Fix #1530: CS converter doesn't produce threadFlowLocation.location.

[ghost]

When the CS converter translates a sequence of propagation-event elements into a threadFlow, it populates each threadFlowLocation.stack from the propagation-event's stack sub-element. The converter also takes the propagation-event's signature sub-element and places it at the top of the stack.

But the converter does not populate threadFlowLocation.location, which confuses the VS Code Viewer, which expects location to be present. Sure, we could "fix" the viewer, but really, signature does specify the location, and we should populate it.

While looking at the code I found a couple more issues:

• The WebGoat.xml.sarif test file included run.language = "en-US", which is wrong because it's the default. I removed it. I have a fix in another branch for the test infrastructure bug that failed to detect this.
• "Fully qualified logical names" were not being handled consistently. Now, they never include the return type of the method, and the never include the argument signature. As a result, there are hundreds of line changes in WebGoat.xml.sarif test file. The important changes, for purposes of fixing the bug, is that every threadFlowLocation object now has location property in addition to the stack property.

[ghost]

@michaelcfanning is added to the review. #Closed

[ghost]

@harleenkohli is added to the review. #Closed

[ghost]

@rscrivens is added to the review. #Closed

[ghost]

LogicalLocationRegex [](start = 38, length = 20)

Moved down, right before the new method RemoveReturnTypeFrom. #ByDesign

[ghost]

fullyQualifiedLogicalName [](start = 57, length = 25)

There's no need to strip off the return type here, in this special case, because now we do it on every stack frame when we create it (see below). #ByDesign

[ghost]

Location [](start = 16, length = 8)

After all the fuss and bother, this one-liner is the fix for #1530. The rest was just making sure the fully qualified logical name was in the right form. #Resolved

[michaelcfanning]

i don't like what we've done to FQN, we've elided the information that qualifies one method overload over the other. this isn't heplful and will compromise result matching.

---

In reply to: 293025496 [](ancestors = 293025496)

[ghost]

Same as the other two comments -- I will restore the signature to the FQN.

---

In reply to: 293604799 [](ancestors = 293604799,293025496)

[ghost]

                  "location": {

The result of the fix: every threadFlowLocation object now has a location property. Rusty, note that you only get a logical location. The viewer needs to handle that case. #ByDesign

---

Refers to: src/Test.FunctionalTests.Sarif/v2/ConverterTestData/ContrastSecurity/WebGoat.xml.sarif:134 in 6a4b5d6. [](commit_id = 6a4b5d6, deletion_comment = False)

[ghost]

          "System.Web.HttpRequest.get_Form",

The first of hundreds of places where we stripped off the return type and the method signature from the fully qualified logical name, leaving just the namespace-qualified method name. #Resolved

---

Refers to: src/Test.FunctionalTests.Sarif/v2/ConverterTestData/ContrastSecurity/WebGoat.xml.sarif:113 in 6a4b5d6. [](commit_id = 6a4b5d6, deletion_comment = False)

[michaelcfanning]

                              "fullyQualifiedName": "System.Web.Hosting.PipelineRuntime.ProcessRequestNotification()"

why is this a good change? Removing the parens suggests we aren't providing params data, are we not? #Resolved

---

Refers to: src/Test.FunctionalTests.Sarif/v2/ConverterTestData/ContrastSecurity/WebGoat.xml.sarif:3049 in 6a4b5d6. [](commit_id = 6a4b5d6, deletion_comment = True)

[michaelcfanning]

                        "fullyQualifiedName": "System.String.Concat"

this isn't a fully qualified name, there are many string.concat overloads, so which one is this>? you need to populate this before doing the stack frame stripping, i think #Resolved

---

Refers to: src/Test.FunctionalTests.Sarif/v2/ConverterTestData/ContrastSecurity/WebGoat.xml.sarif:12246 in 6a4b5d6. [](commit_id = 6a4b5d6, deletion_comment = False)

[michaelcfanning]

🕐

[ghost]

                        "fullyQualifiedName": "System.String.Concat"

It was the same change that stripped off the return type. I'll restore the signature (including empty parens when there are no arguments).

---

In reply to: 501905176 [](ancestors = 501905176)

---

Refers to: src/Test.FunctionalTests.Sarif/v2/ConverterTestData/ContrastSecurity/WebGoat.xml.sarif:12246 in 6a4b5d6. [](commit_id = 6a4b5d6, deletion_comment = False)

[ghost]

                              "fullyQualifiedName": "System.Web.Hosting.PipelineRuntime.ProcessRequestNotification()"

It's not. I got overaggressive when I stripped off the return type. Will fix.

---

In reply to: 501904892 [](ancestors = 501904892)

---

Refers to: src/Test.FunctionalTests.Sarif/v2/ConverterTestData/ContrastSecurity/WebGoat.xml.sarif:3049 in 6a4b5d6. [](commit_id = 6a4b5d6, deletion_comment = True)

[ghost]

          "System.Web.HttpRequest.get_Form",

Per feedback, we now strip just the return type, and leave the argument signature.

---

In reply to: 501370995 [](ancestors = 501370995)

---

Refers to: src/Test.FunctionalTests.Sarif/v2/ConverterTestData/ContrastSecurity/WebGoat.xml.sarif:113 in 6a4b5d6. [](commit_id = 6a4b5d6, deletion_comment = False)

[michaelcfanning]