
fix: Add Unmapped CWE/Finding Warnings to All Parsers#290

Open
TheAuditorTool wants to merge 1 commit into OWASP-Benchmark:main from TheAuditorTool:feat/issue-7-cwe-mapping-warnings

Conversation

@TheAuditorTool

Add Unmapped CWE/Finding Warnings to All Parsers

Closes #7


What This Does

When a security tool reports a vulnerability type that a parser doesn't recognize, the parser should print a message so you know about it. Some parsers already did this, but others were silently discarding the finding. This update makes all parsers consistent: they all print a message now.

No scoring logic was changed. The only difference is that you'll see console messages when a parser encounters something new. The return values (what the scoring engine actually uses) are identical to before.

What You'll See in the Console

For parsers where the finding would be lost (returns 0 or -1):

WARNING: WebInspect-Unmapped rule: some-new-rule-id
WARNING: Parasoft-Unmapped finding category: SomeNewCategory

For parsers where the finding survives but wasn't explicitly mapped (CWE passes through):

INFO: Checkmarx - unmapped CWE: 917. Passing through as-is.
INFO: Veracode - unmapped CWE: 502. Passing through as-is.

These messages tell you exactly which parser saw the new value and what that value is, so you can add the proper mapping when you're ready.

Files Changed (18 files, all in score/parsers/)

Parsers that were silently dropping findings (added WARNING)

| Parser | What was silent |
|---|---|
| AppScanSourceReader | Unknown finding types returned 0 |
| FluidAttacksReader | Unknown categories returned 0 |
| ParasoftReader | Unknown categories returned -1 |
| SourceMeterReader | Unknown vulnerability types returned 0 |
| W3AFReader | Unknown finding names returned 0 |
| WebInspectReader | Unknown rules returned 0 |

Parsers that were silently passing CWEs through (added INFO)

| Parser | What was silent |
|---|---|
| AppScanDynamicReader | All CWEs passed through with no mapping |
| BearerReader | Unmapped CWEs passed through |
| CheckmarxESReader | Unmapped CWEs passed through |
| CheckmarxReader | Unmapped CWEs passed through |
| CoverityReader | Unknown checker names in V2 format |
| HCLAppScanStandardReader | Unknown finding types with raw CWE |
| KiuwanReader | CWEs not in the fix-up table |
| NetsparkerReader | CWEs not in the (very small) switch |
| VeracodeReader | CWEs not in the translation list |

Special cases

| Parser | What changed | Why |
|---|---|---|
| VisualCodeGrepperReader | Uncommented an existing println that was commented out | The warning was already written but disabled |
| ShiftLeftReader | Changed throw RuntimeException to println + return 0 | Unknown categories were crashing the parser instead of warning |
| HCLAppScanSourceReader | Removed the -DDEBUG gate on warnings | Warnings were only printed if you set a special JVM property |

What Was NOT Changed (and why)

Parsers that already warn properly (30 parsers) — no changes needed. These include: AcunetixReader, BurpReader, CASTAIPReader, CheckmarxIASTReader, ContrastAssessReader, CrashtestReader, FortifyReader, HorusecReader, InsiderReader, NJSScanReader, PMDReader, QualysWASReader, Rapid7Reader, ReshiftReader, SeekerReader, SemgrepReader, ShiftLeftScanReader, SnappyTickReader, SonarQubeJsonReader, SonarQubeReader, ThunderScanReader, WapitiReader, WapitiJsonReader, ZapJsonReader, and all SARIF-based readers.

Parsers with no CWE mapping (7 parsers) — these read the CWE number directly from the tool's output, so there's nothing to map and nothing to warn about: BlackDuckReader, FaastReader, FusionLiteInsightReader, JuliaReader, MendReader, NoisyCricketReader, ScnrReader.

Parsers from the original issue that no longer exist: HdivReader, LGTMReader, XanitizerReader, ShiftLeftNGSASTReader, ShiftLeftNGSASTReaderJSON. These were either removed or renamed since the issue was filed.

How to Verify

Run scorecard generation against any tool results you already have. The scorecards themselves will be identical — the only new output is console messages for unmapped values.
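As an added illustration of the two message kinds the description distinguishes (WARNING when the finding is dropped with a 0 return, INFO when an unmapped CWE passes through) and of the ShiftLeftReader change from throwing to warning, the following constructed Java class shows the three shapes side by side. It is example code written for this page, not part of this PR or of the Benchmark parsers; the class name, the category and fix-up tables, the "Example" prefix in the messages and the sample findings are all invented for the demonstration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Constructed example reader (not a Benchmark parser). It contrasts the
 * silent-drop, crashing and warning shapes for an unknown finding category,
 * and the pass-through-with-INFO shape for a CWE the fix-up table lacks.
 */
public class UnmappedWarningExample {

    // Assumed tool category -> CWE table (invented for this example).
    private static final Map<String, Integer> CATEGORY_TO_CWE = new HashMap<>();
    // Assumed CWE fix-up table: variant CWE -> CWE the scorer expects (invented).
    private static final Map<Integer, Integer> CWE_FIXUP = new HashMap<>();
    static {
        CATEGORY_TO_CWE.put("SQL Injection", 89);
        CATEGORY_TO_CWE.put("Command Injection", 78);
        CATEGORY_TO_CWE.put("Path Traversal", 22);
        CWE_FIXUP.put(564, 89); // Hibernate injection scored as SQL injection
        CWE_FIXUP.put(80, 79);  // basic XSS scored as XSS
    }

    // Remember what was already reported so each unmapped value prints once
    // (a choice made for this example; the PR itself just prints).
    private final Set<String> warnedCategories = new HashSet<>();
    private final Set<Integer> warnedCwes = new HashSet<>();

    /** "Before" shape: an unknown category returns 0 and leaves no trace. */
    static int cweForCategorySilent(String category) {
        Integer cwe = CATEGORY_TO_CWE.get(category);
        return cwe == null ? 0 : cwe;
    }

    /** Crashing shape (the ShiftLeftReader case): an unknown category aborts the run. */
    static int cweForCategoryThrowing(String category) {
        Integer cwe = CATEGORY_TO_CWE.get(category);
        if (cwe == null) {
            throw new RuntimeException("Unknown category: " + category);
        }
        return cwe;
    }

    /** "After" shape: the return value is still 0, but the loss is visible on the console. */
    int cweForCategory(String category) {
        Integer cwe = CATEGORY_TO_CWE.get(category);
        if (cwe == null) {
            if (warnedCategories.add(category)) {
                System.out.println("WARNING: Example-Unmapped finding category: " + category);
            }
            return 0; // finding is still not scored, exactly as before
        }
        return cwe;
    }

    /** Pass-through shape: an unknown CWE is kept as reported, with one INFO line. */
    int normalizeCwe(int reported) {
        Integer fixed = CWE_FIXUP.get(reported);
        if (fixed != null) {
            return fixed;
        }
        if (warnedCwes.add(reported)) {
            System.out.println("INFO: Example - unmapped CWE: " + reported + ". Passing through as-is.");
        }
        return reported;
    }

    public static void main(String[] args) {
        UnmappedWarningExample reader = new UnmappedWarningExample();
        // Constructed sample "tool output": one finding per line, "category,cwe".
        String[] lines = {
            "SQL Injection,89",
            "LDAP Injection,90",       // unknown category: WARNING; CWE 90 kept with INFO
            "LDAP Injection,90",       // repeated value: no second WARNING or INFO
            "Hibernate Injection,564"  // unknown category: WARNING; CWE 564 fixed up to 89
        };
        List<String> scored = new ArrayList<>();
        for (String line : lines) {
            String[] parts = line.split(",", 2);
            int byCategory = reader.cweForCategory(parts[0].trim());
            int byCwe = reader.normalizeCwe(Integer.parseInt(parts[1].trim()));
            // Prefer the category mapping; fall back to the tool's own CWE.
            int cwe = byCategory != 0 ? byCategory : byCwe;
            scored.add(parts[0] + " -> CWE " + cwe);
        }
        scored.forEach(System.out::println);
    }
}
```

Compile and run with `javac UnmappedWarningExample.java && java UnmappedWarningExample`. The scored list is the same whether `cweForCategory` or `cweForCategorySilent` is used, which is the property the description claims for the real parsers: only the console output differs. Printing each unmapped value once is this example's own refinement and is not something the PR does.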

Closes OWASP-Benchmark#7

18 parser files updated to print a console message when they encounter
an unmapped vulnerability type or CWE number. No changes to scoring
logic or return values — only console output added.

Parsers that silently dropped findings now print WARNING.
Parsers that silently passed CWEs through now print INFO.
ShiftLeftReader: changed RuntimeException to warning + continue.
HCLAppScanSourceReader: removed -DDEBUG gate on warnings.
VisualCodeGrepperReader: uncommented existing warning println.
@TheAuditorTool TheAuditorTool force-pushed the feat/issue-7-cwe-mapping-warnings branch from 803b93d to 6970c9a Compare April 13, 2026 17:17

Development

Successfully merging this pull request may close these issues.

Make sure ALL tool results parsers have default CWE conversion block
