C/C++: Paths reported in sarif results contain extra back slashes in latest version of CodeQL (2.19.2)

[jacob-ronstadt]

Description of the issue

Expr used as source in data flow. Source is a string that doesn't match a given pattern:
e.getValue().toString().toLowerCase().matches(pattern)

Source is used in the output message:
select f, message, source, source.asIndirectExpr().toString()

In the source code the string is a function argument hard-coded such as: L"\\some\\bad\\path\\test\\test.txt"

In the sarif file results from running codeql database analyze with --format=sarif-latest, the same source code, and using the same commands for building and analyzing the database, previous versions of CodeQL CLI (2.17.6 tested) show this as:
"message":{"text":"\\some\\bad\\path\\test\\test.txt"}}]}],
while CodeQL CLI 2.19.2 show:
"message":{"text":"\\\\some\\\\bad\\\\path\\\\test\\\\test.txt"}}]}],

[jketema]

Hi @jacob-ronstadt,

Thanks for the report. We're currently discussing internally whether this change is correct or not.

[aeisenberg]

For reference, it looks like when we fixed #15245, we inadvertently introduced this issue, related to this part of the SARIF spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/sarif-v2.1.0-errata01-os-complete.html#_Toc141790717. If I'm understanding correctly, only text inside of links should be double escaped. All other places should be escaped once.

[rvermeulen]

FYI, we have a remediation that is now under review.

[aeisenberg]

Can we close this issue?

[rvermeulen]

@jacob-ronstadt thanks again for reporting this. We addressed this and using the latest CodeQL CLI should result in properly escaped messages.

If you need further support, feel free to open a new issue.