FEATURE: Add --normalize-for-ghas argument to the rewrite command
#2581
Conversation
shaopeng-gh
requested review from
michaelcfanning,
EasyRhinoMSFT,
marmegh and
cfaucon
as code owners
| } | ||
|
|
||
| node.Results = errors; | ||
| } |
There was a problem hiding this comment.
please also see the test file "NonErrorResults.sarif'.
This does not seem right, why do we want to remove warning results?
#Closed
There was a problem hiding this comment.
Perhaps GitHub only used to process errors? Have you tested this in their system?
There was a problem hiding this comment.
This is from the current SDK repo:
and also those linters works I had been using warning to upload to GHAS, shows similar to above.
| @@ -16,5 +16,33 @@ public class RewriteOptions : SingleFileOptionsBase | |||
| Default = false, | |||
| HelpText = "Sort results in the final output file.")] | |||
| public bool SortResults { get; set; } | |||
|
|
|||
| [Option( | |||
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| this.run.Tool.Driver.GlobalMessageStrings?.TryGetValue(node.Id, out formatString) == true) | ||
| { | ||
| node.Text = node.Arguments?.Count > 0 | ||
| ? string.Format(CultureInfo.CurrentCulture, formatString.Text, node.Arguments.ToArray()) |
Check warning
Code scanning / CodeQL
Dereferenced variable may be null
There was a problem hiding this comment.
Seems like a false alarm to me
| } | ||
| } | ||
| ], | ||
| "artifacts": [ |
| { | ||
| if (node.Text == null) | ||
| { | ||
| ReportingDescriptor rule = this.ruleIndex != -1 ? this.run.Tool.Driver.Rules[this.ruleIndex] : null; |
There was a problem hiding this comment.
This doesn't fully implement SARIF-2.1.0 §3.11.7 Message string lookup. I think this won't find messages of tool extensions. #Resolved
There was a problem hiding this comment.
you are correct, created an issue to track.
| node.Text = node.Arguments?.Count > 0 | ||
| ? rule.Format(node.Id, node.Arguments) | ||
| : formatString?.Text; |
There was a problem hiding this comment.
If the result of string.Format still contains substrings like "{0}", should this double the braces, in order to prevent the SARIF consumer from treating those as placeholders and attempting to expand them again? Also, should this reset node.Arguments to null? #Resolved
There was a problem hiding this comment.
the result is put in .Text.
.Text is for plain text, consumer should not try to expand any placeholders in it.
should this reset node.Arguments to null ---- currently, .text is added side by side with .id and .arguments.
The information is duplicated, the benefit is we can un-flatten if needed by simply remove the .text field.
There was a problem hiding this comment.
.Textis for plain text, consumer should not try to expand any placeholders in it.
That's not how I read the standard.
-
SARIF-2.1.0 §3.11.8 (text property): "A
messageobject MAY contain a property namedtextwhose value is a non-empty string containing a plain text message (§3.11.3)." -
SARIF-2.1.0 §3.11.3 (Plain text messages): "The message string MAY contain placeholders (§3.11.5) and embedded links (§3.11.6)."
So the text property of a message object may contain placeholders. Does the SARIF consumer in GitHub Advanced Security deviate from the standard in this respect?
There was a problem hiding this comment.
With more reading I think you are right! The Text can contain placeholder again!
Within both plain text and formatted message strings, the characters “{” and “}” SHALL be represented by the character sequences “{{” and “}}” respectively. ----- so, I think I will replace { with {{ and } with }}, let me know if sounds good to you.
There was a problem hiding this comment.
I will replace { with {{ and } with }} -- this is done and updated the test case.
| this.run.Tool.Driver.GlobalMessageStrings?.TryGetValue(node.Id, out formatString) == true) | ||
| { | ||
| node.Text = node.Arguments?.Count > 0 | ||
| ? string.Format(CultureInfo.CurrentCulture, formatString.Text, node.Arguments.ToArray()) |
There was a problem hiding this comment.
Seems like a false alarm to me
| @@ -161,6 +138,32 @@ public override Result VisitResult(Result node) | |||
| return base.VisitResult(node); | |||
| } | |||
|
|
|||
| public override Message VisitMessage(Message node) | |||
| { | |||
| if (node.Text == null) | |||
There was a problem hiding this comment.
Does this need the same for node.Markdown? #Closed
There was a problem hiding this comment.
this is form GitHub, I think GitHub requires .Text only
src/ReleaseHistory.md
Outdated
| @@ -12,6 +12,7 @@ | |||
| * BUGFIX: Eliminate `IOException` and `DirectoryNotFoundException` exceptions thrown by `merge` command when splitting by rule (due to invalid file characters in rule ids). [#2513](https://github.com/microsoft/sarif-sdk/pull/2513) | |||
| * BUGFIX: Fix classes inside NotYetAutoGenerated folder missing `virtual` keyword for public methods and properties, by regenerate and manually sync the changes. [#2537](https://github.com/microsoft/sarif-sdk/pull/2537) | |||
| * FEATURE: Allow external set of `MaxFileSizeInKilobytes`, which will allow SDK users to change the value. (Default value is 1024) [#2578](https://github.com/microsoft/sarif-sdk/pull/2578) | |||
| * FEATURE: Add `--normalize-for-github` argument to the `rewrite` command to get GitHub supported SARIF format. [#2581](https://github.com/microsoft/sarif-sdk/pull/2581) | |||
There was a problem hiding this comment.
Good release note item but let me add a bit more detail, try this:
- FEATURE: Add
--normalize-for-githubargument to therewritecommand to ensure rewritten SARIF is compatible with GitHub Advanced Security ingestion requirements. #2581 #Closed
| this.artifacts = node.Artifacts; | ||
| this.threadFlowLocations = node.ThreadFlowLocations; | ||
|
|
||
| if (node.Results != null) | ||
| { | ||
| int errorsCount = 0; |
There was a problem hiding this comment.
yes i think it supports warning, please see my other reply with screenshot.
| @@ -144,6 +119,8 @@ | |||
|
|
|||
| public override Result VisitResult(Result node) | |||
| { | |||
| this.ruleIndex = node.RuleIndex; | |||
|
|
|||
| if (node.Fingerprints != null) | |||
| { | |||
| // GitHub appears to require that fingerprints be emitted to the | |||
There was a problem hiding this comment.
We have a message string look-up helper that you should use. As Kalle notes, this is a pretty complex operation.
OK, I see you grabbed this code from the insert optional data visitor. We shouldn't copy code like this, minimally, it should be in a common helper somewhere (you could have created a static in the other visitor, for example).
Let me keep looking for a better helper, I could swear we have one. #Closed
There was a problem hiding this comment.
OK, nope. It appears that we don't. So the correct course here is to please create a common helper for both this code and the insert optional data visitor to call. Second, create an issue for the problem that Kalle notes: 'Message creation logic does not properly search tool extensions for format strings.'
There was a problem hiding this comment.
got it, will work on this.
There was a problem hiding this comment.
done both add helper method and create an issue
#2582
| @@ -64,6 +65,25 @@ public int Run(RewriteOptions options) | |||
| reformattedLog = new SortingVisitor().VisitSarifLog(reformattedLog); | |||
| } | |||
|
|
|||
| if (options.NormalizeForGitHub) | |||
| { | |||
| if ((reformattedLog.Runs?.Any(r => r.Artifacts?.Any(a => a.Location?.Uri?.IsAbsoluteUri == true) == true) == true) || | |||
There was a problem hiding this comment.
So I don't like these two lines of code which will traverse the log file twice.
Can't we simply invoke the RebaseUriVisitor in cases when those args are non-null.
And then make the GitHubIngestionVisitor throw new arg exception on encountering the any absolute uri as you detect here.
#Closed
There was a problem hiding this comment.
made the suggested change.
Though we can not simply throw in GitHubIngestionVisitor, because it is a same method VisitArtifactLocation to visit both of it in result and also the originalUriBaseIds,
we allow one and not the other to be absolute.
Currently I does not check and throw, let me know your instruction.
|
This pull request fixes 1 alert when merging b17469e into 3fa7f43 - view on LGTM.com fixed alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog. |
shaopeng-gh
requested review from
KalleOlaviNiemitalo and
michaelcfanning
and removed request for
KalleOlaviNiemitalo
| @@ -16,5 +16,33 @@ public class RewriteOptions : SingleFileOptionsBase | |||
| Default = false, | |||
| HelpText = "Sort results in the final output file.")] | |||
| public bool SortResults { get; set; } | |||
|
|
|||
| [Option( | |||
| "normalize-for-github", | |||
There was a problem hiding this comment.
Convert means 'convert from some other non-SARIF format to SARIF.' This operation is a SARIF->SARIF transformation, not a 'conversion'.
One thing, we could use 'normalize-for-ghas' instead as a more precise designation (though 'ghas' may be more opaque to users.
I'm fine with either choice.
There was a problem hiding this comment.
use 'normalize-for-ghas' instead as a more precise designation
---- sounds good, will change it.
There was a problem hiding this comment.
use 'normalize-for-ghas' instead as a more precise designation
---- done.
michaelcfanning
changed the title
--normalize-for-github argument to the rewrite command--normalize-for-ghas argument to the rewrite command
src/ReleaseHistory.md
Outdated
| @@ -28,6 +28,8 @@ | |||
| * FEATURE : Allow initialization of file regions cache in `InsertOptionalDataVisitor` (previously initialized exclusively from `FileRegionsCache.Instance`). | |||
| * FEATURE : Provide 'RuleScanTime` trace and emitted timing data. Provide `ScanExecution` trace with no utilization. | |||
| * FEATURE : Populate associated rule data in `LogToolNotification` as called from `SarifLogger`. [#2604](https://github.com/microsoft/sarif-sdk/pull/2604) | |||
| * FEATURE : Add `--normalize-for-ghas` argument to the `rewrite` command to ensure rewritten SARIF is compatible with GitHub Advanced Security (GHAS) ingestion requirements. [#2581](https://github.com/microsoft/sarif-sdk/pull/2581) | |||
| * BREAKING: Rename `--normalize-for-github` argument to `--normalize-for-ghas` for `convert` command. [#2581](https://github.com/microsoft/sarif-sdk/pull/2581) | |||
| @@ -161,6 +137,15 @@ | |||
| return base.VisitResult(node); | |||
| } | |||
|
|
|||
| public override Message VisitMessage(Message node) | |||
| { | |||
| @@ -144,6 +118,8 @@ | |||
|
|
|||
| public override Result VisitResult(Result node) | |||
| { | |||
| this.ruleIndex = node.RuleIndex; | |||
|
|
|||
| if (node.Fingerprints != null) | |||
| { | |||
| // GitHub appears to require that fingerprints be emitted to the | |||
src/Sarif/Visitors/VisitorHelper.cs
Outdated
| { | ||
| public static class VisitorHelper | ||
| { | ||
| public static void FlattenMessage(Message node, int ruleIndex, Run run) |
| @@ -24,8 +24,8 @@ public class ConvertOptions : SingleFileOptionsBase | |||
| public string PluginAssemblyPath { get; set; } | |||
|
|
|||
| [Option( | |||
| "normalize-for-github", | |||
| HelpText = "Normalize converted output to conform to GitHub Advanced Security code scanning ingestion requirements.")] | |||
| public bool NormalizeForGitHub { get; set; } | |||
There was a problem hiding this comment.
let's go and remove it, per hulon.
There was a problem hiding this comment.
added it back as obsolete, per the last decision from Michael:
| @@ -16,5 +16,33 @@ public class RewriteOptions : SingleFileOptionsBase | |||
| Default = false, | |||
| HelpText = "Sort results in the final output file.")] | |||
| public bool SortResults { get; set; } | |||
|
|
|||
| [Option( | |||
| "normalize-for-ghas", | |||
There was a problem hiding this comment.
@shaopeng-gh Sorry if I missed this: this is a required argument?
| @@ -28,6 +28,8 @@ | |||
| * FEATURE : Allow initialization of file regions cache in `InsertOptionalDataVisitor` (previously initialized exclusively from `FileRegionsCache.Instance`). | |||
| * FEATURE : Provide 'RuleScanTime` trace and emitted timing data. Provide `ScanExecution` trace with no utilization. | |||
| * FEATURE : Populate associated rule data in `LogToolNotification` as called from `SarifLogger`. [#2604](https://github.com/microsoft/sarif-sdk/pull/2604) | |||
| * FEATURE : Add `--normalize-for-ghas` argument to the `rewrite` command to ensure rewritten SARIF is compatible with GitHub Advanced Security (GHAS) ingestion requirements. [#2581](https://github.com/microsoft/sarif-sdk/pull/2581) | |||
There was a problem hiding this comment.
@shaopeng-gh Can you add some more details on what these requirements are? That would make the PR self-contained, otherwise it is a little opaque to me why we are making these changes.
There was a problem hiding this comment.
per Yong in the PR meeting, it is from the task
"Binskim action send log file to GHAS".
| @@ -16,5 +16,33 @@ public class RewriteOptions : SingleFileOptionsBase | |||
| Default = false, | |||
| HelpText = "Sort results in the final output file.")] | |||
| public bool SortResults { get; set; } | |||
|
|
|||
| [Option( | |||
| "normalize-for-ghas", | |||
| Default = false, | ||
| HelpText = "All relative uris will be rebased to the base-path-value if true. Default is false." | ||
| )] | ||
| public bool RebaseRelativeUris { get; set; } |
This adds the function to rewrite a SARIF file to meet requirement of GitHub / GHAS.