
Wrong startLine number on sonarqube reports #4562

Closed
LvffY opened this issue Nov 25, 2021 · 1 comment
Labels
bug Something isn't working community Community contribution

Comments

@LvffY

LvffY commented Nov 25, 2021

Expected Behavior

Sonarqube reports should be generated correctly, i.e. with a strictly positive integer as startLine (I've tested 0 and I got the same error.)

{
	"issues": [
		{
			"engineId": "KICS v1.4.8",
			"ruleId": "581dae78-307d-45d5-aae4-fe2b0db267a5",
			"severity": "CRITICAL",
			"type": "CODE_SMELL",
			"primaryLocation": {
				"message": "Azurerm Container Registry Must Contain Associated Locks ",
				"filePath": "create_acr.yml",
				"textRange": {
					"startLine": 1
				}
			}
		},
		{
			"engineId": "KICS v1.4.8",
			"ruleId": "487f4be7-3fd9-4506-a07a-eae252180c08",
			"severity": "CRITICAL",
			"type": "VULNERABILITY",
			"primaryLocation": {
				"message": "Query to find passwords and secrets in infrastructure code.",
				"filePath": "group_vars/backends/vars.yml",
				"textRange": {
					"startLine": 15
				}
			}
		},
		{
			"engineId": "KICS v1.4.8",
			"ruleId": "da4f2739-174f-4cdd-b9ef-dc3f14b5931f",
			"severity": "MAJOR",
			"type": "CODE_SMELL",
			"primaryLocation": {
				"message": "Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty",
				"filePath": "create_vnet.yml",
				"textRange": {
					"startLine": 1
				}
			}
		},
		{
			"engineId": "KICS v1.4.8",
			"ruleId": "c62746cf-92d5-4649-9acf-7d48d086f2ee",
			"severity": "MAJOR",
			"type": "VULNERABILITY",
			"primaryLocation": {
				"message": "Ensure Storage Account is using the latest version of TLS encryption",
				"filePath": "create_storage.yml",
				"textRange": {
					"startLine": 19
				}
			}
		}
	]
}

Actual Behavior

When running our sonarqube report (available from #4418), we can have some report like this:

{
	"issues": [
		{
			"engineId": "KICS v1.4.8",
			"ruleId": "581dae78-307d-45d5-aae4-fe2b0db267a5",
			"severity": "CRITICAL",
			"type": "CODE_SMELL",
			"primaryLocation": {
				"message": "Azurerm Container Registry Must Contain Associated Locks ",
				"filePath": "create_acr.yml",
				"textRange": {
					"startLine": -1
				}
			}
		},
		{
			"engineId": "KICS v1.4.8",
			"ruleId": "487f4be7-3fd9-4506-a07a-eae252180c08",
			"severity": "CRITICAL",
			"type": "VULNERABILITY",
			"primaryLocation": {
				"message": "Query to find passwords and secrets in infrastructure code.",
				"filePath": "group_vars/backends/vars.yml",
				"textRange": {
					"startLine": 15
				}
			}
		},
		{
			"engineId": "KICS v1.4.8",
			"ruleId": "da4f2739-174f-4cdd-b9ef-dc3f14b5931f",
			"severity": "MAJOR",
			"type": "CODE_SMELL",
			"primaryLocation": {
				"message": "Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty",
				"filePath": "create_vnet.yml",
				"textRange": {
					"startLine": -1
				}
			}
		},
		{
			"engineId": "KICS v1.4.8",
			"ruleId": "c62746cf-92d5-4649-9acf-7d48d086f2ee",
			"severity": "MAJOR",
			"type": "VULNERABILITY",
			"primaryLocation": {
				"message": "Ensure Storage Account is using the latest version of TLS encryption",
				"filePath": "create_storage.yml",
				"textRange": {
					"startLine": 19
				}
			}
		}
	]
}

When running our Sonarqube Analysis with the sonar.externalIssuesReportPaths configuration set up to point at our sonarqube-results.json, we fall into the error java.lang.IllegalArgumentException: -1 is not a valid line for a file

Steps to Reproduce the Problem

  1. Try to analyse an ansible playbook with issues like the following
---
- name: Deploy Spark on AKS
  hosts: infra
  environment:
    AZURE_CLIENT_ID: "{{ azure.client_id }}"
    AZURE_SECRET: "{{ azure.secret }}"
    AZURE_SUBSCRIPTION_ID: "{{ azure.subscription_id }}"
    AZURE_TENANT: "{{ azure.tenant }}"

  tasks:

    - name: "Create {{ spark_on_aks.rg_name }}"
      azure.azcollection.azure_rm_resourcegroup:
        name: "{{ spark_on_aks.rg_name }}"
        location: "{{ global.location }}"
        state: present
        append_tags: false
        tags:
          PROJECT: DEMONSTRATEUR
          USECASE: SPARK_ON_AKS
          ENVIRONMENT: "{{ global.tags.env_name }}"

    - name: "Create ACR {{ spark_on_aks.acr_name }}"
      azure.azcollection.azure_rm_containerregistry:
        name: "{{ spark_on_aks.acr_name }}"
        resource_group: "{{ spark_on_aks.rg_name }}"
        state: present
        append_tags: false
        tags:
          PROJECT: DEMONSTRATEUR
          USECASE: SPARK_ON_AKS
          ENVIRONMENT: "{{ global.tags.env_name }}"
## here we're missing Azure locks for example
  2. Run a KICS analysis with the sonarqube report format (run from checkmarx/kics:debian in my case)
/app/bin/kics scan --ci -p ${PWD} --report-formats "sonarqube" --ignore-on-exit results --output-path $PWD
  3. You should get a sonarqube report (in sonarqube-results.json) containing JSON like
{
	"issues": [
		{
			"engineId": "KICS v1.4.8",
			"ruleId": "581dae78-307d-45d5-aae4-fe2b0db267a5",
			"severity": "CRITICAL",
			"type": "CODE_SMELL",
			"primaryLocation": {
				"message": "Azurerm Container Registry Must Contain Associated Locks ",
				"filePath": "create_acr.yml",
				"textRange": {
					"startLine": -1
				}
			}
		}
	]
}

Specifications

(N/A if not applicable)

  • Version: 1.4.8
  • Platform: Debian
  • Subsystem: N/A

Workaround

If anyone falls into this issue, I've figured out an (easy) workaround. Just add the following line after your KICS analysis:

sed -i -e 's/"startLine": -1/"startLine": 1/g' sonarqube-results.json
@LvffY LvffY added the bug Something isn't working label Nov 25, 2021
@nunoocx nunoocx added the community Community contribution label Nov 25, 2021
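A slightly more defensive version of that post-processing step, added here as an example and not part of the issue or of KICS itself: it parses the report instead of pattern-matching the text, clamps any startLine below 1 (so it also covers the 0 case mentioned above) and reports how many locations it rewrote. The sample report is constructed from the findings quoted in the issue; the script name in the usage comment is a placeholder.

```python
import json
import sys

# Constructed sample, trimmed from the report format shown in the issue: the first and
# third findings carry the invalid startLine values (-1 and 0) that SonarQube rejects.
SAMPLE_REPORT = json.dumps({
    "issues": [
        {"engineId": "KICS v1.4.8", "ruleId": "581dae78-307d-45d5-aae4-fe2b0db267a5",
         "severity": "CRITICAL", "type": "CODE_SMELL",
         "primaryLocation": {"message": "Azurerm Container Registry Must Contain Associated Locks ",
                             "filePath": "create_acr.yml", "textRange": {"startLine": -1}}},
        {"engineId": "KICS v1.4.8", "ruleId": "487f4be7-3fd9-4506-a07a-eae252180c08",
         "severity": "CRITICAL", "type": "VULNERABILITY",
         "primaryLocation": {"message": "Query to find passwords and secrets in infrastructure code.",
                             "filePath": "group_vars/backends/vars.yml", "textRange": {"startLine": 15}}},
        {"engineId": "KICS v1.4.8", "ruleId": "da4f2739-174f-4cdd-b9ef-dc3f14b5931f",
         "severity": "MAJOR", "type": "CODE_SMELL",
         "primaryLocation": {"message": "Azure Virtual Network subnet must be configured with a Network Security Group",
                             "filePath": "create_vnet.yml", "textRange": {"startLine": 0}}},
    ]
})

def fix_start_lines(report: dict, min_line: int = 1) -> int:
    """Clamp every primaryLocation.textRange.startLine below min_line up to min_line, in place.
    Returns the number of locations rewritten. Unlike the sed one-liner this only touches the
    startLine key, and it catches 0 (and any other value below 1), not just -1."""
    changed = 0
    for issue in report.get("issues", []):
        text_range = issue.get("primaryLocation", {}).get("textRange") or {}
        start = text_range.get("startLine")
        if isinstance(start, int) and start < min_line:
            text_range["startLine"] = min_line
            changed += 1
    return changed

def fix_report_text(text: str) -> tuple[dict, int]:
    """Parse a sonarqube-results.json document, repair it and return (report, changed)."""
    report = json.loads(text)
    return report, fix_start_lines(report)

def start_lines(report: dict) -> list[int]:
    """The startLine of every issue, in report order (handy for checking the result)."""
    return [i["primaryLocation"]["textRange"]["startLine"] for i in report["issues"]]

if __name__ == "__main__":
    # Usage: python fix_sonar_lines.py sonarqube-results.json  (rewrites the file in place)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    report, changed = fix_report_text(text)
    if path:
        open(path, "w", encoding="utf-8").write(json.dumps(report, indent="\t") + "\n")
    print(f"rewrote {changed} startLine value(s)", file=sys.stderr)
```

Rewriting the value to 1 keeps the finding visible in SonarQube but pins it to the first line of the file, which is the same behaviour the maintainers' fix adopted for the cases where KICS cannot locate the line.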
@cx-joao-reigota
Collaborator

cx-joao-reigota commented Dec 20, 2021

Hi @LvffY, this issue has been fixed in PR #4583. From now on, when KICS fails to find the line containing the vulnerability, instead of setting the line to -1 it will set it to 1. It will be available in the next release. Thank you!
