-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GHAS validation rule - Message must be flattened #2580
Conversation
"tool": { | ||
"driver": { | ||
"name": "SARIF Functional Testing" | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the _Invalid test has the not flatten message,
the _Valid should have the flatten message.
or, a valid test with results with flatten message,
another valid test that has no result at all like this one.
#Closed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is output SARIF file generated by test, do you mean the input test SARIF file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are right!
@@ -47,6 +47,7 @@ public static class RuleId | |||
public const string ReviewArraysThatExceedConfigurableDefaults = "GH1004"; | |||
public const string LocationsMustBeRelativeUrisOrFilePaths = "GH1005"; | |||
public const string ProvideCheckoutPath = "GH1006"; | |||
public const string MessageMustBeFlattened = "GH1007"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like the other names start with the verb when possible. So maybe this on could be "FlattenMessage"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated to "FlattenResultMessage"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
right these 2 rules are opposite to each other.
SARIF validation rules are common for all SARIF files.
GH rules only for SARIF files need to be ingested by GHAS, should be fine if the GH rule conflicts with SARIF rules. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know that 'flatten' is our special jargon but I wonder if something like 'ProvideFullyFormattedMessageStrings' is more descriptive.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
public override bool EnabledByDefault => false; | ||
|
||
protected override void Analyze(Result result, string resultPointer) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about adding a Set property to Skimmer
class, e.g. ConflictSkimmerSet
. In AnalyzeCommandBase.AnalyzeTarget()
method, iterates available skimmer and add the ConflictSkimmerSet
value to disabledSkimmers
set if has value.
this way the rule author can override existing old rule conflicts with the new rule.
what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting! And so the skimmers just need a dependency on rule ids it replaces. Yes, I think this could work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, so I thought about your idea a bit more.
Rules should be able to declare an 'IncompatibleRuleIds' set or something similar, All the rule does is to publish this data.
Then we update the analysis engine, which, when instantiating skimmers, makes sure that no new enabled skimmers have a rule id that conflicts with the set of loaded skimmers so far. The analysis engine could raise an error-level configuration notification and exit.
This approach would require users to properly configure analysis to account for the configuration problem. I think everything would drop in pretty cleanly by doing this, we need a low-level update to rules metadata and a simple update to the default skimmer loading behavior.
btw - I'm approving this change, we can take on the above or continue to refine the idea in further work items/PRs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks created the issue #2591
regarding "The analysis engine could raise an error-level configuration notification and exit.", should we raise an configuration notification error and disable the incompatible rules then continue the analysis instead exiting?
am thinking about the web validator scenario, user can run only SARIF validator rules, or all SARIF + GH validator rules, if adding a new GH rule which is not compatible with a SARIF rule, we may raise the configuration error and continue analysis without a config file change. If exits right away, the web validator stops getting results until config file is fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Description
Now GHAS code scanning will only accept a SARIF log containing results messages expressed by "message.text" and reject if the results messages use "message.id" and "message.arguments".
Without message text GitHub will fail the upload with message: “Error: Code Scanning could not process the submitted SARIF file: expected a result message, expected a result message…”
Creating the GitHub validator rule for this case.