-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make result.ruleId a hierarchical string to accommodate "sub-rules" #146
Comments
I will propose a format for this soon. |
Simplest idea here would be to allow for the id to be a hierarchical string. We should perform some due diligence to make sure this doesn't break current static analysis providers. |
@lgolding, can we author a change draft for this triage-approved item, at your convenience? |
I marked it |
This is a good idea. There are some complications to consider:
Or is it ok to do this:
The latter has the disadvantage that the producer needs to make sure that the message arguments are consistent with the specified sub-rule. |
Following up on point #3 above, some rule metadata might be common to all the sub-rules. Is it ok to do the following, which would require the
|
My opinions are:
The advantage of my answers to #2 and #3 is that it's the simplest to implement, and if we change our mind later, it's a non-breaking change. |
FxCop.DoNotUseBrokenCryptopgraphyAlgorithms.Md5 is what FxCop refers to as a readable id. That is, it is intended to function as an opaque rule id does but also encode some readable information on the function of the rule. You're right, of course, rule.name is the SARIF place where this data would be persisted. Let me clarify the request, which is for the result only to provide the ability to further qualify a result so that a more precise suppression can be applied. The request isn't intended to allow further granularity to be provided when populating the rules table. IOW, you have proposed a new feature request. :) If you think this is valuable, create a tracking issue. Here's the precise scenario this issue addresses:
See the SuppressMessageAttribute.MessageId property for an explanation of the scenario. https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.suppressmessageattribute.messageid?view=netframework-4.7.2 This doc makes it clearer than I have that this sub-id is a qualifier on the message itself. Imagine a second scenario 'DoNotUseDangerousApi', which flags call sites to both strcpy and memcpy. In this case, you could use the API name as a way to create more suppressions precision, DoNotUserDangerousApi/memcpy and DoNotUseDangerousApi/strlen. As always, a suppression can also be viewed as a configuration. i.e., you could imagine configuring a rule not to fire for DoNotUseDangerousApi/memcpy. |
btw - if all the above isn't very clear or if our lack of clarity has opened new design fronts you'd like to pursue, we can table this issue for tomorrow's TC. |
I get it. So in Visual Studio, if you right-clicked a result whose
I'm curious how the Error List would know to populate the |
@michaelcfanning I'm going to start writing this, but please do take a look at my most recent comment, which asks how the"selective in-source suppression mechanism" that you describe in a previous comment would work in VS. |
Changes merged to provisional draft. |
Consider this case, a check such as 'Do Not Use Broken Cryptography Algorithms'. This check flags both Md5 and Sha1 usage. A method contains references to both algorithms. The user would like to suppress the MD5 use (because it is simply used for fast hashing purposes in a non-cryptographic context) without suppressing the SHA1 use (which, in fact, needs to be changed).
For this case, a baselining system needs to qualify the rule id that is used to create the suppression, for example:
FxCop.DoNotUseBrokenCryptopgraphyAlgorithms.Md5
Note that we previously used the 'toolFingerprintContribution' for this data. This concept really is a qualification of the rule id, however. Consider how this compares to an actual fingerprint contribution (such as when a tool grabs an encapsulating region of text surrounding an issue). The latter is, in fact, a partial fingerprint. The rule qualifier is a subtly different idea.
The text was updated successfully, but these errors were encountered: