CxFlow Bug Fix: SonarQube Issue Messages No Longer Truncated, Descriptions Enriched
A critical bug in the CxFlow security tool has been resolved, fixing a defect that caused SonarQube to receive and truncate massively bloated, repetitive issue descriptions. The core problem was a scoping error in the `generateScaResults` function, where a `messageBuilder` was incorrectly placed outside a loop. This caused each subsequent vulnerability finding for a given software package to accumulate and repeat all the text from prior findings, creating a 'wall-of-text' that SonarQube's systems would cut off mid-message, rendering reports incomplete and unreadable.
The fix restructures the code to properly scope the message builder, eliminating the text accumulation. More significantly, the update enriches the data payload sent to SonarQube. For Software Composition Analysis (SCA) findings, messages now include structured fields such as Vulnerability ID, Package name, Severity, CVSS Score, a clear Description, Published date, Recommended Fix, and a direct CVE Reference URL. For Static Application Security Testing (SAST) findings, messages are enhanced with the vulnerability name as a headline, the CWE ID, and a link to the MITRE ATT&CK framework. The SAST `ruleId` format is also standardized to `CWE-NNN` for better rule identification within SonarQube.
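To make the scoping defect concrete, here is an added illustration written for this page, not CxFlow's own code: the `ScaFinding` record, the `buggyMessages`/`fixedMessages` helpers and the sample findings are hypothetical, and it contrasts a builder declared outside the loop (the accumulation bug) with a per-finding builder that emits the structured SCA fields listed above.

```java
import java.util.ArrayList;
import java.util.List;

public class ScaMessageExample {
    // Hypothetical finding shape for illustration; CxFlow's real model differs.
    record ScaFinding(String vulnId, String pkg, String severity, double cvss,
                      String description, String published, String fix, String cveUrl) {}
    // Before the fix: one builder for the whole loop, so finding N's message
    // carries the text of findings 1..N-1 and keeps growing.
    static List<String> buggyMessages(List<ScaFinding> findings) {
        List<String> out = new ArrayList<>();
        StringBuilder messageBuilder = new StringBuilder();   // scoped outside the loop
        for (ScaFinding f : findings) {
            messageBuilder.append(f.vulnId()).append(" in ").append(f.pkg())
                          .append(": ").append(f.description()).append('\n');
            out.add(messageBuilder.toString());                // prior findings leak in
        }
        return out;
    }

    // After the fix: a fresh builder per finding, emitting the structured fields.
    static List<String> fixedMessages(List<ScaFinding> findings) {
        List<String> out = new ArrayList<>();
        for (ScaFinding f : findings) {
            StringBuilder messageBuilder = new StringBuilder();   // scoped inside the loop
            messageBuilder.append("Vulnerability ID: ").append(f.vulnId()).append('\n')
                          .append("Package: ").append(f.pkg()).append('\n')
                          .append("Severity: ").append(f.severity()).append('\n')
                          .append("CVSS Score: ").append(f.cvss()).append('\n')
                          .append("Description: ").append(f.description()).append('\n')
                          .append("Published: ").append(f.published()).append('\n')
                          .append("Recommended Fix: ").append(f.fix()).append('\n')
                          .append("CVE Reference: ").append(f.cveUrl());
            out.add(messageBuilder.toString());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample findings; CVE ids and URLs are placeholders, not real advisories.
        List<ScaFinding> findings = List.of(
            new ScaFinding("CVE-XXXX-0001", "example-lib:1.0", "High", 7.5, "Constructed description A",
                "2024-01-01", "Upgrade to 1.1", "https://example.invalid/CVE-XXXX-0001"),
            new ScaFinding("CVE-XXXX-0002", "example-lib:1.0", "Medium", 5.3, "Constructed description B",
                "2024-02-01", "Upgrade to 1.2", "https://example.invalid/CVE-XXXX-0002"));
        // The second buggy message still contains the first finding; the fixed one does not.
        System.out.println("buggy leaks prior finding: " + buggyMessages(findings).get(1).contains("CVE-XXXX-0001"));
        System.out.println("fixed leaks prior finding: " + fixedMessages(findings).get(1).contains("CVE-XXXX-0001"));
    }
}
```

With hundreds of findings, the buggy variant's last message is the concatenation of every earlier one, which is exactly the wall of text SonarQube truncated; the fixed variant's message size depends only on the finding's own fields.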
Testing on a project with 338 SCA findings confirmed the fix's effectiveness. Post-update, all generated messages fell within a targeted 300–800 character range, with zero messages exceeding 2000 characters. This resolves a significant data fidelity issue for security teams relying on the CxFlow-to-SonarQube integration, ensuring vulnerability details are transmitted completely and structured for actionable analysis, rather than being lost to truncation.