescription": "test",
        "tags": [
          "XPATH.Version"
        ],
        "severity": "Critical",
        "pattern": "1\\..\u002B",
        "confidence": "High",
        "type": "Regex",
        "language": "pom.xml",
        "fileName": "/workdir/git/wsc-adminnow/code/test/pom.xml",
        "sample": "1.0\u0022",
        "excerpt": "\u003C?xml version=\u00221.0\u0022 encoding=\u0022UTF-8\u0022?\u003E\r\n\u003Cproject xmlns=\u0022http://maven.apache.org/POM/4.0.0\u0022 xmlns:xsi=\u0022http://www.w3.org/2001/XMLSchema-instance\u0022 xsi:schemaLocation=\u0022http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\u0022\u003E\r\n  \u003CmodelVersion\u003E4.0.0\u003C/modelVersion\u003E\r\n\r\n",
        "startLocationLine": 1,
        "startLocationColumn": 15,
        "endLocationLine": 1,
        "endLocationColumn": 20
      }

It seems that the sample and excerpt extraction applies the pattern against the whole document, instead of first applying the xpath and then using the pattern.

To Reproduce
Steps to reproduce the behavior:

  1. Run ApplicationInspector with a custom rule using the related xpath.
  2. Check the sample and excerpt matched.

Expected behavior
The sample must contain the version inside the tag, and the excerpt the previous and following lines.

Operating Environment (please complete the following information):

  • Application Inspector Version: 1.9.32
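The two behaviours described in this report side by side, as an added example that is not Application Inspector's own code: the pattern run over the raw file (which lands in the XML declaration) versus the node selection applied first and the pattern run only on the selected text. Because the Python standard library's ElementTree does not support local-name(), the xpath from the rule is reimplemented by hand in select_versions; the pom.xml is a constructed, condensed copy of the one in the report.

```python
import re
import xml.etree.ElementTree as ET
# Constructed pom.xml, condensed from the report (CRLF endings, as in the returned excerpt).
POM = (
    '<?xml version="1.0" encoding="UTF-8"?>\r\n'
    '<project xmlns="http://maven.apache.org/POM/4.0.0">\r\n'
    '  <modelVersion>4.0.0</modelVersion>\r\n'
    '  <artifactId>test</artifactId>\r\n'
    '  <dependencyManagement><dependencies><dependency>\r\n'
    '    <groupId>test.com</groupId>\r\n'
    '    <artifactId>mylibrary</artifactId>\r\n'
    '    <version>1.6.0</version>\r\n'
    '  </dependency></dependencies></dependencyManagement>\r\n'
    '</project>\r\n'
)
PATTERN = re.compile(r"1\..+")  # the rule's regex

def local(tag):
    """Strip the namespace, playing the role local-name() plays in the rule's xpath."""
    return tag.rsplit('}', 1)[-1]

def select_versions(xml, artifact):
    """Hand-rolled //*[local-name()='artifactId' and text()=artifact]/parent::*/*[local-name()='version']."""
    root = ET.fromstring(xml)
    hits = []
    for parent in root.iter():
        kids = list(parent)
        if any(local(k.tag) == 'artifactId' and k.text == artifact for k in kids):
            hits.extend(k.text or '' for k in kids if local(k.tag) == 'version')
    return hits

def line_col(xml, offset):  # 1-based line and column of a character offset
    before = xml[:offset]
    return before.count('\n') + 1, offset - before.rfind('\n')

def whole_document_match(xml):
    """What the report shows: pattern run on the raw file, so it hits the XML declaration."""
    m = PATTERN.search(xml)
    return m.group(0), line_col(xml, m.start())

def xpath_then_regex(xml, artifact):
    """Expected behaviour: narrow to the selected node text first, then run the pattern on it."""
    out = []
    for value in select_versions(xml, artifact):
        m = PATTERN.search(value)
        if m:
            off = xml.find('>' + value + '<') + 1  # ET keeps no offsets; find the node text in the source
            line, col = line_col(xml, off)
            excerpt = xml.splitlines()[max(0, line - 2):line + 1]  # previous, matching, following line
            out.append({'sample': m.group(0), 'line': line, 'column': col, 'excerpt': excerpt})
    return out
```

The whole-document match starts at the `1.0"` of the XML declaration on line 1, which is what the reported sample and start location correspond to; the node-first path yields `1.6.0` with the `<version>` line and its neighbours as the excerpt.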
