Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Associate descriptor metadata with thread flow locations #381

Closed
michaelcfanning opened this issue Apr 17, 2019 · 3 comments
Closed

Associate descriptor metadata with thread flow locations #381

michaelcfanning opened this issue Apr 17, 2019 · 3 comments
Labels
2.1.0-CSD.1 Will be fixed in SARIF v2.1.0 CSD.1. design-approved The TC approved the design and I can write the change draft enhancement impact-non-breaking-change merged Changes merged into provisional draft. resolved-fixed

Comments

@michaelcfanning
Copy link
Contributor

michaelcfanning commented Apr 17, 2019
edited by ghost

TC approves:

Add threadFlowLocation.taxa, an array of reportingDescriptorReferences, the default location of which (in case where only the RDR index is provided) is the relevant tool component rules data.
@michaelcfanning
Copy link
Contributor Author

michaelcfanning commented Apr 17, 2019
edited by ghost

@lgolding to author example using MicroFocus inputs. Follow up with Chris Meyer and Scott Louvau to get substantive examples.

From Larry: I got the sample from Yekaterina. Our design will work. I'll author the example as I write the spec text.

@ghost ghost self-assigned this Apr 17, 2019
@ghost ghost added 2.1.0-CSD.1 Will be fixed in SARIF v2.1.0 CSD.1. design-approved The TC approved the design and I can write the change draft enhancement impact-non-breaking-change to-be-written labels Apr 17, 2019
@ghost ghost changed the title Expand ability to associate reporting metadata with thread flow locations Associate descriptor metadata with thread flow locations Apr 17, 2019
@michaelcfanning michaelcfanning mentioned this issue Apr 17, 2019
Merged
@ghost ghost mentioned this issue Apr 18, 2019
Closed
ghost pushed a commit that referenced this issue Apr 18, 2019
Change draft + merge for #383, Yekaterina's feedback
655dfe6 
This draft contains only the editorial changes. I opened separate issues
#381 and #390 for her substantive suggestions.
@ghost ghost removed the schema-todo label Apr 25, 2019
ghost pushed a commit that referenced this issue Apr 25, 2019
Change draft + merge for #381, threadFlowLocation taxa (helper rules).
5bf3426
@ghost ghost added merged Changes merged into provisional draft. resolved-fixed and removed to-be-written labels Apr 25, 2019
@ghost
Copy link

ghost commented Apr 25, 2019

For completeness, here's the sample:

{                                # A run object (§3.14).
  "tool": {                      # See §3.14.6.
    "driver": {
      "name": "TaintDetector",
      "rules": [
        {
          "id": "TD0001",
          "name": "UntrustedDataStoredInDatabase",
          "shortDescription": {
            "text": "Data from an untrusted source was stored in a database."
          }
        },
        ...
      ],
      "taxa": [                  # Custom taxonomy (§3.19.3) for helper rules.
        {                        # A reportingDescriptor object (§3.48).
          "id": "HR0001",
          "name": "SubstrPropogatesTaint",
          "shortDescription": {
            "text": "If the input to String.Substr is tainted,
                     so is the return value."
          }
        },
        ...
      ]
    }
  },

  "results": [                   # See §3.14.22.
    {                            # A result object §3.26.
      "ruleId": "TD0001",
      ...
      "codeFlows": [             # See §3.26.18.
        {                        # A codeFlow object (§3.35).
          "threadFlows": [       # See §3.35.3.
            {                    # A threadFlow object (§3.36).
              "locations": [     # See §3.36.6.
                ...
                {                # A threadFlowLocation object.
                  "location": {  # See §3.37.3.
                    "physicalLocation": {
                      "artifactLocation": {
                        "uri": "io/input.c",
                        "uriBaseId": "SRCROOT"
                      },
                      "region": {
                        "startLine": 32
                      }
                    }
                  },
                  "taxa": [
                    {        # A reportingDescriptorReference object (§3.51).
                      "id": "TD0001",
                      "index": 0
                    }
                  ]
                },
                ...
              ]
            }
          ]
        }
      ]
    }
  ]
}

@ghost ghost closed this as completed Apr 25, 2019
@kupsch
Copy link

kupsch commented Apr 26, 2019

In the example above and in the draft for 381, should the taxa id value in the threadFlow be "HD0001" not "TD0001"?

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2.1.0-CSD.1 Will be fixed in SARIF v2.1.0 CSD.1. design-approved The TC approved the design and I can write the change draft enhancement impact-non-breaking-change merged Changes merged into provisional draft. resolved-fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@michaelcfanning @kupsch