Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating SARIF2004 #1995

Merged
merged 12 commits into from
Jul 20, 2020
Merged

Updating SARIF2004 #1995

merged 12 commits into from
Jul 20, 2020

Conversation

eddynaka
Copy link
Collaborator

Fixes #1994

@eddynaka eddynaka requested a review from a user July 14, 2020 23:27
@eddynaka eddynaka self-assigned this Jul 14, 2020
LogResult(
resultPointer.AtProperty(SarifPropertyName.AnalysisTarget),
nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_AvoidDuplicativeAnalysisTarget_Text),
result.AnalysisTarget.Uri.ToString());
Copy link

@ghost ghost Jul 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ToString() [](start = 54, length = 10)

I'm not sure whether ToString() or OriginalString is better. #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to OriginalString


In reply to: 454705359 [](ancestors = 454705359)

@@ -142,7 +218,6 @@ private void AnalyzeIdOnlyRules(Run run, string runPointer)
nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_EliminateIdOnlyRules_Text));
}
}

private bool HasIdOnlyRules(string rulePointer)
Copy link

@ghost ghost Jul 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

p [](start = 8, length = 1)

Restore the blank line. (Our coding standard is "blank line after closing brace".) #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops


In reply to: 454705570 [](ancestors = 454705570)

},
{
"ruleIndex": -1,
"rule": {
Copy link

@ghost ghost Jul 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't specify ruleIndex here. The default is -1, so if it it missing, it will be set to -1 when we deserialize the log file. #Closed

}
],
"analysisTarget": { "uri": "local/test/code/src/file1.c" },
"message": { "text": "Good result: artifacts array provides additional useful information." }
Copy link

@ghost ghost Jul 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

artifacts array provides additional useful information [](start = 45, length = 54)

The artifacts array doesn't contain additional information. All it has is a location. (I understand that Line 62 doesn't have uriBaseId, and the artifacts array does, but still, the intent of the rule is that the artifacts array should provide something besides location information. In any case, why are we adding this test? Don't we already have tests for non-useful artifacts arrays? #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Besides the point that i added a non-absoluteuri, this testing is a good one saying that we have a location.physicallocation.artifactlocation.uri != analysisTarget. The message is wrong and i will solve it


In reply to: 454706843 [](ancestors = 454706843)

@@ -47,7 +77,54 @@
}
}
],
"results": [],
"results": [
Copy link

@ghost ghost Jul 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

results [](start = 7, length = 7)

The "expected output" from a "valid" test shouldn't have any results. Something must be wrong in the logic. #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem here is that the rule 1010 and 2004 overlap in one scenario. Should i remove that scenario (when result.ruleId exists and result.rule.Id exists)


In reply to: 454707521 [](ancestors = 454707521)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, just disable 2004 for this test.


In reply to: 454713672 [](ancestors = 454713672,454707521)


if (run.Results != null)
{
AnalyzeResults(run.Results, runPointer.AtProperty(SarifPropertyName.Results));
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AnalyzeResults [](start = 16, length = 14)

You don't need to write AnalyzeResults and call it from here. Just override Analyze(Result result, string resultPointer), and call your helpers ReportUnnecessaryAnalysisTarget and ReportRuleDuplication from there.

This works because you really want to analyze every result. This is unlike the cases where you only want to analyze certain physical locations, or certain URIs -- and so you have to navigate down from the parent to make sure that you only analyze the ones you care about.

Make sense? #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes!


In reply to: 455195243 [](ancestors = 455195243)

LogResult(
resultPointer.AtProperty(SarifPropertyName.AnalysisTarget),
nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_AvoidDuplicativeAnalysisTarget_Text),
result.AnalysisTarget.Uri.OriginalString);
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

result [](start = 28, length = 6)

I would break after logging the first one. If you discover that "analysisTarget isn't necessary because it's the same as location 0", there's no need to also report "analysisTarget isn't necessary because it's the same as location 1". #Closed

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was marked Resolved but it wasn't actually fixed. I think you tried to fix it with the return statements above, but that's not what I meant.


In reply to: 455252796 [](ancestors = 455252796)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i see! i though it was in another place.


In reply to: 455344867 [](ancestors = 455344867,455252796)

"id": "TEST1001",
"toolComponent": { "name": "Plugin01" }
},
"message": { "text": "Good result: artifacts array provides additional useful information." }
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good result: artifacts array provides additional useful information [](start = 32, length = 67)

This comment isn't right. The reason this is valid is that rule.toolComponent is present. #Closed

{
"ruleId": "TEST1001",
"ruleIndex": 0,
"message": { "text": "Bad result: artifacts array does not provide any additional useful information." },
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

artifacts array does not provide any additional useful information [](start = 44, length = 66)

Comment is wrong. This result is bad because analysisTarget is the same as one of the locations. #Closed

},
{
"ruleIndex": -1,
"rule": {
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do not include "ruleIndex": -1 #Closed

"rule": {
"id": "TEST1001"
},
"message": { "text": "Bad result: artifacts array does not provide any additional useful information." }
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

artifacts array does not provide any additional useful information [](start = 44, length = 66)

Comment is wrong: This is invalid because ruleIndex and rule are both present. #Closed

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. It is legal to "not have enough information to locate the rule metadata". Rule metadata is entirely optional in SARIF.
  2. But in any case, "not enough information to locate the rule metadata" is not one of the cases we are testing for with this new rule. So I don't understand why this test case is here.

In reply to: 455257253 [](ancestors = 455257253)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for this case, we are analyzing the rule where we don't have the ruleIndex AND we don't have the toolComponent. So thats a bad case. With that, i changed to not enough information. Isn't that right?


In reply to: 455342702 [](ancestors = 455342702,455257253)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is legal not to have rule index. I see now that this test case is "You should use result.ruleId instead of result.rule.id"


In reply to: 455382915 [](ancestors = 455382915,455342702,455257253)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment still doesn't describe this test case. In this test case, toolComponent does not refer to the driver, so result.rule is necessary. But since result.rule is present, result.ruleId should not be present. So the message might be "Bad result: ruleId duplicates information in rule."


In reply to: 455389470 [](ancestors = 455389470,455382915,455342702,455257253)

"rule": {
"id": "TEST1001"
},
"message": { "text": "Bad result: artifacts array does not provide any additional useful information." }
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bad [](start = 32, length = 3)

Same here. #Closed

@@ -118,6 +146,29 @@
}
}
]
},
{
"ruleId": "SARIF2004",
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SARIF2004 [](start = 21, length = 9)

Disable 2004 for this test, too. #Closed

@@ -69,35 +69,6 @@
}
],
"results": [
{
"ruleId": "SARIF1009",
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SARIF1009 [](start = 21, length = 9)

Why did this result disappear? #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i rollback my changes and added to ignore the rule 2004 as well.


In reply to: 455262015 [](ancestors = 455262015)

Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🕐

LogResult(
resultPointer,
nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_PreferRuleId_Text));
return;
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return [](start = 20, length = 6)

There is no need for either of these return statements. There is no loop here. No matter which branch the code takes, control will pass out of the end of the if statement and out of this function. I think you were trying to respond to my comment below... #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated the wrong place. removing that


In reply to: 455344319 [](ancestors = 455344319)

{
if (result.Rule.ToolComponent != null)
{
if (result.Rule.ToolComponent.RefersToDriver(this.driverGuid))
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can shorten this:

if (result.Rule.ToolComponent?.RefersToDriver(this.driverGuid) == true)

Note that you need the explicit comparison == true because the null-coalescing operator ?. causes the left-hand side to have the type Nullable<bool> -- and you can't do an implicit logical test on a Nullable<bool>. #Closed

{
// {0}: This result specifies both 'result.ruleId' and 'result.rule'.
// Prefer 'result.ruleId' because it is shorter and just as clear.
LogResult(
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LogResult [](start = 24, length = 9)

This logic is backwards. Take a look at the notes I attached to the chat. The idea is:

If toolComponent is present, and if it does not refer to the driver -- which means that it has to be present! -- then result.ruleId and result.ruleIndex should not also be present.

Here's what the notes said:

  if (result.Rule.ToolComponent != null && !result.Rule.ToolComponent.RefersToDriver(this.currentDriverGuid))
  {
    // We HAD to use result.Rule (because otherwise we couldn't have specified the extension component).
    if either result.ruleId or result.ruleIndex is present
        // Complain, because we should have put them in one place: under result.Rule along with the toolComponent.
        "This result provides the 'rule' property, but it also provides either or both of 'ruleId' and 'ruleIndex'. If 'rule' is present, then use 'rule.id' instead of 'ruleId', and use 'rule.index' instead of 'ruleIndex'."
  }
``` #Closed

public class ExtensionsTests
{
[Theory]
[InlineData(-1, "", "", true)]
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

InlineData [](start = 9, length = 10)

Need a test where guid is null. That is actually the more likely case -- the SARIF file doesn't even mention guid. It is less likely that guid is present and its value is the empty string. Keep the "empty string" test, though, by all means. #Closed

{
public class ExtensionsTests
{
[Theory]
Copy link

@ghost ghost Jul 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Theory [](start = 9, length = 6)

We don't use Theory in this code base because we had some bad perf experience with it some years ago. It might be much better now. We use another technique for data-driven tests. I'll go find an example and add it to this comment. Stand by... #Closed

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For an example of our pattern, see src\Test.UnitTests.Sarif.WorkItems\SarifWorkItemExtensionsTests.cs, Lines 118-186.


In reply to: 455431411 [](ancestors = 455431411)

Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The set of test cases is fine. Please use the pattern in src\Test.UnitTests.Sarif.WorkItems\SarifWorkItemExtensionsTests.cs, Lines 118-186:

  • This pattern accumulates failures across all test cases, and then displays them at the end.
  • Use FluentAssertions.
  • Define a struct to define the shape of the test data, so you can use object initializer syntax, and so you can refer to the test data with readable member names instead of "Item1", "Item2"...

In reply to: 455441780 [](ancestors = 455441780,455431411)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, we are now defining the test data according to the pattern in src\Test.UnitTests.Sarif.WorkItems\SarifWorkItemExtensionsTests.cs, Lines 118-186. We still need to do the following:

  • Accumulate the failing test cases. See how SarifWorkItemExtensions_PhraseToolNames_ConstructPhraseCorrectly accumulates a list of the failed test cases in a StringBuilder.
  • Use FluentAssertions. See how that test method uses sb.Length.Should().Be(0, "... message listing the failed test cases ...")

In reply to: 455806704 [](ancestors = 455806704,455441780,455431411)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason for accumulating the test cases is that you can report all the failures at once, instead of stopping at the first failure.


In reply to: 455835254 [](ancestors = 455835254,455806704,455441780,455431411)

if (!string.IsNullOrWhiteSpace(result.RuleId) || result.RuleIndex >= 0)
{
// {0}: This result specifies both 'result.ruleId' and 'result.rule'.
// Prefer 'result.ruleId' because it is shorter and just as clear.
Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will provide new strings. #Closed

Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New message:

The result at '{0}' uses the 'rule' property to specify the violated rule, so it is not necessary also to specify 'ruleId' or 'ruleIndex'. Remove the 'ruleId' and 'ruleIndex' properties.


In reply to: 455809589 [](ancestors = 455809589)

"guid": "686D3462-EC4F-499F-8738-9D6ED96F7A27"
}
},
"message": { "text": "Bad result: rule could be simplified, because it's pointing to default tool." }
Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

default tool [](start = 95, length = 12)

"default tool" => "tool.driver" #Closed

{
if (toolComponent.Index == -1)
{
if (string.IsNullOrWhiteSpace(toolComponent.Guid))
Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IsNullOrWhiteSpace [](start = 27, length = 18)

Just null. We are checking if toolComponent.guid is absent from the SARIF file. If it's absent from the SARIF file, toolComponent.guid will be null. #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok. i will remove the test cases where we test for "", because that won't exist


In reply to: 455816703 [](ancestors = 455816703)

// {0}: This result uses the 'rule' property to specify the rule
// metadata, but the 'ruleId' property suffices because the rule
// is defined by 'tool.driver'. Prefer 'result.ruleId' because it
// is shorter and just as clear.
Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New message:

The result at '{0}' uses the 'rule' property to specify the violated rule, but this is not necessary because the rule is defined by 'tool.driver'. Use the 'ruleId' and 'ruleIndex' instead, because they are shorter and just as clear. #Closed

// {0}: This result uses the 'rule' property to specify the rule
// metadata, but the 'ruleId' property suffices because the rule
// is defined by 'tool.driver'. Prefer 'result.ruleId' because it
// is shorter and just as clear.
Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same message as on Line 94 above ("The result at '{0}' uses the 'rule' property to specify the violated rule, but this is not necessary because ..."). #Closed

@@ -360,4 +366,13 @@ This is part of a set of authoring practices that make your rule messages more r
<data name="SARIF2007_ExpressPathsRelativeToRepoRoot_Warning_ExpressResultLocationsRelativeToMappedTo_Text" xml:space="preserve">
<value>{0}: This result location does not provide any of the 'uriBaseId' values that specify repository locations: '{1}'. As a result, it will not be possible to determine the location of the file containing this result relative to the root of the repository that contains it.</value>
</data>
<data name="SARIF2004_OptimizeFileSize_Warning_AvoidDuplicativeAnalysisTarget_Text" xml:space="preserve">
<value>{0}: The 'analysisTarget' property '{1}' is unnecessary because it is the same as the result location. Remove the 'analysisTarget' property.</value>
Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

{0}: [](start = 11, length = 5)

"In the result at '{0}', the 'analysisTarget' property '{1}' is unnecessary..." #Closed

if (location?.PhysicalLocation?.ArtifactLocation?.Uri == result.AnalysisTarget.Uri)
{
// {0}: The 'analysisTarget' property '{1}' is unnecessary because it is the same as
// the result location. Remove the 'analysisTarget' property.
Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the [](start = 27, length = 3)

The 'analysisTarget' property '{1}' at '{0}' is unnecessary because it is the same as the result location. Remove the 'analysisTarget' property. #Closed

@ghost
Copy link

ghost commented Jul 16, 2020

                firstArtifactPointer,

I want the new message to point to the artifacts array, not to the first element of the array. So define artifactPointer = runPointer.AtProperty(SarifPropertyName.Artifacts) and use it here. I'll provide the new message shortly. #Closed


Refers to: src/Sarif.Multitool/Rules/SARIF2004.OptimizeFileSize.cs:178 in 84bde22. [](commit_id = 84bde22, deletion_comment = False)

@ghost
Copy link

ghost commented Jul 16, 2020

                firstArtifactPointer,

Here you go:

The 'artifacts' array at '{0}' contains no information..."


In reply to: 659480012 [](ancestors = 659480012)


Refers to: src/Sarif.Multitool/Rules/SARIF2004.OptimizeFileSize.cs:178 in 84bde22. [](commit_id = 84bde22, deletion_comment = False)

@ghost
Copy link

ghost commented Jul 16, 2020

        if (HasIdOnlyRules(firstRulePointer))

Similarly here: define rulesPointer to point to the array (and calculate firstRulePointer from rulesPointer, and use rulesPointer in the new message:

"The 'rules' array at '{0}' contains no information..." #Closed


Refers to: src/Sarif.Multitool/Rules/SARIF2004.OptimizeFileSize.cs:219 in 84bde22. [](commit_id = 84bde22, deletion_comment = False)

@ghost
Copy link

ghost commented Jul 16, 2020

        // null check in not required.

"in" =>"is" #Closed


Refers to: src/Sarif.Multitool/Rules/SARIF2004.OptimizeFileSize.cs:205 in 84bde22. [](commit_id = 84bde22, deletion_comment = False)

// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

using FluentAssertions;
Copy link

@ghost ghost Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FluentAssertions [](start = 6, length = 16)

System usings come first. #Closed

Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@@ -393,13 +393,25 @@ Similarly, most 'result' objects contain at least one 'artifactLocation' object.

#### Messages

##### `AvoidDuplicativeAnalysisTarget`: warning
Copy link
Member

@michaelcfanning michaelcfanning Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should have code that auto-emits this content, rather than maintaining it in three places (resource strings, as comments in rule source, and here). Action item for later. #Pending

@@ -393,13 +393,25 @@ Similarly, most 'result' objects contain at least one 'artifactLocation' object.

#### Messages

##### `AvoidDuplicativeAnalysisTarget`: warning

The 'analysisTarget' property '{1}' at '{0}' is unnecessary because it is the same as the result location. Remove the 'analysisTarget' property.
Copy link
Member

@michaelcfanning michaelcfanning Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unnecessary [](start = 48, length = 11)

Please add something like: 'The 'analysisTarget' property is used to distinguish cases when a result fires in a file (such as an included header) that is different than the file that was scanned (such as a .cpp file that included the header). This C++ example example is the canonical scenario that led to this design pattern.

Also, though it is implied, the reason we recommend removing it is to optimize file size.

The 'analysisTarget' property '{1}' at '{0}' can be removed because it is the same as the result location. This unnecessarily increases log file size. 'The 'analysisTarget' property is used to distinguish cases when a result fires in a file (such as an included header) that is different than the file that was scanned (such as a .cpp file that included the header).
#Closed

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eddynaka, +1 on Michael's rephrasing (the very last paragraph in his comment above).


In reply to: 455904829 [](ancestors = 455904829)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

... except that instead of "when a result fires" I suggest "when a tool detects a result".


In reply to: 455907085 [](ancestors = 455907085,455904829)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't intend to take over reauthoring the words, just point you in the right direction. :) feel free to send Eddy updates after it goes through your wordsmithing process. Every string needs a pass in my estimation. I need the team to send me the logs you generated in testing so that I can see what your new output looks like in bulk. If we aren't yet doing that testing, it needs to be included in the formalized process.


In reply to: 455907934 [](ancestors = 455907934,455907085,455904829)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just updated this as well!


In reply to: 455913218 [](ancestors = 455913218,455907934,455907085,455904829)


#### `AvoidDuplicativeResultRuleInformation`: warning

The result at '{0}' uses the 'rule' property to specify the violated rule, so it is not necessary also to specify 'ruleId' or 'ruleIndex'. Remove the 'ruleId' and 'ruleIndex' properties.
Copy link
Member

@michaelcfanning michaelcfanning Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You have a tendency to introduce descriptive prefixes in rules that I find distracting. The '{0}' value tends to be sufficiently descriptive to illuminate what's under discussion. This is most easily seen when actually reviewing output of the tool (which I encourage you to do), particularly real world quantities of output, not just a small # of test messages. In this second example. we see that we're trying to evolve to a common output format string for duplicative information (and we should converge on a standard).

'{0}' uses the 'rule' property to specify the violated rule, so it is not necessary also to specify 'ruleId' or 'ruleIndex'. This unnecessarily increases log file size. Remove the 'ruleId' and 'ruleIndex' properties. #Closed

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm open to this but I ask you to consider the potential value of the descriptive prefixes. The problem is that the JSON paths can be very long, and without the prefix, the first thing that meets your eye is this long string. Consider an example where it's really long:

'/runs/0/results/0/locations/0/physicalLocation/artifactLocation/uri' contains an invalid URI 'fi:le:///C:/dev/'

I think this provides the reader with an easier entry to the message:

The URI 'fi:le:///C:/dev/' at '/runs/0/results/0/locations/0/physicalLocation/artifactLocation/uri' is invalid.

... because it says "I'm about to tell you something about a URI". Without the prefix, you have to scan to the end of the path string to learn that it's about a URI.


In reply to: 455907068 [](ancestors = 455907068)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your example doesn't correspond to my feedback, which notes that describing the SARIF JSON type is generally not required because the type information tends to be encoded in the JSON path. The term 'URI' isn't typically encoded in the URI and so it is useful to identify the string literal as one.


In reply to: 455936290 [](ancestors = 455936290,455907068)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I understand the distinction.


In reply to: 455941928 [](ancestors = 455941928,455936290,455907068)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just updated


In reply to: 455982124 [](ancestors = 455982124,455941928,455936290,455907068)


##### `EliminateIdOnlyRules`: warning

{0}: The 'rules' array contains no information beyond the ids of the rules. Removing this array might reduce the log file size without losing information. In some scenarios (for example, when assessing compliance with policy), the 'rules' array might be used to record the full set of rules that were evaluated. In such a scenario, the 'rules' array should be retained even if it contains only id information.
The 'rules' array at '{0}' contains no information beyond the ids of the rules. Removing this array might reduce the log file size without losing information. In some scenarios (for example, when assessing compliance with policy), the 'rules' array might be used to record the full set of rules that were evaluated. In such a scenario, the 'rules' array should be retained even if it contains only id information.
Copy link
Member

@michaelcfanning michaelcfanning Jul 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The 'rules' array [](start = 0, length = 17)

I'd like to see actual instances of this rule output before approving. Can you provide some from your testing? Note that you have some language here 'Removing this array might reduce log file size' that should converge on a standard message. Also, why do we have the 'might'? This analysis s/be very clear whether our suggestion can be taken without implying information loss. If not, let's keep working on the analysis. #Resolved

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've just sent you the output from running the validator on a SARIF file produced from scanning a significant repo.


In reply to: 455908031 [](ancestors = 455908031)

@michaelcfanning michaelcfanning merged commit d9f783d into master Jul 20, 2020
@michaelcfanning michaelcfanning deleted the users/ednakamu/sarif-2004-update branch July 20, 2020 17:18
ScottLouvau pushed a commit that referenced this pull request Oct 27, 2020
* Honor insert and remove arguments for rebase uri command. (#1927)

* Add data insert/removal to rebase uri command.

* Update release notes for rebase uri command.

* Remove console message.

* Rule validaton request template (github issue) (#1903)

* first draft for Rule Request template.

* updated - merged with Larry's version.

* deletin original

* reviews++

* removing stuff that "hits in the face" :D

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* rule validation template file (#1902)

* first draft

* improving comments and wordsmithing

* updates after Principles conversation this morning.

* reviews++

* typo :O

* another typo :)

* reviews++

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Create 'SARIF Validation Rule Authoring Principles' doc. (#1906)

* Create 'SARIF Validation Rule Authoring Principles' doc.

* Add periods to sentences; complete incomplete principle.

* Rewrite after discussion with Michael and team.

* Fix typos.

* Fix a typo.

* First half of rule factoring: existing rules.

* Correct description of rule number ranges.

* Fix a typo.

* Finish first draft.

* Add missing separator.

* Wordsmith a heading.

* Changes per HK review.

* Finish HK review.

* Incomplete 'Contributing a rule' doc, derived from BinSkim.

* Start rule factoring spreadsheet.

* Finish first cut at rule factoring spreadsheet.

* Fix typos.

* Update rules spreadsheet per MF review.

* Update rules spreadsheet; add Rule Messages doc.

* Finish strings for 2009; add 'Message status' column.

* Incorporate Introduction.

* Update Rule Messages with Introduction.

* Remove redundant file; rename real one.

* Message refinements.

* Rename 'Producing' doc and tweak intro.

* Author messages for SARIF2002.UseMessageArguments.

* Author messages for SARIF1012.MessagePropertiesMustBeConsistent.

* Serialization Consistency fixes (#1924)

* Serialization consistency fixes.
  - Ensure DateTimeConverter used for all DateTime properties.
  - Reimplement SerializedPropertyInfoConverter to copy tokens rather than loading to JToken and serializing again.
  - Make PropertyBagConverter use SerializedPropertyInfoConverter for values.

* Reset build.props to next logical version.

* Updated OM based on CodeGenHints.

* Release notes update

* Fix #1915: Allow result message to be truncated (#1932)

* Fix #1915: Allow result message to be truncated

* Address PR feedback; update release history.

* Restore accidentally deleted Autogenerated files.

* Restore erroneously deleted const.

* Add comments for "horizontal ellipsis".

* Upgrade netcoreapp from Multitool (#1962)

* Upgrade netcoreapp from Multitool

update

* adding system.runtime

* Remove extra version header from release history. (#1985)

* Remove extra version header from release history.

* Increase a test timeout.

* Increase timeout on a test that fails on one of the VMs.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Guarantee "execute" permissions for NPM package. (#1986)

* Chmod for Darwin.

* Chmod for Linux.

* Fix.

* Merge feature branch with new SARIF validation rules (#1984)

* Users/hakohli/validation rules defaultmsgs (#1917)

* remove stale rule references - 1006 and 1009

* house keeping changes for 1001

* more cleanup- remove fulldecsription private field

* updates after decisions on resx naming

* sarif file rule name should be shorter

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* sarif validation rules 1002 1006 2001 (#1918)

* changing rule ids only

* updating rule names and message ids

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Validation rules: 1005 1008 1009 1010 (#1920)

* rules 1011 2008 (split from original) (#1921)

* rule id changed and tested

* changing rule name and tested

* description resx id updated

* resx updated and test cases regened

* final changes after splitting the rule in two.

* reviews++

* fix one thing

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* rule 1007 (combine) (#1922)

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* validation rule 1004 (#1923)

* renaming ruleid and tested

* rulename changed and tested

* description resx changed

* merged test cases into one rule

* cleanup and reordering

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Adding rule SARIF2005.ProvideHelpfulToolInformation (#1926)

* Adding ContextRegionMustBeProperSupersetOfRegion to SARIF1008. (#1925)

* Fix test break to due failure to pre-merge. (#1928)

* validation rule sarif1004 (#1930)

* changing file contents to follow conventions

* validation rule 1004

* reviews++

* tiny thing ;)

* another tiny thing!

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Add rules spreadsheet and document. (#1931)

* Provide messages for SARIF1005. (#1934)

* validation rule sarif1002 (part 1) (#1933)

* formatting changes only

* sub-rule: FileUrisMustNotIncludeDotDotSegments

* another test case output

* removing brnach comments from newly wrtiten rules.

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Adding rule SARIF2001.AuthorHighQualityMessages (#1929)

* sarif1007 subrule: RegionStartPropertyMustBePresent (#1935)

* changing file formatting per convention

* adding sub-rule: RegionStartPropertyMustBePresent

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Update rules factoring spreadsheet. (#1936)

* Update version-related comment in rules spreadsheet. (#1937)

* Update coding status on spreadsheet.

* Adding Rule SARIF2009

Adding tests

* Update rule status spreadsheet.

* code review - 1

* code review - 2

* code review - 3

* code review - 4

* code review - 5

* code review - 6

* Standardize and add messages to SARIF1001.

* Provide messages for SARIF1002 (except for the RFC 8089 message).

* Provide messages for SARIF1007.

* Rename SARIF2005 to ProvideToolProperties.

* Adding rule SARIF2004.OptimizeFileSize: EliminateLocationOnlyArtifacts (#1939)

* Provide messages for SARIF2001; update code to populate arguments.

* Provide message strings for SARIF1006.

* Move a rule description message to the right place.

* Standardize and provide messages for SARIF1009.

* Add description for SARIF1009.

* Reformat SARIF1005, update spreadsheet. (#1940)

* Author "Principles" section. (#1941)

* More about tool information.

* Copy edits to "Principles" section.

* More spreadsheet updates.

* More spreadsheet updates.

* More spreadsheet updates.

* More spreadsheet updates.

* More spreadsheet updates.

* adding placeholders for all resource strings and rule ids. (#1943)

* adding placeholders for all resource strings and rule ids.

* remove unneeded using refernece

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Adding rule SARIF1012 (#1944)

* More spreadsheet updates.

* Adding Rule SARIF2006 (#1942)

* Adding rule SARIF2002 (#1946)

* More spreadsheet updates, a little document work.

* Adding Rule SARIF2003 (#1947)

* More spreadsheet updates and document work.

* Adding Rule SARIF2011 (#1948)

* split rule sarif2001 into multiple (#1945)

* rename original rule - tested

* copies of the same rule created

* added test cases

* cleaned up resx strings

* pushing changes so far - 2 test cases fail

* expected outputs

* fixes for test cases

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* More spreadsheet updates and document work.

* Adding Rule SARIF2012 (#1949)

* More spreadsheet updates and document work.

* Add rule SARIF2004.OptimizeFileSize.EliminateIdOnlyRules (#1950)

* sub-rule added

* reviews answered and merge from latest faetures branch

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* More spreadsheet updates and document work.

* More spreadsheet updates and document work.

* More spreadsheet updates and document work.

* Adding rule SARIF2013 (#1951)

* More spreadsheet updates and document work.

* Updating Rule SARIF2009 and SARIF2014 (#1954)

* Update spreadsheet.

* sarif validation rule 2010 - provide code snippets (#1953)

* rule + test cases

* reviews++

* remove blank line

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Updating rules based on the guidelines (#1955)

* More spreadsheet updates and document work.

* Update spreadsheet.

* Document: "high quality" => "effective" everywhere.

* Document: Split up "enriched SARIF" rule.

* Author messages for SARIF2008.ProvideSchema.

* Remove obsolete "uriBaseId conventions" text.

* Rule description for SARIF2007.ExpressPathsRelativeToRepoRoot

* Fix ExpressUriBaseIdsCorrectly messages.

* Fix doc errors; update spreadsheet.

* user msgs verified for 1006 to 1010 (#1957)

* user messages updated for 1006 to 1010

* adding period back for 1008 description

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Adding Rule SARIF2007 (#1958)

* Bugfix null reference Rule SARIF2007 (#1959)

* Update spreadsheet: last rule written!

* Introduce SARIF1003 in spreadsheet.

* user msgs verified for 1001 to 1005 (#1956)

* usewr msgs verified for 1001 to 1005

* changing implementation for one sub-rule

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Fix missing cross-ref in doc.

* Remove backticks from plain text message.

* user messages for rules 1011, 1012, 2001, 2002. (#1960)

* user messages for rules 1011, 1012, 2001, 2002.

* fixing wrong message

* fixed updated string and merge from features

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Fix 2005 messages.

* user msgs verified for 2005 2008 2009 (#1961)

* user msgs verified for 2005, 2008, 2009

* 2005 msgs updated

* proof read 2008 & 2009

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Doc update for 2005/8/9.

* user msgs verified for 2014 & 2015 (#1965)

* user msgs verified for 2014 & 2015

* proof read 2014 and 2015

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Doc update for 2014/15.

* Restoring original functionality for sub rule: UriBaseIdRequiresRelativeUri (#1967)

Authored-by: Harleen Kaur Kohli

* Spreadsheet update for 1004.

* Update messages and code for SARIF1004. (#1968)

* Fix bug in 1012. (#1969)

* Provide messages for SARIF2003.ProvideVersionControlProvenance. (#1970)

* Provide messages for SARIF2004.OptimizeFileSize. (#1973)

* Provide messages for SARIF2006.MessagesShouldBeReachable. (#1974)

* Provide messages for SARIF2007.ExpressLocationsRelativeToRepoRoot. (#1975)

* Provide messages for SARIF1012.ProvideHelpUris. (#1976)

* Provide messages for SARIF2013.ProvideEmbeddedFileContent. (#1977)

* Fix broken functional test due to typo in message. (#1978)

* Provide messages for SARIF2010.ProvideCodeSnippets. (#1979)

* Provide messages for SARIF2011.ProvideContextRegion. (#1980)

* Remove overactive assertion. (#1981)

* Fix empty 2005 message (wrong argument order to LogResult). (#1982)

* Update release history and bump minor version number. (#1983)

* Update version

Co-authored-by: Harleen Kaur Kohli <hakohli@microsoft.com>
Co-authored-by: Eddy Nakamura <eddynaka@gmail.com>
Co-authored-by: Larry Golding (Myriad Consulting Inc) <v-lgold@microsoft.com>
Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>
Co-authored-by: Michael Fanning <mikefan@microsoft.com>

* marking webrequest perf test to be ignored due to its flakiness. (#1987)

* marking perf test to be ignored due to its flakiness.

* Update skip description.:

Co-authored-by: Harleen Kaur Kohli <erferferfg>
Co-authored-by: Michael Fanning <mikefan@microsoft.com>

* Make all Multitool command and options classes public, (#1988)

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Bump lodash from 4.17.14 to 4.17.19 in /src/ESLint.Formatter (#1999)

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.14 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.14...4.17.19)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Updating SARIF2004 (#1995)

* Updating SARIF2004

* code review - 1

* code review - 2

* code review - 3

* Adding Extension and tests

* Updating tests and sarif files

* adding more cases to unit test

* code review - 4

* code review - 5

* updating order

* updating texts

* updating texts

* Bump version to 2.3.3; update release history. (#2006)

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Adding rule SARIF2016 (#1996)

* Adding rule SARIF2016

* updating tests

* Modify sample to use uriBaseIds (#2002)

* Modify sample to use uriBaseIds.

* Add TryReconstructAbsoluteUri unit test for missing trailing slash.

* Shorten and move comment.

* Introduce string constants.

* Add SarifLogger tests for run enhancement.

* Add a period.

* Test population of artifact contents in presence of uriBaseId.

* Add tests for GetEncodingFromName.

* Remove renamed-and-mostly-changed file.

* Fix file-scheme-related bug in UriConverter.

* Test for analysis targets with encoding and contents.

* DRY out "file" scheme constant.

* Mentioned fix for #2001 in release history.

* Remove extra blank line.

* Fix typo in comment.

* Fix another typo.

* Add version control provenance; change to REPO_ROOT.

* Visit results to provide region snippets.

* Clean up InsertOptionalDataVisitorTests

* Add unit test for visiting individual result.

* Add rule help URIs to test data.

Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>

* Update release history for SARIF2016. (#2010)

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Sarif SDK fixes during Fortify conversion comparison testing (#2011)

* Fix Sarif.Multitool duplicate files in nupkg issue!

* Update SarifTrim to match new Newtonsoft reference version.

* Fix SarifLogger NullRefException when Results don't have a RuleId set.

* FortifyFprConverter: More efficient code when ContextRegions excluded.

* switching test cases titles and adding a new case (#2012)

Co-authored-by: Harleen Kaur Kohli <erferferfg>

* Fortify FPR converter fixes (#2014)

* FortifyFpr converter improvements.

* Fix typo in file.

* Code changes to convrter

* Add DSP ingestion visitor.

* Files to demonstrate Fortify DSP progress.

* Update script to auto-gen drive letter based on script path.

* Update replacement logic.

* Update tests based on foritfy fopr converter and page command improvements.

* Remove test files for now.

* Delete test files.:

* Fix #2009: Don't require per-test config files in validator functional tests. (#2013)

* Don't disable rules in the default configuration file.

* Eliminate config files.

* Finish refactoring.

* Fix #2009: Don't break tests when new rules are introduced.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Fix #2003: Don't report missing snippet if file content is present. (#2019)

* Checking artifacts before snippet

* code review - 1

* code review - 1

* code review - 2

* Code review - 2

* code review - 3

* code review - 3

* Fix broken functional test. (#2020)

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Update merge command to allow splitting merged results again along a rule boundary. (#2023)

* Introduce GitHub DSP analysis rules (#2021)

* Bump version; update release history.

* Add GitHub DSP policy file.

* Fix broken functional test.

* Add user-facing strings for SARIF2017.

* Define rule id for SARIF2017.

* Introduce SARIF2017.LocationsMustHaveRequiredProperties.

* Add "valid" functional test for SARIF2017.LocationsMustHaveRequiredProperties.

* Add "invalid" functional test for SARIF2017.LocationsMustHaveRequiredProperties.

* Cover case where result.locations is empty.

* Move location property bags up to expose JPointer bug.

* Introduce Skimmer.EnabledByDefault

* Skimmer: Populate DefaultConfiguration so it appears in rule metadata.

* Don't execute default-disabled rules unless the configuration enables them.

* Add first rule to policy file; add file to solution.

* Add DSP XML config file.

* Remove associated tool GUID from SARIF config file.

* Update solution file for renamed policy file.

* Adjust line numbers to fix test broken by JPointer bug.

* Update a comment.

* Rename misnamed resource strings.

* Implement SARIF2018.InlineThreadFlowLocations.

* Implement SARIF2019.RegionsMustProvideRequiredProperties.

* Update policy files for SARIF2019.

* Implement SARIF2020.ReviewArraysThatExceedConfigurableDefaults.

* Fix broken formatted messages; improve messages.

* Fix naming errors in policy files and a bug in SARIF2019.

* Implement SARIF2021.LocationsMustBeRelativeUrisOrFilePaths.

* Implement SARIF2022.ProvideCheckoutPath.

* SARIF2017 now covers related locations.

* SARIF2017: Add tests for relatedLocations.

* SARIF2017: Really add relatedLocations logic this time.

* Rename "policy" files to "config".

* Protect SARIF1004 against a null ref.

* Correct user-facing strings for SARIF2019 to match DSP behavior.

* Improve user-facing strings for SARIF2021.

* Avoid null ref in SARIF2022.

* Implement SARIF2023.RelatedLocationsMustProvideRequiredProperties.

* Update test for changed message.

* Fix typo in summary comment.

* Refactor SARIF2021 to prepare for related locations.

* Apply SARIF2021 to related locations.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Include GitHub DSP policy file in MultiTool NuGet package. (#2030)

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Defer loading of the filing client until it's used. (#2038)

* Rename the 'guid' property to 'logId'. (#2037)

LogId is more descriptive and easier to understand.

* Add GitInformation helper. (#2035)

* Add GitInformation helper.

* Add unit test for ArtifactLocation.ToLocation.

* Add VersionControlInformation to OptionallyEmittedData.

* Add comment explaining path replacement.

* DRY out calculation of repo root.

* Compensate for varying repo root.

* Compensate for enlistment root's artifact.

* PR feedback.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Improve package creation (#2032)

* DRY out declaration of TargetFrameworks.

* Ensure Multitool netcoreapp3.1 publishing directory is created.

* Create a dependency package for Multitool.

* Create WorkItems package, needed by Multitool.Library package.

* Address PR feedback.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Revert "Improve package creation (#2032)" (#2048)

This reverts commit ee6ab47.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* SARIF2005.ProvideToolProperties: Allow dottedQuadFileVersion; require informationUri. (#2044)

The following requirements on rule `SARIF2005.ProvideToolProperties` are related to ensuring that SARIF log files are "fit for purpose" for automatic bug filing:

- Allow `dottedQuadFileVersion` to satisfy the requirement that version information be present.
- Require `informationUri`.

The set of version properties that satisfy the version information requirement is configurable. By default, any of the three properties `version`, `semanticVersion`, or `dottedQuadFileVersion` will do.

The requirement that `informationUri` be present can also be turned off in the rule configuration.

See [Appendix: Fitness for purpose: Automatic bug filing](https://github.com/microsoft/sarif-tutorials/blob/users/lgolding/fitness-for-purpose/docs/Fitness-for-purpose-automatic-bug-filing.md) in the [SARIF Tutorials](https://github.com/microsoft/sarif-tutorials)

* Rebase absolute URIs relative to the closest enclosing repo root. (#2047)

* Renaming DSP rules (#2049)

Rename the analysis rules that ensure compatibility with the GitHub Developer Security Portal (DSP). Give them the prefix "DSP". This way we don't have to worry about reserving a numeric range for them.

* Rename SARIF2012 and add check for friendly name (#2031)

Rename `SARIF2012` from `ProvideHelpUris` to `ProvideRuleProperties`. In addition to checking for the `helpUri` property, it now also checks for the `name` property, and checks whether `name` is in the form of a single Pascal case identifier.

* Mention VersionControlInformation to Multitool help (#2051)

As of cef88f8, the `rewrite` command's `--insert` option accepts the value `VersionControlInformation`. When this value is specified, the command populates `run.versionControlProvenance`. In addition, any absolute URI that points into a Git repo is rewritten as a relative reference with respect to the nearest enclosing repo root.

We neglected to mention the new value in the command line help; do that now.

Also, we note that the descrption of the `rewrite` command did not at all say what the command actually does. Fix that.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Enable rule documentation export in multitool (#2052)

Add a multitool command `export-rule-documentation` that creates a Markdown file containing information from the rule metadata, driven by the set of `SarifValidationSkimmerBase`-derived classes in the multitool assembly.

* Minor change in ESLint.Formatter/readme.MD (#2059)

* Fix GitHubDspIngestionVisitor (#2061)

Add file-based unit tests for the `GitHubDspIngestionVisitor` and fix the bugs that they reveal:

- #2058: GitHubDspIngestionVisitor limits number of results only if some of them are non-errors
- #2060: GitHubDspIngestionVisitor removes codeFlows entirely rather than inlining threadFlowLocations

When inlining `threadFlowLocations`, we have to take care to distinguish those properties that are shared among all usages of a given location (for example, the `location` and `module` properties) from those properties that vary across usages (for example, `executionTimeUtc` and `state`). The `location.message` requires special handling because we do want to take `location` from the shared object, but we don't necessarily want to take `location.message`. Finally, we merge the property bags, preferring the values in the per-usage property bag if there are any overlaps.

We also have to merge property bags when inlining artifact locations.

* Extract Sarif.Multitool.Library from Sarif.Multitool (#2054)

We extract almost all the functionality from the `Sarif.Multitool` exe project into a separate library project `Sarif.Multitool.Library`. We continue to build a "DotnetTool package" from `Sarif.Multitool`, but now we also build a "Dependency" package from `Sarif.Multitool.Library`. This allows other projects to consume the library and access its public API.

The motivation for all this is to expose the "normalization API" (which is actually just an invocation of the `RewriteCommand` with certain options) so that it can be consumed.

NOTE: We ended up having to create a package from the `WorkItems` project, which we hadn't previously done, to get the `Sarif.Multitool.Library` package to build.

* Update GitHub brand names (#2069)

This resolves some brand inconsistencies in the SARIF SDK for some of the GitHub-specific validation rules. DSP is our internal organization name, but not our official product name, so I went and made a bunch of changes to align with the guidance from marketing.

Changes tweaked by @lgolding: Rule prefix is now `GH`, all test files now have the appropriate prefix, and I polished a few user-facing strings.

* Fix a couple of edge cases that cause the ESLint formatter to create invalid SARIF files (#2068)

* Only add shortDescription to a rule if a description exists. Otherwise the output is an invalid SARIF file with a missing text field.

* Add a test for valid SARIF from a custom rule with no description.

* Only add `startLine` / `startColumn` if they are > 0.

* Add a test for invalid column number.

* Moving ExportRuleDocumentationCommand to Driver (#2066)

* Update nuget.exe. Remove duplicate files from package. Resolve nuget.exe warning re: icon use. (#2074)

* Update release file and version for 2.3.6 (#2076)

* Remove package file contents duplication. (#2078)

* ESLint.Formatter - Add ESLint version to run.tool.driver #2070 (#2071)

Also:
* Bump SARIF schema version to 2.1.0-rtm.5 (final public standard version).
* Move chai and mocha into devDependencies.

* Refactor the SARIF Multitool unit tests (#2075)

Since we have factored a library out of `Sarif.Multitool`, we should factor the tests as well.

At first I thought this was a pure rename, since the only file left in `Sarif.Multitool` was `Program.cs`, and (as far as I knew) there were no tests for `Program.cs` (which does nothing but dispatch the verb to the appropriate command class).

But it turns out that there is exactly one test which does call `Program.cs` directly (whether it _should_ is another question), so I have retained the project `Test.UnitTests.Sarif.Multitool` to hold that one test, and moved all the others into `Test.UnitTests.Sarif.Multitool.Library`.

Only two test classes required changes due to the move:
- `GenericCommandTests.cs`
- `MergeCommandTests.cs`

* Exposing commands to multitool (#2073)

* Exposing commands to multitool

* code review - 1

* renaming commands

Co-authored-by: Michael Fanning <mikefan@microsoft.com>

* Adding Delete in IFileSystem (#2072)

* Adding Delete in IFileSystem

updating text

* code review - 1

* renaming methods

* renaming methods

* Fix #2062: LGTM "could not build merge commit" (#2067)

* Fix LGTM by adding new Multitool library project to CodeQL solution.

* Add explicit reference to newtonsoft JSON package.

Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Michael Fanning <mikefan@microsoft.com>

* Add explicit reference to newtonsoft. Update to 11.0.2. Update to minimist 1.2.3 (#2093)

* Add explicit reference to newtonsoft. Update to 11.0.2. Update to minimist 1.2.3.

* Restore fluent assertions reference.:

* Implement converter from FlawFinder's CSV output format (#2088)

* Update option help text.

* Introduce NYI exception-throwing converter.

* Require input stream.

* Require result log writer.

* Converter creates empty log file -- test incomplete.

* "No results" test passes.

* Convert each CSV row to a dummy SARIF result.

* Populate ruleId.

* Populate message.

* Populate level.

* Extract a method.

* Rename a method.

* Populate locations (and thus artifacts).

* Populate result.properties["Level"].

* Refactor to carve out a place for rules production.

* Populate rules.

* Populate partial fingerprints.

* Remove unused resources.

* Bump version and update release history.

* Populate snippets.

* Use Category/Name as the rule id.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Fix #2084 (GitHub related location message); Fix #2085 (GitHub invocations) (#2086)

* Remove GH1007.ProvideRequiredRelatedLocationProperties.

* Rename file GitHubDspIngestionVisitor.cs to GitHubIngestionVisitor.cs (class already has correct name).

* Don't insert placedholder related locations message.

* Remove obsolete test.

* Don't remove invocations.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Fixing index out of range in baseliner (#2102)

* Fixing index out of range in baseliner

* Adding resultmatching test to validate before/after change

* Addressing michael's comments

* Adding setter to GitExePath (#2110)

* Adding setter to GitExePath

* adding tests and change to changelog

* Checking PATH environment variable (#2107)

* Checking PATH environment variable

* creating file searcher helper, adding tests

* code review & update in changelog

* updating error comment

* fixing tests

* Fix #2089: GitHub policy should not turn off any note level rules (#2096)

* Fix #2089: GitHub policy should not turn off any note level rules

* Elevate two rules and (correctly) disable one.

* Update release history.

Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>

* Export docs when packing (#2087)

* Generalize and harden docs exporter (#2082)

* Generalize and harden docs exporter

merge

* code review - 1

* code review - 2

Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>

* Fix #2090: Validator should warn of leading / in relative artifact location URIs (#2095)

* Fix #2090: Validator should warn of leading / in relative artifact location URIs

* Update release history.

* Remove unnecessary "== true".

Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>

* Fix up test break. Mark doc comment warnings as silent for now. (#2112)

* Fix #2098: Make pretty-print the default output format (#2100)

* Fix #2098: Make pretty-print the default output format

Introduce a new command line option `--minify`. If neither `--minify` nor `--pretty-print` is specified, `--pretty-print` is set to true. If both `--minify` and `--pretty-print` is specified, parameter validation fails.

* Minor cleanups.

* Fix up root namespace in a test project.

* Introduce fit-for-purpose error message.

* DRY out options validation.

* Avoid writing a file just to verify command line options.

* Remove unused static field.

* Update release history.

Co-authored-by: Larry Golding <lgolding@comcast.net>

* Support queries against properties in the result's and the rule's property bags (#2065)

* Introduce a test file for property bag queries.

* Support string-valued result properties.

* Support string-valued rule properties.

* Clarify property bag query syntax and restore ability to recognize invalid property names.

* Compare property bag properties case-insensitively.

* Handle integer-valued properties.

* Update version number and release history.

* Handle float properties.

* Generalize exception messages.

* Separate property bag tests.

* DRY out test setup into a fixture.

* Restore erroneously edited comment.

* Simplify query syntax by inferring whether string or numeric comparison was desired.

* Fix up test project file.

* Remove unnecessary else.

* Case-sensitive property name comparison with minimal code change.

* Simplify code.

* Bump version, correct release history.

Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>

* Compute and Apply policies (#2109)

* Compute and Apply policies

* adding tests + reorganization

* michael's code review - 1

* adding parameter names and renamings

* Policies won't be static, because it can lead to errors

* updating changelog

Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>

* Simplifying tests and adding fix in changelog (#2111)

* Simplifying tests and adding fix in changelog

* Renaming parameters and changing to show literals

* fixing test

Co-authored-by: Michael Fanning <mikefan@microsoft.com>

* Creating FileSystem singleton (#2115)

* Creating FileSystem singleton

* Larry's code review - 1

* Larry's code review - 2

* updating last filesystem

* Implementing Formatting property+ fixes (#2121)

* Implementing GetFormatting helper + fixes

* from method to property

* changing from "" to string.empty

* Adding command policy to multitool (#2118)

* Adding command policy to multitool

* updating changelog

* Larry's code review - 1

* fixing ordering

* Fixing xml when that doesn't contain location (#2119)

* Fixing xml when that doesn't contain location

* Larry's code review - 1

* removing unused resource

* Revert "removing unused resource"

This reverts commit 4bbd4d1.

* Larry's code review - 2

* fixing tests

* adding comment why we need this condition

* fixing issue with parser

* updating tests

* checking capacity in AddLocationToResult method

* Fixing FileSpecifier for Linux/Windows environment (#2122)

* Fixing linux tests

* fixing FileSpecifierTests

* fixing files

* replacng \r\n for environment.newline

* Enforcing file normalization (#2116)

* Enforcing file normalization

* enforcing header

* reverting

* enforcing file normalization

* ignoring cs15xx for autogenerated files

* removing editorconfig from autogerated folder

* applying format

* Enabling dotnet-format in pipeline (#2123)

updating script to execute every time

using windows environment

updating path

* Reversion to 2.3.8. (#2125)

* Reversion to 2.3.8.

* fixing grouping + end of line in versionConstants file

Co-authored-by: Eddy Nakamura <eddynaka@gmail.com>
Co-authored-by: Eddy Nakamura <ednakamu@microsoft.com>

* Updating badge and pre-requisites to build sarif-sdk (#2126)

* Improve FileRegionsCache testability (#2131)

* Improve FileRegionsCache testability

* updating release history

* Revert "updating release history"

This reverts commit 0d79902.

* Merge correct current JSON1002 expected (one result)

* Fix Skimmer translation to be more consistent with previous conversion.
 DefaultConfiguration needs to be initialized.
 Pass additional arguments down to Skimmer.BuildRule().

* Set hint to serialize Result.Locations when empty.

* Update SARIF1004 Invalid example so input has same attribute order as roundtripped version after PrereleaseTransformer.

Newtonsoft seems to usually put "originalUriBaseIds" in the same order as the Run class declarations (and the schema from which it was generated) but not in this particular case.

Co-authored-by: Michael C. Fanning <michael.fanning@microsoft.com>
Co-authored-by: Harleen Kaur Kohli <hakohli@microsoft.com>
Co-authored-by: Larry Golding <lgolding@microsoft.com>
Co-authored-by: Eddy Nakamura <eddynaka@gmail.com>
Co-authored-by: Larry Golding <lgolding@comcast.net>
Co-authored-by: Jeff King <jeffking@gmail.com>
Co-authored-by: Larry Golding (Myriad Consulting Inc) <v-lgold@microsoft.com>
Co-authored-by: Michael Fanning <mikefan@microsoft.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: rtaket <rtaket@microsoft.com>
Co-authored-by: tosmolka <37370256+tosmolka@users.noreply.github.com>
Co-authored-by: Justin Hutchings <jhutchings1@users.noreply.github.com>
Co-authored-by: Chris Raynor <cbraynor@github.com>
Co-authored-by: Eddy Nakamura <ednakamu@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[RULE REQUEST] Additional file size optimizations
2 participants