From 19fa856badad483cae700ee1213dd7f1a933d6d3 Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Sat, 20 Aug 2022 13:20:36 +0200
Subject: [PATCH] fix: make sure that nil Cwe pointer is handled when getting the CWE ID

---
 cwe/types.go              |  6 +++++-
 report/golint/writer.go   |  2 +-
 report/junit/formatter.go |  6 +++++-
 report/sarif/formatter.go | 17 +++++++++++------
 4 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/cwe/types.go b/cwe/types.go
index a14ccb5..562510a 100644
--- a/cwe/types.go
+++ b/cwe/types.go
@@ -19,7 +19,11 @@ func (w *Weakness) SprintURL() string {
 
 // SprintID format the CWE ID
 func (w *Weakness) SprintID() string {
-	return fmt.Sprintf("%s-%s", Acronym, w.ID)
+	id := "0000"
+	if w != nil {
+		id = w.ID
+	}
+	return fmt.Sprintf("%s-%s", Acronym, id)
 }
 
 // MarshalJSON print only id and URL
diff --git a/report/golint/writer.go b/report/golint/writer.go
index e9d0245..3f1434c 100644
--- a/report/golint/writer.go
+++ b/report/golint/writer.go
@@ -15,7 +15,7 @@ func WriteReport(w io.Writer, data *gosec.ReportInfo) error {
 
 	for _, issue := range data.Issues {
 		what := issue.What
-		if issue.Cwe.ID != "" {
+		if issue.Cwe != nil && issue.Cwe.ID != "" {
 			what = fmt.Sprintf("[%s] %s", issue.Cwe.SprintID(), issue.What)
 		}
 
diff --git a/report/junit/formatter.go b/report/junit/formatter.go
index 187c854..d14def6 100644
--- a/report/junit/formatter.go
+++ b/report/junit/formatter.go
@@ -8,11 +8,15 @@ import (
 )
 
 func generatePlaintext(issue *gosec.Issue) string {
+	cweID := "CWE"
+	if issue.Cwe != nil {
+		cweID = issue.Cwe.ID
+	}
 	return "Results:\n" +
 		"[" + issue.File + ":" + issue.Line + "] - " +
 		issue.What + " (Confidence: " + strconv.Itoa(int(issue.Confidence)) +
 		", Severity: " + strconv.Itoa(int(issue.Severity)) +
-		", CWE: " + issue.Cwe.ID + ")\n" + "> " + html.EscapeString(issue.Code)
+		", CWE: " + cweID + ")\n" + "> " + html.EscapeString(issue.Code)
 }
 
 // GenerateReport Convert a gosec report to a JUnit Report
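Review bot: The nil-receiver fallback added to SprintID renders as `CWE-0000`, which is shaped exactly like a real identifier, so any report consumer that keys on the CWE string will treat a missing weakness as a (non-existent) CWE entry rather than as "unknown"; the doc comment `// SprintID format the CWE ID` gives no hint that the receiver may be nil or that a placeholder exists. I would at least document the contract: `// SprintID formats the CWE ID as "CWE-<id>"; a nil receiver yields the placeholder "CWE-0000", which is not a real CWE entry.` Whether an empty string or a dedicated marker would be safer for downstream tooling is a behavioural choice this hunk alone cannot settle. The rest of the Weakness type is outside the hunk.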
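Review bot: The placeholder on the first added line of generatePlaintext, `cweID := "CWE"`, makes the JUnit message read `CWE: CWE)` whenever `issue.Cwe` is nil, which looks like a rendering bug to whoever reads the test output and disagrees with the `CWE-0000` placeholder that SprintID adopts elsewhere in this same patch. A neutral `cweID := ""` keeps the message well-formed, or the formatter could render through `issue.Cwe.SprintID()` (which already handles nil after this patch, though it changes the printed form from `79` to `CWE-79`); either way the formatters should agree on how a missing CWE is shown. An empty `issue.Cwe.ID` is still printed as-is, as before the change. generatePlaintext is shown in full; the JUnit report generation around it is outside the hunk.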
diff --git a/report/sarif/formatter.go b/report/sarif/formatter.go
index 3c67747..16198dd 100644
--- a/report/sarif/formatter.go
+++ b/report/sarif/formatter.go
@@ -27,12 +27,14 @@ func GenerateReport(rootPaths []string, data *gosec.ReportInfo) (*Report, error)
 	weaknesses := make(map[string]*cwe.Weakness)
 
 	for _, issue := range data.Issues {
-		_, ok := weaknesses[issue.Cwe.ID]
-		if !ok {
-			weakness := cwe.Get(issue.Cwe.ID)
-			weaknesses[issue.Cwe.ID] = weakness
-			cweTaxon := parseSarifTaxon(weakness)
-			cweTaxa = append(cweTaxa, cweTaxon)
+		if issue.Cwe != nil {
+			_, ok := weaknesses[issue.Cwe.ID]
+			if !ok {
+				weakness := cwe.Get(issue.Cwe.ID)
+				weaknesses[issue.Cwe.ID] = weakness
+				cweTaxon := parseSarifTaxon(weakness)
+				cweTaxa = append(cweTaxa, cweTaxon)
+			}
 		}
 
 		r, ok := rulesIndices[issue.RuleID]
@@ -97,6 +99,9 @@ func parseSarifRule(issue *gosec.Issue) *ReportingDescriptor {
 }
 
 func buildSarifReportingDescriptorRelationship(weakness *cwe.Weakness) *ReportingDescriptorRelationship {
+	if weakness == nil {
+		return nil
+	}
 	return &ReportingDescriptorRelationship{
 		Target: &ReportingDescriptorReference{
 			ID: weakness.ID,
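Review bot: The new `issue.Cwe != nil` guard covers only the pointer on the issue; `cwe.Get(issue.Cwe.ID)` on the fourth added line presumably returns nil for an ID that is not in the catalogue, and that nil is then stored in `weaknesses` and handed to `parseSarifTaxon`, which will dereference it if it reads `weakness.ID` the way the relationship builder further down does. I would keep caching the miss but only emit a taxon for a real weakness: `if weakness != nil { cweTaxa = append(cweTaxa, parseSarifTaxon(weakness)) }`. The remainder of GenerateReport, including any later use of `issue.Cwe` when building rules, is outside this hunk and needs the same nil check.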
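Review bot: Returning nil from buildSarifReportingDescriptorRelationship is only safe if every caller checks for it; the caller is outside this hunk, and if it appends the result directly into a `Relationships` slice the serialised output will carry a `null` element in `relationships`, which the SARIF 2.1.0 schema does not allow and which ingestion tools such as code-scanning uploads may reject outright. Either have the caller skip a nil result or spell the contract out on the function, which currently has no doc comment: `// buildSarifReportingDescriptorRelationship links a rule to its CWE taxon. It returns nil when weakness is nil; callers must not append a nil relationship to the report.` The function's body continues past the last line of the hunk.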