SARIF 2.1.0 message string lookup #157

Closed
KalleOlaviNiemitalo opened this issue Jul 25, 2022 · 5 comments

KalleOlaviNiemitalo commented Jul 25, 2022

SarifParser does not yet support message objects that lack the text and markdown properties and instead have an id property. It would have to locate the message string that corresponds to the id, as specified in [SARIF-v2.1.0] §3.11.7 Message string lookup.

Sample SARIF log that requires message string lookup
{
  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
  "version": "2.1.0",
  "runs": [
    {
      "results": [
        {
          "ruleId": "SARIF2002",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[0].message"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 11,
                  "startColumn": 22
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2002",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[1].message"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 22,
                  "startColumn": 22
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2002",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[2].message"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 53,
                  "startColumn": 22
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2002",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[3].message"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 79,
                  "startColumn": 22
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2002",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[4].message"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 105,
                  "startColumn": 22
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2002",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[5].message"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 131,
                  "startColumn": 22
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2003",
          "ruleIndex": 1,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0]"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 5,
                  "startColumn": 5
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2005",
          "ruleIndex": 2,
          "message": {
            "id": "Warning_ProvideConciseToolName",
            "arguments": [
              "runs[0].tool.driver.name",
              "Microsoft (R) Visual C# Compiler",
              "5",
              "3"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 156,
                  "startColumn": 52
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2005",
          "ruleIndex": 2,
          "message": {
            "id": "Warning_ProvideToolnformationUri",
            "arguments": [
              "runs[0].tool.driver",
              "Microsoft (R) Visual C# Compiler"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 155,
                  "startColumn": 19
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2010",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[1].locations[0].physicalLocation.region"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 36,
                  "startColumn": 27
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2010",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[2].locations[0].physicalLocation.region"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 62,
                  "startColumn": 27
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2010",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[3].locations[0].physicalLocation.region"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 88,
                  "startColumn": 27
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2010",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[4].locations[0].physicalLocation.region"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 114,
                  "startColumn": 27
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2010",
          "ruleIndex": 3,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[5].locations[0].physicalLocation.region"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 140,
                  "startColumn": 27
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2011",
          "ruleIndex": 4,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[1].locations[0].physicalLocation"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 32,
                  "startColumn": 35
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2011",
          "ruleIndex": 4,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[2].locations[0].physicalLocation"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 58,
                  "startColumn": 35
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2011",
          "ruleIndex": 4,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[3].locations[0].physicalLocation"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 84,
                  "startColumn": 35
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2011",
          "ruleIndex": 4,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[4].locations[0].physicalLocation"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 110,
                  "startColumn": 35
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2011",
          "ruleIndex": 4,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[5].locations[0].physicalLocation"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 136,
                  "startColumn": 35
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2012",
          "ruleIndex": 5,
          "level": "note",
          "message": {
            "id": "Note_ProvideFriendlyName",
            "arguments": [
              "runs[0].tool.driver.rules[0]",
              "CA1014"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 162,
                  "startColumn": 13
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2012",
          "ruleIndex": 5,
          "level": "note",
          "message": {
            "id": "Note_ProvideFriendlyName",
            "arguments": [
              "runs[0].tool.driver.rules[1]",
              "CA1847"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 184,
                  "startColumn": 13
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2012",
          "ruleIndex": 5,
          "level": "note",
          "message": {
            "id": "Note_ProvideFriendlyName",
            "arguments": [
              "runs[0].tool.driver.rules[2]",
              "CA2201"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 204,
                  "startColumn": 13
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2012",
          "ruleIndex": 5,
          "level": "note",
          "message": {
            "id": "Note_ProvideFriendlyName",
            "arguments": [
              "runs[0].tool.driver.rules[3]",
              "CA1305"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 222,
                  "startColumn": 13
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2012",
          "ruleIndex": 5,
          "level": "note",
          "message": {
            "id": "Note_ProvideFriendlyName",
            "arguments": [
              "runs[0].tool.driver.rules[4]",
              "CA1307"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 240,
                  "startColumn": 13
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2012",
          "ruleIndex": 5,
          "level": "note",
          "message": {
            "id": "Note_ProvideFriendlyName",
            "arguments": [
              "runs[0].tool.driver.rules[5]",
              "CA1822"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 261,
                  "startColumn": 13
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2016",
          "ruleIndex": 6,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[1].locations[0].physicalLocation.artifactLocation.uri",
              "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 34,
                  "startColumn": 74
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2016",
          "ruleIndex": 6,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[2].locations[0].physicalLocation.artifactLocation.uri",
              "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 60,
                  "startColumn": 74
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2016",
          "ruleIndex": 6,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[3].locations[0].physicalLocation.artifactLocation.uri",
              "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 86,
                  "startColumn": 74
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2016",
          "ruleIndex": 6,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[4].locations[0].physicalLocation.artifactLocation.uri",
              "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 112,
                  "startColumn": 74
                }
              }
            }
          ]
        },
        {
          "ruleId": "SARIF2016",
          "ruleIndex": 6,
          "level": "note",
          "message": {
            "id": "Note_Default",
            "arguments": [
              "runs[0].results[5].locations[0].physicalLocation.artifactLocation.uri",
              "file:///C:/Projects/SarifCategoryDemo/Class1.cs"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/TEMP/log.sarif",
                  "index": 0
                },
                "region": {
                  "startLine": 138,
                  "startColumn": 74
                }
              }
            }
          ]
        }
      ],
      "tool": {
        "driver": {
          "name": "Sarif.Multitool",
          "organization": "Microsoft",
          "product": "Microsoft SARIF SDK",
          "fullName": "Sarif.Multitool 2.4.16.0",
          "version": "2.4.16.0",
          "semanticVersion": "2.4.16",
          "rules": [
            {
              "id": "SARIF2002",
              "name": "ProvideMessageArguments",
              "fullDescription": {
                "text": "In result messages, use the 'message.id' and 'message.arguments' properties rather than 'message.text'. This has several advantages. If 'text' is lengthy, using 'id' and 'arguments' makes the SARIF file smaller. If the rule metadata is stored externally to the SARIF log file, the message text can be improved (for example, by adding more text, clarifying the phrasing, or fixing typos), and the result messages will pick up the improvements the next time it is displayed. Finally, SARIF supports localizing messages into different languages, which is possible if the SARIF file contains 'message.id' and 'message.arguments', but not if it contains 'message.text' directly."
              },
              "messageStrings": {
                "Note_Default": {
                  "text": "{0}: The 'message' property of this result contains a 'text' property. Consider replacing it with 'id' and 'arguments' properties. This potentially reduces the log file size, allows the message text to be improved without modifying the log file, and enables localization."
                }
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
            },
            {
              "id": "SARIF2003",
              "name": "ProvideVersionControlProvenance",
              "fullDescription": {
                "text": "Provide 'versionControlProvenance' to record which version of the code was analyzed, and to enable paths to be expressed relative to the root of the repository."
              },
              "messageStrings": {
                "Note_Default": {
                  "text": "{0}: This run does not provide 'versionControlProvenance'. As a result, it is not possible to determine which version of code was analyzed, nor to map relative paths to their locations within the repository."
                }
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
            },
            {
              "id": "SARIF2005",
              "name": "ProvideToolProperties",
              "fullDescription": {
                "text": "Provide information that makes it easy to identify the name and version of your tool.\r\n\r\nThe tool's 'name' property should be no more than three words long. This makes it easy to remember and allows it to fit into a narrow column when displaying a list of results. If you need to provide more information about your tool, use the 'fullName' property.\r\n\r\nThe tool should provide either or both of the 'version' and 'semanticVersion' properties. This enables the log file consumer to determine whether the file was produced by an up to date version, and to avoid accidentally comparing log files produced by different tool versions.\r\n\r\nIf 'version' is used, facilitate comparison between versions by specifying a version number that starts with an integer, optionally followed by any desired characters."
              },
              "messageStrings": {
                "Warning_ProvideToolVersion": {
                  "text": "{0}: The tool '{1}' does not provide any of the version-related properties {2}. Providing version information enables the log file consumer to determine whether the file was produced by an up to date version, and to avoid accidentally comparing log files produced by different tool versions."
                },
                "Warning_ProvideConciseToolName": {
                  "text": "{0}: The tool name '{1}' contains {2} words, which is more than the recommended maximum of {3} words. A short tool name is easy to remember and fits into a narrow column when displaying a list of results. If you need to provide more information about your tool, use the 'fullName' property."
                },
                "Warning_UseNumericToolVersions": {
                  "text": "{0}: The tool '{1}' contains the 'version' property '{2}', which is not numeric. To facilitate comparison between versions, specify a 'version' that starts with an integer, optionally followed by any desired characters."
                },
                "Warning_ProvideToolnformationUri": {
                  "text": "{0}: The tool '{1}' does not provide 'informationUri'. This property helps the developer responsible for addessing a result by providing a way to learn more about the tool."
                }
              },
              "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
            },
            {
              "id": "SARIF2010",
              "name": "ProvideCodeSnippets",
              "fullDescription": {
                "text": "Provide code snippets to enable users to see the code that triggered each result, even if they are not enlisted in the code."
              },
              "messageStrings": {
                "Note_Default": {
                  "text": "{0}: The 'region' object in this result location does not provide a 'snippet' property. Providing a code snippet enables users to see the code that triggered the result, even if they are not enlisted in the code."
                }
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
            },
            {
              "id": "SARIF2011",
              "name": "ProvideContextRegion",
              "fullDescription": {
                "text": "Provide context regions to enable users to see a portion of the code that surrounds each result, even if they are not enlisted in the code."
              },
              "messageStrings": {
                "Note_Default": {
                  "text": "{0}: This result location does not provide a 'contextRegion' property. Providing a context region enables users to see a portion of the code that surrounds the result, even if they are not enlisted in the code."
                }
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
            },
            {
              "id": "SARIF2012",
              "name": "ProvideRuleProperties",
              "fullDescription": {
                "text": "Rule metadata should provide information that makes it easy to understand and fix the problem.\r\n\r\nProvide the 'name' property, which contains a \"friendly name\" that helps users see at a glance the purpose of the rule. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'.\r\n\r\nProvide the 'helpUri' property, which contains a URI where users can find detailed information about the rule. This information should include a detailed description of the invalid pattern, an explanation of why the pattern is poor practice (particularly in contexts such as security or accessibility where driving considerations might not be readily apparent), guidance for resolving the problem (including describing circumstances in which ignoring the problem altogether might be appropriate), examples of invalid and valid patterns, and special considerations (such as noting when a violation should never be ignored or suppressed, noting when a violation could cause downstream tool noise, and noting when a rule can be configured in some way to refine or alter the analysis)."
              },
              "messageStrings": {
                "Note_FriendlyNameNotAPascalIdentifier": {
                  "text": "{0}: '{1}' is not a Pascal-case identifier. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'."
                },
                "Note_ProvideFriendlyName": {
                  "text": "{0}: The rule '{1}' does not provide a \"friendly name\" in its 'name' property. The friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName', that helps users see at a glance the purpose of the analysis rule."
                },
                "Note_ProvideHelpUri": {
                  "text": "{0}: The rule '{1}' does not provide a help URI. Providing a URI where users can find detailed information about the rule helps users to understand the result and how they can best address it."
                },
                "Note_ProvideMetadataForAllViolatedRules": {
                  "text": "'{0}' does not provide a 'rules' property. 'rules' contain information that helps users understand why each rule fires and what the user can do to fix it."
                },
                "Note_ProvideRuleMetadata": {
                  "text": "'{0}' does not provide metadata for rule '{1}'. Rule metadata contains information that helps the user understand why each rule fires and what the user can do to fix it."
                }
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
            },
            {
              "id": "SARIF2016",
              "name": "FileUrisShouldBeRelative",
              "fullDescription": {
                "text": "When an artifact location refers to a file on the local file system, specify a relative reference for the uri property and provide a uriBaseId property, rather than specifying an absolute URI.\r\n\r\nThere are several advantages to this approach:\r\n\r\nPortability: A log file that contains relative references together with uriBaseI properties can be interpreted on a machine where the files are located at a different absolute location.\r\n\r\nDeterminism: A log file that uses uriBaseId properties has a better chance of being 'deterministic'; that is, of being identical from run to run if none of its inputs have changed, even if those runs occur on machines where the files are located at different absolute locations.\r\n\r\nSecurity: The use of uriBaseId properties avoids the persistence of absolute path names in the log file. Absolute path names can reveal information that might be sensitive.\r\n\r\nSemantics: Assuming the reader of the log file (an end user or another tool) has the necessary context, they can understand the meaning of the location specified by the uri property, for example, 'this is a source file'."
              },
              "messageStrings": {
                "Note_Default": {
                  "text": "{0}: The file location '{1}' is specified with absolute URI. Prefer a relative reference together with a uriBaseId property."
                },
                "Note_ShouldNotContainBackSlash": {
                  "text": "{0}: The relative file URL '{1}' contains one or more backslashes, which will be preserved when concatenating to an absolute URL. This can result in inconsistent representations, compared to URLs created from an absolute file path, which may be regarded as not equivalent. Replace all backslashes with forward slashes."
                },
                "Note_ShouldNotStartWithSlash": {
                  "text": "{0}: The relative file URL '{1}' is prefixed with a leading slash, which can lead to unintended behavior when concatenating with absolute URLs. Remove the leading slash."
                }
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
            }
          ],
          "properties": {
            "Comments": "Command line tool to manipulate SARIF files."
          }
        }
      },
      "invocations": [
        {
          "startTimeUtc": "2022-07-25T10:02:48.492Z",
          "endTimeUtc": "2022-07-25T10:02:52.300Z",
          "executionSuccessful": true
        }
      ],
      "artifacts": [
        {
          "location": {
            "uri": "file:///C:/TEMP/log.sarif"
          }
        }
      ],
      "columnKind": "utf16CodeUnits"
    }
  ]
}

(This log was generated by running the https://github.com/microsoft/sarif-sdk/ validator on the SARIF log in #155 (comment). The SARIF2002 notes recommend formatting SARIF logs in such a way that they require message string lookup.)

@KalleOlaviNiemitalo
Author

This will require the reportingDescriptor lookup mentioned in #154 (comment). There might be many reportingDescriptor objects with the same reportingDescriptor.id, and the SARIF consumer needs to use result.ruleIndex or reportingDescriptorReference.index to choose the correct reportingDescriptor object, so that it can locate the multiFormatMessageString object in the reportingDescriptor.messageStrings property. The identifiers of messages are not necessarily unique across reportingDescriptor objects; the validator in https://github.com/microsoft/sarif-sdk/ uses "Note_Default" for many different messages.
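A worked resolver for the lookup described above, as an added example that is not part of this issue or the project's own code. The embedded log and the function names are constructed for illustration: the log deliberately contains two rules with the same `id` so that `result.ruleIndex` (or `result.rule.index`) is needed to pick the right `reportingDescriptor`, a `message.id` that is missing from the rule's `messageStrings` and falls back to the tool component's `globalMessageStrings`, and escaped braces (`{{`/`}}`) that must survive placeholder replacement as literal braces. Arguments such as `runs[0].tool.driver.rules[5]` are substituted as plain text.

```python
"""SARIF 2.1.0 message string lookup (section 3.11.7) over a constructed log.

Added example; not the project's code. SAMPLE_LOG and the helper names are
constructed for this illustration.
"""
import json
import re

# Constructed log: rules[0] and rules[1] share the id "SARIF2002", so a
# consumer that matched on ruleId alone could pick the wrong messageStrings.
SAMPLE_LOG = json.loads(r'''{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {
      "name": "constructed-validator",
      "globalMessageStrings": {"Global_Default": {"text": "Global message for '{0}'."}},
      "rules": [
        {"id": "SARIF2002", "messageStrings": {"Note_Default": {"text": "{0}: Use message string lookup (rule #0)."}}},
        {"id": "SARIF2002", "messageStrings": {"Note_Default": {"text": "{0}: Use message string lookup (rule #1)."}}},
        {"id": "SARIF2016", "messageStrings": {"Note_Default": {"text": "{0}: The file location '{1}' is absolute {{literal braces}}."}}}
      ]
    }},
    "results": [
      {"ruleId": "SARIF2002", "ruleIndex": 1,
       "message": {"id": "Note_Default", "arguments": ["runs[0].tool.driver.rules[5]"]}},
      {"ruleId": "SARIF2016", "rule": {"index": 2},
       "message": {"id": "Note_Default", "arguments": ["runs[0].results[1]", "file:///C:/TEMP/log.sarif"]}},
      {"ruleId": "SARIF2016", "message": {"text": "Plain text wins over id."}},
      {"ruleId": "SARIF2002", "ruleIndex": 0,
       "message": {"id": "Global_Default", "arguments": ["x"]}}
    ]
  }]
}''')

# "{{" and "}}" are literal braces; "{n}" is replaced by arguments[n].
_PLACEHOLDER = re.compile(r"\{\{|\}\}|\{(\d+)\}")


def format_message(template, arguments):
    """Substitute positional placeholders; arguments are inserted as plain text."""
    def repl(match):
        token = match.group(0)
        if token == "{{":
            return "{"
        if token == "}}":
            return "}"
        index = int(match.group(1))
        if index >= len(arguments):
            raise ValueError(f"placeholder {{{index}}} has no matching argument")
        return str(arguments[index])
    return _PLACEHOLDER.sub(repl, template)


def find_rule(run, result):
    """Select the reportingDescriptor for a result, honouring the explicit index."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    index = result.get("ruleIndex")
    if index is None or index < 0:            # -1 means "not specified"
        index = result.get("rule", {}).get("index")
    if index is not None and index >= 0:
        return rules[index]
    # No index: fall back to ruleId only when exactly one rule carries it,
    # because rule ids need not be unique within a tool component.
    candidates = [r for r in rules if r.get("id") == result.get("ruleId")]
    return candidates[0] if len(candidates) == 1 else None


def resolve_message_text(run, result):
    """Return the plain-text message for a result, resolving message.id if needed."""
    message = result.get("message", {})
    if "text" in message:                      # text is authoritative when present
        return message["text"]
    message_id = message.get("id")
    if message_id is None:
        raise ValueError("message object has neither 'text' nor 'id'")
    template = None
    rule = find_rule(run, result)
    if rule is not None:
        template = rule.get("messageStrings", {}).get(message_id, {}).get("text")
    if template is None:                       # fall back to the tool component
        driver = run.get("tool", {}).get("driver", {})
        template = driver.get("globalMessageStrings", {}).get(message_id, {}).get("text")
    if template is None:
        raise KeyError(f"no message string found for id {message_id!r}")
    return format_message(template, message.get("arguments", []))


def resolve_all(log):
    """Resolve every result message in every run of a parsed SARIF log."""
    return [resolve_message_text(run, result)
            for run in log["runs"] for result in run.get("results", [])]


if __name__ == "__main__":
    for text in resolve_all(SAMPLE_LOG):
        print(text)
```

`find_rule` returns `None` for a result that carries only an ambiguous `ruleId`, so the caller gets a clear `KeyError` instead of the wrong rule's message, which is the failure mode the comment above warns about.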

@tomasbjerre
Owner

I implemented this now. Not really sure how to handle the references within the arguments, like runs[0].tool.driver.rules[5].

@KalleOlaviNiemitalo
Author

Those should just be displayed as text. If the SARIF producer wants them to be displayed as hyperlinks, it needs to use Markdown link syntax and a separate object to refer to the link target.

@KalleOlaviNiemitalo
Author

For hyperlinks to the analyzed files, the SARIF producer can use location objects as described in SARIF-v2.1.0 section 3.11.6. Syntax like runs[0].results[1].locations[0].physicalLocation.region might then be used in a logicalLocation object.

For hyperlinks to objects in the SARIF log that contains the hyperlinks, the SARIF producer can use the sarif: URI scheme.

@tomasbjerre
Owner

I think this is fixed.
