advanced-security
diff --git a/‎__tests__/main.test.ts‎
Lines changed: 72 additions & 0 deletions b/‎__tests__/main.test.ts‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎dist/index.js‎
Lines changed: 21 additions & 2 deletions b/‎dist/index.js‎
Lines changed: 21 additions & 2 deletions
diff --git a/‎dist/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/main.ts‎
Lines changed: 9 additions & 3 deletions b/‎src/main.ts‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎src/utils.ts‎
Lines changed: 13 additions & 0 deletions b/‎src/utils.ts‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎test-data/webgoat-with-security-standard-tag.sarif.expected‎
Lines changed: 1 addition & 1 deletion b/‎test-data/webgoat-with-security-standard-tag.sarif.expected‎
Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,79 @@
+import {normalizeCweId} from '../src/utils'
+
 describe('main', () => {
   it('placeholder test', () => {
     // This is a placeholder test to prevent Jest from failing
     // TODO: Add proper unit tests for the main module
     expect(true).toBe(true)
   })
+
+  describe('CWE ID normalization', () => {
+    it('should handle CWE IDs with leading zeros', () => {
+      // Test that 099 maps to 99
+      const normalizedId = normalizeCweId('099')
+      expect(normalizedId).toBe('99')
+    })
+
+    it('should handle CWE IDs without leading zeros', () => {
+      // Test that 89 maps to 89
+      const normalizedId = normalizeCweId('89')
+      expect(normalizedId).toBe('89')
+    })
+
+    it('should handle CWE IDs with multiple leading zeros', () => {
+      // Test that 020 maps to 20
+      const normalizedId = normalizeCweId('020')
+      expect(normalizedId).toBe('20')
+    })
+
+    it('should return null for non-numeric CWE IDs', () => {
+      // Test that invalid CWE IDs return null
+      const normalizedId = normalizeCweId('abc')
+      expect(normalizedId).toBeNull()
+    })
+
+    it('should return null for empty strings', () => {
+      // Test that empty strings return null
+      const normalizedId = normalizeCweId('')
+      expect(normalizedId).toBeNull()
+    })
+
+    it('should return null for strings with only spaces', () => {
+      // Test that strings with only spaces return null
+      const normalizedId = normalizeCweId('   ')
+      expect(normalizedId).toBeNull()
+    })
+
+    it('should handle strings with leading/trailing spaces', () => {
+      // Test that strings with spaces are parsed correctly
+      const normalizedId = normalizeCweId('  99  ')
+      expect(normalizedId).toBe('99')
+    })
+
+    it('should return null for negative numbers', () => {
+      // Test that negative numbers return null (CWE IDs should be positive)
+      const normalizedId = normalizeCweId('-99')
+      expect(normalizedId).toBeNull()
+    })
+
+    it('should handle strings with mixed alphanumeric characters (parseInt is lenient)', () => {
+      // Test that mixed alphanumeric strings are parsed leniently
+      // parseInt stops at first non-numeric character, so '99abc' becomes 99
+      // This is acceptable for our use case as malformed tags would be rare
+      const normalizedId = normalizeCweId('99abc')
+      expect(normalizedId).toBe('99')
+    })
+
+    it('should handle zero', () => {
+      // Test that zero is handled correctly
+      const normalizedId = normalizeCweId('0')
+      expect(normalizedId).toBe('0')
+    })
+
+    it('should handle zero with leading zeros', () => {
+      // Test that zero with leading zeros is handled correctly
+      const normalizedId = normalizeCweId('000')
+      expect(normalizedId).toBe('0')
+    })
+  })
 })
@@ -5,7 +5,7 @@ import * as core from '@actions/core'
 import {DOMParser} from '@xmldom/xmldom'
 import * as xpath from 'xpath'
 import {JSONPath} from 'jsonpath-plus'
-import {LogLevel, log} from './utils'
+import {LogLevel, log, normalizeCweId} from './utils'
 
 let sarifFilePath: string
 let outputFilePath: string
@@ -103,9 +103,15 @@ JSONPath({
     for (const tag of tags) {
       if (tag.startsWith(codeQlCweTagPrefix)) {
         const cweId = tag.replace(codeQlCweTagPrefix, '')
-        if (cweIds.includes(cweId)) {
+        // Normalize CWE ID by converting to integer to remove leading zeros
+        const normalizedCweId = normalizeCweId(cweId)
+        // Skip if the CWE ID is not a valid number
+        if (normalizedCweId === null) {
+          continue
+        }
+        if (cweIds.includes(normalizedCweId)) {
           tags.push(securityStandardTag)
-          tags.push(...cweCategories[cweId])
+          tags.push(...cweCategories[normalizedCweId])
           return
         }
       }
 
@@ -41,3 +41,16 @@ export function log(message: string, level = LogLevel.Info): void {
     }
   }
 }
+
+/**
+ * Normalize a CWE ID by removing leading zeros
+ * @param cweId - The CWE ID string (e.g., "099", "020", "89")
+ * @returns The normalized CWE ID string (e.g., "99", "20", "89") or null if invalid
+ */
+export function normalizeCweId(cweId: string): string | null {
+  const parsedCweId = parseInt(cweId, 10)
+  if (Number.isNaN(parsedCweId) || parsedCweId < 0) {
+    return null
+  }
+  return String(parsedCweId)
+}
Original file line number	Diff line number	Diff line change
`@@ -41,3 +41,16 @@ export function log(message: string, level = LogLevel.Info): void {`
`41`	`41`	`}`
`42`	`42`	`}`
`43`	`43`	`}`
	`44`	`+`
	`45`	`+/**`
	`46`	`+ * Normalize a CWE ID by removing leading zeros`
	`47`	`+ * @param cweId - The CWE ID string (e.g., "099", "020", "89")`
	`48`	`+ * @returns The normalized CWE ID string (e.g., "99", "20", "89") or null if invalid`
	`49`	`+ */`
	`50`	`+export function normalizeCweId(cweId: string): string \| null {`
	`51`	`+ const parsedCweId = parseInt(cweId, 10)`
	`52`	`+ if (Number.isNaN(parsedCweId) \|\| parsedCweId < 0) {`
	`53`	`+ return null`
	`54`	`+ }`
	`55`	`+ return String(parsedCweId)`
	`56`	`+}`