sarif: initial implementation of csdiff fingerprints #168
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Mar 29, 2024
It hashes the data that csdiff uses in its matching algorithm and the line content without spaces. For this fingerprint to be computed, the results need to include the line content for the key event in the format produced by `csgrep --embed-context`. Related: https://issues.redhat.com/browse/OSH-9 Resolves: csutils#98 Closes: csutils#168
kdudka
force-pushed
the
sarif-fingerprints
branch
from
73afae8
to
9ef8967
Compare
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Apr 1, 2024
kdudka
force-pushed
the
sarif-fingerprints
branch
from
4364c7d
to
4e4c284
Compare
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Apr 1, 2024
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Apr 1, 2024
kdudka
force-pushed
the
sarif-fingerprints
branch
from
4e4c284
to
d6af004
Compare
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Apr 1, 2024
kdudka
force-pushed
the
sarif-fingerprints
branch
2 times, most recently
from
53621d0
to
05db189
Compare
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Apr 1, 2024
kdudka
force-pushed
the
sarif-fingerprints
branch
from
05db189
to
1197c75
Compare
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Apr 9, 2024
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Apr 19, 2024
kdudka
force-pushed
the
sarif-fingerprints
branch
from
1197c75
to
0308d93
Compare
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Apr 23, 2024
kdudka
force-pushed
the
sarif-fingerprints
branch
from
0308d93
to
596864f
Compare
kdudka
added a commit
to kdudka/csdiff
that referenced
this pull request
Apr 23, 2024
kdudka
force-pushed
the
sarif-fingerprints
branch
from
596864f
to
b463599
Compare
|
Great example when codeql fingerprints work: ✋ Defects, NEEDS INSPECTION
Error: SHELLCHECK_WARNING:
./src/functions.sh:309:46: warning[SC2154]: GITHUB_REF is referenced but not assigned.
# 306| uploadSARIF () {
# 307| is_debug && local verbose=--verbose
# 308|
# 309|-> echo '{"commit_oid":"'"${HEAD}"'","ref":"'"${GITHUB_REF//merge/head}"'","analysis_key":"differential-shellcheck","sarif":"'"$(gzip -c output.sarif | base64 -w0)"'","tool_names":["differential-shellcheck"]}' > payload.json
# 310|
# 311| local curl_args=(
# 312| "${verbose:---silent}"
Error: SHELLCHECK_WARNING:
./src/functions.sh:331:24: info[SC2312]: Consider invoking this command separately to avoid masking its return value (or use '|| true' to ignore).
# 328|
# 329| get_shellcheck_version () {
# 330| local shellcheck_version
# 331|-> shellcheck_version=$(shellcheck --version | grep -w "version:" | cut -s -d ' ' -f 2)
# 332|
# 333| echo "${shellcheck_version}"
# 334| }
Error: SHELLCHECK_WARNING:
./src/functions.sh:331:47: info[SC2312]: Consider invoking this command separately to avoid masking its return value (or use '|| true' to ignore).
# 328|
# 329| get_shellcheck_version () {
# 330| local shellcheck_version
# 331|-> shellcheck_version=$(shellcheck --version | grep -w "version:" | cut -s -d ' ' -f 2)
# 332|
# 333| echo "${shellcheck_version}"
# 334| }The code hasn't changed for the last two defects, but they were still reported by csdiff. I'll try to check if csdiff fingerprints would give the same results as codeql. |
|
Here is the You should be able to reproduce the above situation form: |
kdudka
pushed a commit
to kdudka/csdiff
that referenced
this pull request
Apr 26, 2024
... taken from a real-world example encountered by differential-shellcheck: redhat-plumbers-in-action/differential-shellcheck#376 Related: csutils#98 Closes: csutils#168
kdudka
force-pushed
the
sarif-fingerprints
branch
from
b463599
to
95e35d3
Compare
jamacku
approved these changes
Apr 26, 2024
lzaoral
requested changes
May 2, 2024
kdudka
pushed a commit
to kdudka/csdiff
that referenced
this pull request
May 2, 2024
... taken from a real-world example encountered by differential-shellcheck: redhat-plumbers-in-action/differential-shellcheck#376 Related: csutils#98 Closes: csutils#168
|
Somehow, the comment I've just written is not here. Reposting: |
lzaoral
reviewed
May 2, 2024
lzaoral
approved these changes
May 2, 2024
jamacku
added a commit
to jamacku/differential-shellcheck
that referenced
this pull request
May 3, 2024
This is preparation for Fingerprints that are coming in next version of csdiff. csutils/csdiff#168 > It hashes the data that csdiff uses in its matching algorithm > and the line content without spaces. For this fingerprint to > be computed, the results need to include the line content for > the key event in the format produced by `csgrep --embed-context`.
jamacku
added a commit
to redhat-plumbers-in-action/differential-shellcheck
that referenced
this pull request
May 3, 2024
This is preparation for Fingerprints that are coming in next version of csdiff. csutils/csdiff#168 > It hashes the data that csdiff uses in its matching algorithm > and the line content without spaces. For this fingerprint to > be computed, the results need to include the line content for > the key event in the format produced by `csgrep --embed-context`.
It hashes the data that csdiff uses in its matching algorithm. The interfaces are already prepared for csdiff/v1, which will also take the line content into account when available. From the updated tests it is obvious that these hashes already have numerous collisions on the existing test data. Related: https://issues.redhat.com/browse/OSH-9 Related: csutils#98
It hashes the data that csdiff uses in its matching algorithm and the line content without spaces. For this fingerprint to be computed, the results need to include the line content for the key event in the format produced by `csgrep --embed-context`. Related: https://issues.redhat.com/browse/OSH-9 Resolves: csutils#98
... to make the code easier to follow. No change in behavior intended with this commit. Related: csutils#98
... when the line content in the `csgrep --embed-context` format is available. Out of the 1783 fingerprints generated for the csgrep regression tests we got 115 collisions, which need to be analyzed. Some of them look undesired as, for example: ``` Error: CERT EXP40-C (CWE-758): wget-1.21.1/src/http.c:256: cert_exp40_c_violation: Casting pointer "value" with type "char const *" to type "void *" allows an object defined with a const-qualified type to be modified through use of an lvalue with non-const-qualified type. # 254| release_header (hdr); # 255| hdr->name = (void *)name; # 256|-> hdr->value = (void *)value; # 257| hdr->release_policy = release_policy; # 258| return; Error: CERT EXP40-C (CWE-758): wget-1.21.1/src/http.c:271: cert_exp40_c_violation: Casting pointer "value" with type "char const *" to type "void *" allows an object defined with a const-qualified type to be modified through use of an lvalue with non-const-qualified type. # 269| hdr = &req->headers[req->hcount++]; # 270| hdr->name = (void *)name; # 271|-> hdr->value = (void *)value; # 272| hdr->release_policy = release_policy; # 273| } ``` Related: csutils#98
No change in behavior intended with this commit. Related: csutils#98
... to make the code easier to follow. No change in behavior intended with this commit. Related: csutils#98
kdudka
pushed a commit
to kdudka/csdiff
that referenced
this pull request
May 3, 2024
... taken from a real-world example encountered by differential-shellcheck: redhat-plumbers-in-action/differential-shellcheck#376 Related: csutils#98 Closes: csutils#168
... taken from a real-world example encountered by differential-shellcheck: redhat-plumbers-in-action/differential-shellcheck#376 Related: csutils#98
We use boost-1.69 in our EPEL-7 builds. Related: csutils#98 Closes: csutils#168
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
csdiff/v0 fingerprints
It hashes the data that csdiff uses in its matching algorithm.
From the updated tests it is obvious that these hashes already
have numerous collisions on the existing test data.
csdiff/v1 fingerprints
It hashes the data that csdiff uses in its matching algorithm
and the line content without spaces. For this fingerprint to
be computed, the results need to include the line content for
the key event in the format produced by
csgrep --embed-context.Related: https://issues.redhat.com/browse/OSH-9
Resolves: #98