rules 1011 2008 (split from original) #1921
Conversation
@@ -60,6 +60,8 @@ protected override SarifValidationContext CreateContext(ValidateOptions options, | |||
|
|||
if (!string.IsNullOrEmpty(sarifText)) | |||
{ | |||
// DISCUSS IN PR: Deserializing the object here injects "$Schema" property, corrupting our test for | |||
// SARIF2008_ProvideSchema |
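Review bot: the `// DISCUSS IN PR` comment inside the `if (!string.IsNullOrEmpty(sarifText))` branch should not be merged as-is; it records an open question rather than documenting behaviour. The point it raises is real: deserializing the input here injects a `$schema` property, so a SARIF2008_ProvideSchema test that goes through this path would pass even when the original file had no `$schema`. Resolve it by having the rule read the presence of `$schema` from the raw input token rather than from the deserialized object, then delete the comment.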
Larry - need to discuss how to solve this. #Closed
This is also a possible bug in our Validate command. Isn't it? If you confirm, I can log a bug, mark the test cases as ignored and move on for now.
Yes, change to SARIF2008 is the right fix.
Text = RuleResources.SARIF2008_ProvideSchema_FullDescription_Text | ||
}; | ||
|
||
public override FailureLevel DefaultLevel => FailureLevel.Error; |
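Review bot: `DefaultLevel => FailureLevel.Error` is too severe for a missing `$schema`; the review comment on this line asks for `FailureLevel.Warning`. When the level changes, rename the resource strings that carry the level in their names so the `RuleResources.SARIF2008_ProvideSchema_*` identifiers referenced in the hunk stay consistent with the rule's actual severity.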
Error
Warning (so rename resource strings accordingly). #Closed
|
||
protected override void Analyze(SarifLog log, string logPointer) | ||
{ | ||
if (!Context.InputLogToken.HasProperty("$schema")) |
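Review bot: checking `Context.InputLogToken.HasProperty("$schema")` against the raw input token is the right choice here, because the deserialized `SarifLog log` parameter cannot be trusted for this check (the earlier hunk notes that deserialization injects a `$schema` property). Add a one-line comment stating why the raw token is consulted instead of `log`, so a later cleanup does not "simplify" the check back to the object model; the literal must also stay exactly `$schema`, since JSON property names are case-sensitive.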
Yes! #Closed
* Users/hakohli/validation rules defaultmsgs (#1917)
* remove stale rule references - 1006 and 1009
* house keeping changes for 1001
* more cleanup - remove fulldescription private field
* updates after decisions on resx naming
* sarif file rule name should be shorter
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* sarif validation rules 1002 1006 2001 (#1918)
* changing rule ids only
* updating rule names and message ids
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Validation rules: 1005 1008 1009 1010 (#1920)
* rules 1011 2008 (split from original) (#1921)
* rule id changed and tested
* changing rule name and tested
* description resx id updated
* resx updated and test cases regened
* final changes after splitting the rule in two.
* reviews++
* fix one thing
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* rule 1007 (combine) (#1922)
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* validation rule 1004 (#1923)
* renaming ruleid and tested
* rulename changed and tested
* description resx changed
* merged test cases into one rule
* cleanup and reordering
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Adding rule SARIF2005.ProvideHelpfulToolInformation (#1926)
* Adding ContextRegionMustBeProperSupersetOfRegion to SARIF1008. (#1925)
* Fix test break due to failure to pre-merge. (#1928)
* validation rule sarif1004 (#1930)
* changing file contents to follow conventions
* validation rule 1004
* reviews++
* tiny thing ;)
* another tiny thing!
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Add rules spreadsheet and document. (#1931)
* Provide messages for SARIF1005. (#1934)
* validation rule sarif1002 (part 1) (#1933)
* formatting changes only
* sub-rule: FileUrisMustNotIncludeDotDotSegments
* another test case output
* removing branch comments from newly written rules.
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Adding rule SARIF2001.AuthorHighQualityMessages (#1929)
* sarif1007 subrule: RegionStartPropertyMustBePresent (#1935)
* changing file formatting per convention
* adding sub-rule: RegionStartPropertyMustBePresent
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Update rules factoring spreadsheet. (#1936)
* Update version-related comment in rules spreadsheet. (#1937)
* Update coding status on spreadsheet.
* Adding Rule SARIF2009 Adding tests
* Update rule status spreadsheet.
* code review - 1
* code review - 2
* code review - 3
* code review - 4
* code review - 5
* code review - 6
* Standardize and add messages to SARIF1001.
* Provide messages for SARIF1002 (except for the RFC 8089 message).
* Provide messages for SARIF1007.
* Rename SARIF2005 to ProvideToolProperties.
* Adding rule SARIF2004.OptimizeFileSize: EliminateLocationOnlyArtifacts (#1939)
* Provide messages for SARIF2001; update code to populate arguments.
* Provide message strings for SARIF1006.
* Move a rule description message to the right place.
* Standardize and provide messages for SARIF1009.
* Add description for SARIF1009.
* Reformat SARIF1005, update spreadsheet. (#1940)
* Author "Principles" section. (#1941)
* More about tool information.
* Copy edits to "Principles" section.
* More spreadsheet updates.
* More spreadsheet updates.
* More spreadsheet updates.
* More spreadsheet updates.
* More spreadsheet updates.
* adding placeholders for all resource strings and rule ids. (#1943)
* adding placeholders for all resource strings and rule ids.
* remove unneeded using reference
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Adding rule SARIF1012 (#1944)
* More spreadsheet updates.
* Adding Rule SARIF2006 (#1942)
* Adding rule SARIF2002 (#1946)
* More spreadsheet updates, a little document work.
* Adding Rule SARIF2003 (#1947)
* More spreadsheet updates and document work.
* Adding Rule SARIF2011 (#1948)
* split rule sarif2001 into multiple (#1945)
* rename original rule - tested
* copies of the same rule created
* added test cases
* cleaned up resx strings
* pushing changes so far - 2 test cases fail
* expected outputs
* fixes for test cases
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* More spreadsheet updates and document work.
* Adding Rule SARIF2012 (#1949)
* More spreadsheet updates and document work.
* Add rule SARIF2004.OptimizeFileSize.EliminateIdOnlyRules (#1950)
* sub-rule added
* reviews answered and merge from latest features branch
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* More spreadsheet updates and document work.
* More spreadsheet updates and document work.
* More spreadsheet updates and document work.
* Adding rule SARIF2013 (#1951)
* More spreadsheet updates and document work.
* Updating Rule SARIF2009 and SARIF2014 (#1954)
* Update spreadsheet.
* sarif validation rule 2010 - provide code snippets (#1953)
* rule + test cases
* reviews++
* remove blank line
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Updating rules based on the guidelines (#1955)
* More spreadsheet updates and document work.
* Update spreadsheet.
* Document: "high quality" => "effective" everywhere.
* Document: Split up "enriched SARIF" rule.
* Author messages for SARIF2008.ProvideSchema.
* Remove obsolete "uriBaseId conventions" text.
* Rule description for SARIF2007.ExpressPathsRelativeToRepoRoot
* Fix ExpressUriBaseIdsCorrectly messages.
* Fix doc errors; update spreadsheet.
* user msgs verified for 1006 to 1010 (#1957)
* user messages updated for 1006 to 1010
* adding period back for 1008 description
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Adding Rule SARIF2007 (#1958)
* Bugfix null reference Rule SARIF2007 (#1959)
* Update spreadsheet: last rule written!
* Introduce SARIF1003 in spreadsheet.
* user msgs verified for 1001 to 1005 (#1956)
* user msgs verified for 1001 to 1005
* changing implementation for one sub-rule
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Fix missing cross-ref in doc.
* Remove backticks from plain text message.
* user messages for rules 1011, 1012, 2001, 2002. (#1960)
* user messages for rules 1011, 1012, 2001, 2002.
* fixing wrong message
* fixed updated string and merge from features
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Fix 2005 messages.
* user msgs verified for 2005 2008 2009 (#1961)
* user msgs verified for 2005, 2008, 2009
* 2005 msgs updated
* proof read 2008 & 2009
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Doc update for 2005/8/9.
* user msgs verified for 2014 & 2015 (#1965)
* user msgs verified for 2014 & 2015
* proof read 2014 and 2015
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Doc update for 2014/15.
* Restoring original functionality for sub rule: UriBaseIdRequiresRelativeUri (#1967)
Authored-by: Harleen Kaur Kohli
* Spreadsheet update for 1004.
* Update messages and code for SARIF1004. (#1968)
* Fix bug in 1012. (#1969)
* Provide messages for SARIF2003.ProvideVersionControlProvenance. (#1970)
* Provide messages for SARIF2004.OptimizeFileSize. (#1973)
* Provide messages for SARIF2006.MessagesShouldBeReachable. (#1974)
* Provide messages for SARIF2007.ExpressLocationsRelativeToRepoRoot. (#1975)
* Provide messages for SARIF1012.ProvideHelpUris. (#1976)
* Provide messages for SARIF2013.ProvideEmbeddedFileContent. (#1977)
* Fix broken functional test due to typo in message. (#1978)
* Provide messages for SARIF2010.ProvideCodeSnippets. (#1979)
* Provide messages for SARIF2011.ProvideContextRegion. (#1980)
* Remove overactive assertion. (#1981)
* Fix empty 2005 message (wrong argument order to LogResult). (#1982)
* Update release history and bump minor version number. (#1983)
* Update version
Co-authored-by: Harleen Kaur Kohli <hakohli@microsoft.com>
Co-authored-by: Eddy Nakamura <eddynaka@gmail.com>
Co-authored-by: Larry Golding (Myriad Consulting Inc) <v-lgold@microsoft.com>
Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>
Co-authored-by: Michael Fanning <mikefan@microsoft.com>
* Honor insert and remove arguments for rebase uri command. (#1927)
* Add data insert/removal to rebase uri command.
* Update release notes for rebase uri command.
* Remove console message.
* Rule validation request template (github issue) (#1903)
* first draft for Rule Request template.
* updated - merged with Larry's version.
* deleting original
* reviews++
* removing stuff that "hits in the face" :D
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* rule validation template file (#1902)
* first draft
* improving comments and wordsmithing
* updates after Principles conversation this morning.
* reviews++
* typo :O
* another typo :)
* reviews++
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Create 'SARIF Validation Rule Authoring Principles' doc. (#1906)
* Create 'SARIF Validation Rule Authoring Principles' doc.
* Add periods to sentences; complete incomplete principle.
* Rewrite after discussion with Michael and team.
* Fix typos.
* Fix a typo.
* First half of rule factoring: existing rules.
* Correct description of rule number ranges.
* Fix a typo.
* Finish first draft.
* Add missing separator.
* Wordsmith a heading.
* Changes per HK review.
* Finish HK review.
* Incomplete 'Contributing a rule' doc, derived from BinSkim.
* Start rule factoring spreadsheet.
* Finish first cut at rule factoring spreadsheet.
* Fix typos.
* Update rules spreadsheet per MF review.
* Update rules spreadsheet; add Rule Messages doc.
* Finish strings for 2009; add 'Message status' column.
* Incorporate Introduction.
* Update Rule Messages with Introduction.
* Remove redundant file; rename real one.
* Message refinements.
* Rename 'Producing' doc and tweak intro.
* Author messages for SARIF2002.UseMessageArguments.
* Author messages for SARIF1012.MessagePropertiesMustBeConsistent.
* Serialization Consistency fixes (#1924)
* Serialization consistency fixes.
  - Ensure DateTimeConverter used for all DateTime properties.
  - Reimplement SerializedPropertyInfoConverter to copy tokens rather than loading to JToken and serializing again.
  - Make PropertyBagConverter use SerializedPropertyInfoConverter for values.
* Reset build.props to next logical version.
* Updated OM based on CodeGenHints.
* Release notes update
* Fix #1915: Allow result message to be truncated (#1932)
* Fix #1915: Allow result message to be truncated
* Address PR feedback; update release history.
* Restore accidentally deleted Autogenerated files.
* Restore erroneously deleted const.
* Add comments for "horizontal ellipsis".
* Upgrade netcoreapp from Multitool (#1962)
* Upgrade netcoreapp from Multitool update
* adding system.runtime
* Remove extra version header from release history. (#1985)
* Remove extra version header from release history.
* Increase a test timeout.
* Increase timeout on a test that fails on one of the VMs.
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Guarantee "execute" permissions for NPM package. (#1986)
* Chmod for Darwin.
* Chmod for Linux.
* Fix.
* Merge feature branch with new SARIF validation rules (#1984)
* marking webrequest perf test to be ignored due to its flakiness. (#1987)
* marking perf test to be ignored due to its flakiness.
* Update skip description.
Co-authored-by: Harleen Kaur Kohli <erferferfg>
Co-authored-by: Michael Fanning <mikefan@microsoft.com>
* Make all Multitool command and options classes public, (#1988)
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Bump lodash from 4.17.14 to 4.17.19 in /src/ESLint.Formatter (#1999)
  Bumps [lodash](https://github.com/lodash/lodash) from 4.17.14 to 4.17.19.
  - [Release notes](https://github.com/lodash/lodash/releases)
  - [Commits](lodash/lodash@4.17.14...4.17.19)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Updating SARIF2004 (#1995)
* Updating SARIF2004
* code review - 1
* code review - 2
* code review - 3
* Adding Extension and tests
* Updating tests and sarif files
* adding more cases to unit test
* code review - 4
* code review - 5
* updating order
* updating texts
* updating texts
* Bump version to 2.3.3; update release history. (#2006)
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Adding rule SARIF2016 (#1996)
* Adding rule SARIF2016
* updating tests
* Modify sample to use uriBaseIds (#2002)
* Modify sample to use uriBaseIds.
* Add TryReconstructAbsoluteUri unit test for missing trailing slash.
* Shorten and move comment.
* Introduce string constants.
* Add SarifLogger tests for run enhancement.
* Add a period.
* Test population of artifact contents in presence of uriBaseId.
* Add tests for GetEncodingFromName.
* Remove renamed-and-mostly-changed file.
* Fix file-scheme-related bug in UriConverter.
* Test for analysis targets with encoding and contents.
* DRY out "file" scheme constant.
* Mentioned fix for #2001 in release history.
* Remove extra blank line.
* Fix typo in comment.
* Fix another typo.
* Add version control provenance; change to REPO_ROOT.
* Visit results to provide region snippets.
* Clean up InsertOptionalDataVisitorTests
* Add unit test for visiting individual result.
* Add rule help URIs to test data.
Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>
* Update release history for SARIF2016. (#2010)
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Sarif SDK fixes during Fortify conversion comparison testing (#2011)
* Fix Sarif.Multitool duplicate files in nupkg issue!
* Update SarifTrim to match new Newtonsoft reference version.
* Fix SarifLogger NullRefException when Results don't have a RuleId set.
* FortifyFprConverter: More efficient code when ContextRegions excluded.
* switching test cases titles and adding a new case (#2012)
Co-authored-by: Harleen Kaur Kohli <erferferfg>
* Fortify FPR converter fixes (#2014)
* FortifyFpr converter improvements.
* Fix typo in file.
* Code changes to converter
* Add DSP ingestion visitor.
* Files to demonstrate Fortify DSP progress.
* Update script to auto-gen drive letter based on script path.
* Update replacement logic.
* Update tests based on Fortify FPR converter and page command improvements.
* Remove test files for now.
* Delete test files.
* Fix #2009: Don't require per-test config files in validator functional tests. (#2013)
* Don't disable rules in the default configuration file.
* Eliminate config files.
* Finish refactoring.
* Fix #2009: Don't break tests when new rules are introduced.
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Fix #2003: Don't report missing snippet if file content is present. (#2019)
* Checking artifacts before snippet
* code review - 1
* code review - 1
* code review - 2
* Code review - 2
* code review - 3
* code review - 3
* Fix broken functional test. (#2020)
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Update merge command to allow splitting merged results again along a rule boundary. (#2023)
* Introduce GitHub DSP analysis rules (#2021)
* Bump version; update release history.
* Add GitHub DSP policy file.
* Fix broken functional test.
* Add user-facing strings for SARIF2017.
* Define rule id for SARIF2017.
* Introduce SARIF2017.LocationsMustHaveRequiredProperties.
* Add "valid" functional test for SARIF2017.LocationsMustHaveRequiredProperties.
* Add "invalid" functional test for SARIF2017.LocationsMustHaveRequiredProperties.
* Cover case where result.locations is empty.
* Move location property bags up to expose JPointer bug.
* Introduce Skimmer.EnabledByDefault
* Skimmer: Populate DefaultConfiguration so it appears in rule metadata.
* Don't execute default-disabled rules unless the configuration enables them.
* Add first rule to policy file; add file to solution.
* Add DSP XML config file.
* Remove associated tool GUID from SARIF config file.
* Update solution file for renamed policy file.
* Adjust line numbers to fix test broken by JPointer bug.
* Update a comment.
* Rename misnamed resource strings.
* Implement SARIF2018.InlineThreadFlowLocations.
* Implement SARIF2019.RegionsMustProvideRequiredProperties.
* Update policy files for SARIF2019.
* Implement SARIF2020.ReviewArraysThatExceedConfigurableDefaults.
* Fix broken formatted messages; improve messages.
* Fix naming errors in policy files and a bug in SARIF2019.
* Implement SARIF2021.LocationsMustBeRelativeUrisOrFilePaths.
* Implement SARIF2022.ProvideCheckoutPath.
* SARIF2017 now covers related locations.
* SARIF2017: Add tests for relatedLocations.
* SARIF2017: Really add relatedLocations logic this time.
* Rename "policy" files to "config".
* Protect SARIF1004 against a null ref.
* Correct user-facing strings for SARIF2019 to match DSP behavior.
* Improve user-facing strings for SARIF2021.
* Avoid null ref in SARIF2022.
* Implement SARIF2023.RelatedLocationsMustProvideRequiredProperties.
* Update test for changed message.
* Fix typo in summary comment.
* Refactor SARIF2021 to prepare for related locations.
* Apply SARIF2021 to related locations.
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Include GitHub DSP policy file in MultiTool NuGet package. (#2030)
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Defer loading of the filing client until it's used. (#2038)
* Rename the 'guid' property to 'logId'. (#2037)
  LogId is more descriptive and easier to understand.
* Add GitInformation helper. (#2035)
* Add GitInformation helper.
* Add unit test for ArtifactLocation.ToLocation.
* Add VersionControlInformation to OptionallyEmittedData.
* Add comment explaining path replacement.
* DRY out calculation of repo root.
* Compensate for varying repo root.
* Compensate for enlistment root's artifact.
* PR feedback.
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Improve package creation (#2032)
* DRY out declaration of TargetFrameworks.
* Ensure Multitool netcoreapp3.1 publishing directory is created.
* Create a dependency package for Multitool.
* Create WorkItems package, needed by Multitool.Library package.
* Address PR feedback.
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Revert "Improve package creation (#2032)" (#2048)
  This reverts commit ee6ab47.
Co-authored-by: Larry Golding <lgolding@comcast.net>
* SARIF2005.ProvideToolProperties: Allow dottedQuadFileVersion; require informationUri. (#2044)
  The following requirements on rule `SARIF2005.ProvideToolProperties` are related to ensuring that SARIF log files are "fit for purpose" for automatic bug filing:
  - Allow `dottedQuadFileVersion` to satisfy the requirement that version information be present.
  - Require `informationUri`.
  The set of version properties that satisfy the version information requirement is configurable. By default, any of the three properties `version`, `semanticVersion`, or `dottedQuadFileVersion` will do. The requirement that `informationUri` be present can also be turned off in the rule configuration. See [Appendix: Fitness for purpose: Automatic bug filing](https://github.com/microsoft/sarif-tutorials/blob/users/lgolding/fitness-for-purpose/docs/Fitness-for-purpose-automatic-bug-filing.md) in the [SARIF Tutorials](https://github.com/microsoft/sarif-tutorials)
* Rebase absolute URIs relative to the closest enclosing repo root. (#2047)
* Renaming DSP rules (#2049)
  Rename the analysis rules that ensure compatibility with the GitHub Developer Security Portal (DSP). Give them the prefix "DSP". This way we don't have to worry about reserving a numeric range for them.
* Rename SARIF2012 and add check for friendly name (#2031)
  Rename `SARIF2012` from `ProvideHelpUris` to `ProvideRuleProperties`. In addition to checking for the `helpUri` property, it now also checks for the `name` property, and checks whether `name` is in the form of a single Pascal case identifier.
* Mention VersionControlInformation to Multitool help (#2051)
  As of cef88f8, the `rewrite` command's `--insert` option accepts the value `VersionControlInformation`. When this value is specified, the command populates `run.versionControlProvenance`. In addition, any absolute URI that points into a Git repo is rewritten as a relative reference with respect to the nearest enclosing repo root. We neglected to mention the new value in the command line help; do that now. Also, we note that the description of the `rewrite` command did not at all say what the command actually does. Fix that.
Co-authored-by: Larry Golding <lgolding@comcast.net>
* Enable rule documentation export in multitool (#2052)
  Add a multitool command `export-rule-documentation` that creates a Markdown file containing information from the rule metadata, driven by the set of `SarifValidationSkimmerBase`-derived classes in the multitool assembly.
* Minor change in ESLint.Formatter/readme.MD (#2059)
* Fix GitHubDspIngestionVisitor (#2061)
  Add file-based unit tests for the `GitHubDspIngestionVisitor` and fix the bugs that they reveal:
  - #2058: GitHubDspIngestionVisitor limits number of results only if some of them are non-errors
  - #2060: GitHubDspIngestionVisitor removes codeFlows entirely rather than inlining threadFlowLocations
  When inlining `threadFlowLocations`, we have to take care to distinguish those properties that are shared among all usages of a given location (for example, the `location` and `module` properties) from those properties that vary across usages (for example, `executionTimeUtc` and `state`). The `location.message` requires special handling because we do want to take `location` from the shared object, but we don't necessarily want to take `location.message`. Finally, we merge the property bags, preferring the values in the per-usage property bag if there are any overlaps. We also have to merge property bags when inlining artifact locations.
* Extract Sarif.Multitool.Library from Sarif.Multitool (#2054)
  We extract almost all the functionality from the `Sarif.Multitool` exe project into a separate library project `Sarif.Multitool.Library`. We continue to build a "DotnetTool package" from `Sarif.Multitool`, but now we also build a "Dependency" package from `Sarif.Multitool.Library`. This allows other projects to consume the library and access its public API. The motivation for all this is to expose the "normalization API" (which is actually just an invocation of the `RewriteCommand` with certain options) so that it can be consumed. NOTE: We ended up having to create a package from the `WorkItems` project, which we hadn't previously done, to get the `Sarif.Multitool.Library` package to build.
* Update GitHub brand names (#2069)
  This resolves some brand inconsistencies in the SARIF SDK for some of the GitHub-specific validation rules. DSP is our internal organization name, but not our official product name, so I went and made a bunch of changes to align with the guidance from marketing. Changes tweaked by @lgolding: Rule prefix is now `GH`, all test files now have the appropriate prefix, and I polished a few user-facing strings.
* Fix a couple of edge cases that cause the ESLint formatter to create invalid SARIF files (#2068)
* Only add shortDescription to a rule if a description exists. Otherwise the output is an invalid SARIF file with a missing text field.
* Add a test for valid SARIF from a custom rule with no description.
* Only add `startLine` / `startColumn` if they are > 0.
* Add a test for invalid column number.
* Moving ExportRuleDocumentationCommand to Driver (#2066)
* Update nuget.exe. Remove duplicate files from package. Resolve nuget.exe warning re: icon use. (#2074)
* Update release file and version for 2.3.6 (#2076)
* Remove package file contents duplication. (#2078)
* ESLint.Formatter - Add ESLint version to run.tool.driver #2070 (#2071)
  Also:
* Bump SARIF schema version to 2.1.0-rtm.5 (final public standard version).
* Move chai and mocha into devDependencies.
* Refactor the SARIF Multitool unit tests (#2075)
  Since we have factored a library out of `Sarif.Multitool`, we should factor the tests as well. At first I thought this was a pure rename, since the only file left in `Sarif.Multitool` was `Program.cs`, and (as far as I knew) there were no tests for `Program.cs` (which does nothing but dispatch the verb to the appropriate command class). But it turns out that there is exactly one test which does call `Program.cs` directly (whether it _should_ is another question), so I have retained the project `Test.UnitTests.Sarif.Multitool` to hold that one test, and moved all the others into `Test.UnitTests.Sarif.Multitool.Library`. Only two test classes required changes due to the move:
  - `GenericCommandTests.cs`
  - `MergeCommandTests.cs`
* Exposing commands to multitool (#2073)
* Exposing commands to multitool
* code review - 1
* renaming commands
Co-authored-by: Michael Fanning <mikefan@microsoft.com>
* Adding Delete in IFileSystem (#2072)
* Adding Delete in IFileSystem updating text
* code review - 1
* renaming methods
* renaming methods
* Fix #2062: LGTM "could not build merge commit" (#2067)
* Fix LGTM by adding new Multitool library project to CodeQL solution.
* Add explicit reference to newtonsoft JSON package.
Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Michael Fanning <mikefan@microsoft.com>
* Add explicit reference to newtonsoft. Update to 11.0.2. Update to minimist 1.2.3 (#2093)
* Add explicit reference to newtonsoft. Update to 11.0.2.
Update to minimist 1.2.3. * Restore fluent assertions reference.: * Implement converter from FlawFinder's CSV output format (#2088) * Update option help text. * Introduce NYI exception-throwing converter. * Require input stream. * Require result log writer. * Converter creates empty log file -- test incomplete. * "No results" test passes. * Convert each CSV row to a dummy SARIF result. * Populate ruleId. * Populate message. * Populate level. * Extract a method. * Rename a method. * Populate locations (and thus artifacts). * Populate result.properties["Level"]. * Refactor to carve out a place for rules production. * Populate rules. * Populate partial fingerprints. * Remove unused resources. * Bump version and update release history. * Populate snippets. * Use Category/Name as the rule id. Co-authored-by: Larry Golding <lgolding@comcast.net> * Fix #2084 (GitHub related location message); Fix #2085 (GitHub invocations) (#2086) * Remove GH1007.ProvideRequiredRelatedLocationProperties. * Rename file GitHubDspIngestionVisitor.cs to GitHubIngestionVisitor.cs (class already has correct name). * Don't insert placedholder related locations message. * Remove obsolete test. * Don't remove invocations. Co-authored-by: Larry Golding <lgolding@comcast.net> * Fixing index out of range in baseliner (#2102) * Fixing index out of range in baseliner * Adding resultmatching test to validate before/after change * Addressing michael's comments * Adding setter to GitExePath (#2110) * Adding setter to GitExePath * adding tests and change to changelog * Checking PATH environment variable (#2107) * Checking PATH environment variable * creating file searcher helper, adding tests * code review & update in changelog * updating error comment * fixing tests * Fix #2089: GitHub policy should not turn off any note level rules (#2096) * Fix #2089: GitHub policy should not turn off any note level rules * Elevate two rules and (correctly) disable one. * Update release history. 
Co-authored-by: Larry Golding <lgolding@comcast.net> Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com> * Export docs when packing (#2087) * Generalize and harden docs exporter (#2082) * Generalize and harden docs exporter merge * code review - 1 * code review - 2 Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com> * Fix #2090: Validator should warn of leading / in relative artifact location URIs (#2095) * Fix #2090: Validator should warn of leading / in relative artifact location URIs * Update release history. * Remove unnecessary "== true". Co-authored-by: Larry Golding <lgolding@comcast.net> Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com> * Fix up test break. Mark doc comment warnings as silent for now. (#2112) * Fix #2098: Make pretty-print the default output format (#2100) * Fix #2098: Make pretty-print the default output format Introduce a new command line option `--minify`. If neither `--minify` nor `--pretty-print` is specified, `--pretty-print` is set to true. If both `--minify` and `--pretty-print` is specified, parameter validation fails. * Minor cleanups. * Fix up root namespace in a test project. * Introduce fit-for-purpose error message. * DRY out options validation. * Avoid writing a file just to verify command line options. * Remove unused static field. * Update release history. Co-authored-by: Larry Golding <lgolding@comcast.net> * Support queries against properties in the result's and the rule's property bags (#2065) * Introduce a test file for property bag queries. * Support string-valued result properties. * Support string-valued rule properties. * Clarify property bag query syntax and restore ability to recognize invalid property names. * Compare property bag properties case-insensitively. * Handle integer-valued properties. * Update version number and release history. * Handle float properties. * Generalize exception messages. * Separate property bag tests. * DRY out test setup into a fixture. 
* Restore erroneously edited comment. * Simplify query syntax by inferring whether string or numeric comparison was desired. * Fix up test project file. * Remove unnecessary else. * Case-sensitive property name comparison with minimal code change. * Simplify code. * Bump version, correct release history. Co-authored-by: Larry Golding <lgolding@comcast.net> Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com> * Compute and Apply policies (#2109) * Compute and Apply policies * adding tests + reorganization * michael's code review - 1 * adding parameter names and renamings * Policies won't be static, because it can lead to errors * updating changelog Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com> * Simplifying tests and adding fix in changelog (#2111) * Simplifying tests and adding fix in changelog * Renaming parameters and changing to show literals * fixing test Co-authored-by: Michael Fanning <mikefan@microsoft.com> * Creating FileSystem singleton (#2115) * Creating FileSystem singleton * Larry's code review - 1 * Larry's code review - 2 * updating last filesystem * Implementing Formatting property+ fixes (#2121) * Implementing GetFormatting helper + fixes * from method to property * changing from "" to string.empty * Adding command policy to multitool (#2118) * Adding command policy to multitool * updating changelog * Larry's code review - 1 * fixing ordering * Fixing xml when that doesn't contain location (#2119) * Fixing xml when that doesn't contain location * Larry's code review - 1 * removing unused resource * Revert "removing unused resource" This reverts commit 4bbd4d1. 
* Larry's code review - 2 * fixing tests * adding comment why we need this condition * fixing issue with parser * updating tests * checking capacity in AddLocationToResult method * Fixing FileSpecifier for Linux/Windows environment (#2122) * Fixing linux tests * fixing FileSpecifierTests * fixing files * replacng \r\n for environment.newline * Enforcing file normalization (#2116) * Enforcing file normalization * enforcing header * reverting * enforcing file normalization * ignoring cs15xx for autogenerated files * removing editorconfig from autogerated folder * applying format * Enabling dotnet-format in pipeline (#2123) updating script to execute every time using windows environment updating path * Reversion to 2.3.8. (#2125) * Reversion to 2.3.8. * fixing grouping + end of line in versionConstants file Co-authored-by: Eddy Nakamura <eddynaka@gmail.com> Co-authored-by: Eddy Nakamura <ednakamu@microsoft.com> * Updating badge and pre-requisites to build sarif-sdk (#2126) * Improve FileRegionsCache testability (#2131) * Improve FileRegionsCache testability * updating release history * Revert "updating release history" This reverts commit 0d79902. * Merge correct current JSON1002 expected (one result) * Fix Skimmer translation to be more consistent with previous conversion. DefaultConfiguration needs to be initialized. Pass additional arguments down to Skimmer.BuildRule(). * Set hint to serialize Result.Locations when empty. * Update SARIF1004 Invalid example so input has same attribute order as roundtripped version after PrereleaseTransformer. Newtonsoft seems to usually put "originalUriBaseIds" in the same order as the Run class declarations (and the schema from which it was generated) but not in this particular case. Co-authored-by: Michael C. 
Fanning <michael.fanning@microsoft.com> Co-authored-by: Harleen Kaur Kohli <hakohli@microsoft.com> Co-authored-by: Larry Golding <lgolding@microsoft.com> Co-authored-by: Eddy Nakamura <eddynaka@gmail.com> Co-authored-by: Larry Golding <lgolding@comcast.net> Co-authored-by: Jeff King <jeffking@gmail.com> Co-authored-by: Larry Golding (Myriad Consulting Inc) <v-lgold@microsoft.com> Co-authored-by: Michael Fanning <mikefan@microsoft.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: rtaket <rtaket@microsoft.com> Co-authored-by: tosmolka <37370256+tosmolka@users.noreply.github.com> Co-authored-by: Justin Hutchings <jhutchings1@users.noreply.github.com> Co-authored-by: Chris Raynor <cbraynor@github.com> Co-authored-by: Eddy Nakamura <ednakamu@microsoft.com>
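Three of the validation changes in the commit log above describe concrete checks on a SARIF log: the configurable version-property set and `informationUri` requirement of `SARIF2005.ProvideToolProperties` (#2044), the `name`/`helpUri` checks of `SARIF2012.ProvideRuleProperties` (#2031), and the warning for a leading `/` in a relative artifact location URI (#2095). The following is an added example written for this page, not code from the SARIF SDK (whose validator is C#): a small Python validator that applies those three checks to a constructed SARIF log. The `Finding` and `ToolPropertiesConfig` types, the function names and the rule id `LEADING-SLASH` for the third check are assumptions of this example; only `SARIF2005` and `SARIF2012` are ids taken from the page.

```python
"""Mini SARIF validator illustrating three checks from the commit log.

Added example for this page; not the SARIF SDK's own implementation.
"""
import json
import re
from dataclasses import dataclass
from typing import List

# SARIF2012 asks that a rule name be a single Pascal case identifier.
PASCAL_CASE_IDENTIFIER = re.compile(r"^[A-Z][A-Za-z0-9]*$")


@dataclass(frozen=True)
class Finding:
    rule_id: str   # validation rule that fired
    path: str      # JSON path of the offending node
    message: str


@dataclass(frozen=True)
class ToolPropertiesConfig:
    """Configuration mirroring the SARIF2005 description in the commit log:
    which version properties are accepted, and whether informationUri is required.
    (Hypothetical type; the SDK exposes this through rule configuration.)"""
    accepted_version_properties: frozenset = frozenset(
        {"version", "semanticVersion", "dottedQuadFileVersion"})
    require_information_uri: bool = True


def check_tool_properties(run: dict, run_index: int,
                          config: ToolPropertiesConfig) -> List[Finding]:
    """SARIF2005-style check on run.tool.driver."""
    driver = run.get("tool", {}).get("driver", {})
    path = f"runs[{run_index}].tool.driver"
    findings = []
    if not any(driver.get(p) for p in config.accepted_version_properties):
        findings.append(Finding("SARIF2005", path, "no version property present; expected one of: "
                                + ", ".join(sorted(config.accepted_version_properties))))
    if config.require_information_uri and not driver.get("informationUri"):
        findings.append(Finding("SARIF2005", path, "informationUri is missing"))
    return findings


def check_rule_properties(run: dict, run_index: int) -> List[Finding]:
    """SARIF2012-style check: every rule needs a Pascal case name and a helpUri."""
    findings = []
    for i, rule in enumerate(run.get("tool", {}).get("driver", {}).get("rules", [])):
        path = f"runs[{run_index}].tool.driver.rules[{i}]"
        name = rule.get("name")
        if not name:
            findings.append(Finding("SARIF2012", path, "rule has no name"))
        elif not PASCAL_CASE_IDENTIFIER.match(name):
            findings.append(Finding("SARIF2012", path,
                                    f"rule name {name!r} is not a single Pascal case identifier"))
        if not rule.get("helpUri"):
            findings.append(Finding("SARIF2012", path, "rule has no helpUri"))
    return findings


def check_leading_slash(run: dict, run_index: int) -> List[Finding]:
    """Warn when a URI that is relative to a uriBaseId starts with '/' (issue #2090).
    Resolving '/src/x' against a base URI discards the base path, so the reference
    silently points somewhere other than the author intended."""
    findings = []
    for i, result in enumerate(run.get("results", [])):
        for j, loc in enumerate(result.get("locations", [])):
            art = loc.get("physicalLocation", {}).get("artifactLocation", {})
            if "uriBaseId" in art and art.get("uri", "").startswith("/"):
                findings.append(Finding(
                    "LEADING-SLASH",  # hypothetical id; the page does not name the SDK's rule
                    f"runs[{run_index}].results[{i}].locations[{j}].physicalLocation.artifactLocation",
                    f"relative uri {art['uri']!r} must not start with '/'"))
    return findings


def validate(sarif_text: str,
             config: ToolPropertiesConfig = ToolPropertiesConfig()) -> List[Finding]:
    """Run all three checks over every run in a SARIF log given as JSON text."""
    log = json.loads(sarif_text)
    findings: List[Finding] = []
    for idx, run in enumerate(log.get("runs", [])):
        findings += check_tool_properties(run, idx, config)
        findings += check_rule_properties(run, idx)
        findings += check_leading_slash(run, idx)
    return findings


# Constructed sample log: version satisfied only by dottedQuadFileVersion, no
# informationUri, one well-formed rule and one malformed rule, and a relative
# URI with a leading slash.
SAMPLE_LOG = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "ExampleAnalyzer",
            "dottedQuadFileVersion": "1.2.3.4",
            "rules": [
                {"id": "EX0001", "name": "ProvideSchema",
                 "helpUri": "https://example.invalid/rules/EX0001"},
                {"id": "EX0002", "name": "provide schema"},
            ],
        }},
        "results": [{
            "ruleId": "EX0002",
            "message": {"text": "constructed result"},
            "locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "/src/main.c", "uriBaseId": "SRCROOT"}}}],
        }],
    }],
})

if __name__ == "__main__":
    for f in validate(SAMPLE_LOG):
        print(f"{f.rule_id}: {f.path}: {f.message}")
```

Switching `require_information_uri` off or narrowing `accepted_version_properties` to `{"version"}` changes only the `SARIF2005` findings, which is the configurability the commit describes; the sample's `dottedQuadFileVersion` satisfies the default set but not the narrowed one.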
NOTE: Possible issue on how to write tests for one of the rules (See comments)
In this PR: