Updating SARIF2004

src/Sarif.Multitool/Extensions.cs

@@ -0,0 +1,24 @@
+using System;
+
+namespace Microsoft.CodeAnalysis.Sarif.Multitool
+{
+    public static class Extensions
+    {
+        public static bool RefersToDriver(this ToolComponentReference toolComponent, string driverGuid)
+        {
+            if (toolComponent.Index == -1)
+            {
+                if (toolComponent.Guid == null)
+                {
+                    return true;
+                }
+                else
+                {
+                    return toolComponent.Guid.Equals(driverGuid, StringComparison.OrdinalIgnoreCase);
+                }
+            }
+
+            return false;
+        }
+    }
+}

src/Sarif.Multitool/Rules/RuleResources.resx

@@ -272,7 +272,13 @@ Many tools follow a conventional format for the 'reportingDescriptor.id' propert
 
 In several parts of a SARIF log file, a subset of information about an object appears in one place, and the full information describing all such objects appears in an array elsewhere in the log file. For example, each 'result' object has a 'ruleId' property that identifies the rule that was violated. Elsewhere in the log file, the array 'run.tool.driver.rules' contains additional information about the rules. But if the elements of the 'rules' array contained no information about the rules beyond their ids, then there might be no reason to include the 'rules' array at all, and the log file could be made smaller simply by omitting it. In some scenarios (for example, when assessing compliance with policy), the 'rules' array might be used to record the full set of rules that were evaluated. In such a scenario, the 'rules' array should be retained even if it contains only id information.
 
-Similarly, most 'result' objects contain at least one 'artifactLocation' object. Elsewhere in the log file, the array 'run.artifacts' contains additional information about the artifacts that were analyzed. But if the elements of the 'artifacts' array contained not information about the artifacts beyond their locations, then there might be no reason to include the 'artifacts' array at all, and again the log file could be made smaller by omitting it. In some scenarios (for example, when assessing compliance with policy), the 'artifacts' array might be used to record the full set of artifacts that were analyzed. In such a scenario, the 'artifacts' array should be retained even if it contains only location information.</value>
+Similarly, most 'result' objects contain at least one 'artifactLocation' object. Elsewhere in the log file, the array 'run.artifacts' contains additional information about the artifacts that were analyzed. But if the elements of the 'artifacts' array contained not information about the artifacts beyond their locations, then there might be no reason to include the 'artifacts' array at all, and again the log file could be made smaller by omitting it. In some scenarios (for example, when assessing compliance with policy), the 'artifacts' array might be used to record the full set of artifacts that were analyzed. In such a scenario, the 'artifacts' array should be retained even if it contains only location information.
+
+In addition to the avoiding unnecessary arrays, there are other ways to optimize the size of SARIF log files.
+
+Prefer the result object properties 'ruleId' and 'ruleIndex' to the nested object-valued property 'result.rule', unless the rule comes from a tool component other than the driver (in which case only 'result.rule' can accurately point to the metadata for the rule). The 'ruleId' and 'ruleIndex' properties are shorter and just as clear.
+
+Do not specify the result object's 'analysisTarget' property unless it differs from the result location. The canonical scenario for using 'result.analysisTarget' is a C/C++ language analyzer that is instructed to analyze example.c, and detects a result in the included file example.h. In this case, 'analysisTarget' is example.c, and the result location is in example.h.</value>
   </data>
   <data name="SARIF2004_OptimizeFileSize_Warning_EliminateLocationOnlyArtifacts_Text" xml:space="preserve">
     <value>{0}: The 'artifacts' array contains no information beyond the locations of the artifacts. Removing this array might reduce the log file size without losing information. In some scenarios (for example, when assessing compliance with policy), the 'artifacts' array might be used to record the full set of artifacts that were analyzed. In such a scenario, the 'artifacts' array should be retained even if it contains only location information.</value>
@@ -360,4 +366,13 @@ This is part of a set of authoring practices that make your rule messages more r
   <data name="SARIF2007_ExpressPathsRelativeToRepoRoot_Warning_ExpressResultLocationsRelativeToMappedTo_Text" xml:space="preserve">
     <value>{0}: This result location does not provide any of the 'uriBaseId' values that specify repository locations: '{1}'. As a result, it will not be possible to determine the location of the file containing this result relative to the root of the repository that contains it.</value>
   </data>
+  <data name="SARIF2004_OptimizeFileSize_Warning_AvoidDuplicativeAnalysisTarget_Text" xml:space="preserve">
+    <value>{0}: The 'analysisTarget' property '{1}' is unnecessary because it is the same as the result location. Remove the 'analysisTarget' property.</value>
+  </data>
+  <data name="SARIF2004_OptimizeFileSize_Warning_AvoidDuplicativeResultRuleInformation_Text" xml:space="preserve">
+    <value>{0}: This result specifies both 'result.ruleId' and 'result.rule'. Prefer 'result.ruleId' because it is shorter and just as clear.</value>
+  </data>
+  <data name="SARIF2004_OptimizeFileSize_Warning_PreferRuleId_Text" xml:space="preserve">
+    <value>{0}: This result uses the 'rule' property to specify the rule metadata, but the 'ruleId' property suffices because the rule is defined by 'tool.driver'. Prefer 'result.ruleId' because it is shorter and just as clear.</value>
+  </data>
 </root>

src/Sarif.Multitool/Rules/SARIF2004.OptimizeFileSize.cs

@@ -41,20 +41,107 @@ public class OptimizeFileSize : SarifValidationSkimmerBase
         /// some scenarios (for example, when assessing compliance with policy), the 'artifacts' array
         /// might be used to record the full set of artifacts that were analyzed. In such a scenario,
         /// the 'artifacts' array should be retained even if it contains only location information.
+        /// 
+        /// In addition to the avoiding unnecessary arrays, there are other ways to optimize the
+        /// size of SARIF log files.
+        /// 
+        /// Prefer the result object properties 'ruleId' and 'ruleIndex' to the nested object-valued
+        /// property 'result.rule', unless the rule comes from a tool component other than the driver
+        /// (in which case only 'result.rule' can accurately point to the metadata for the rule).
+        /// The 'ruleId' and 'ruleIndex' properties are shorter and just as clear.
+        /// 
+        /// Do not specify the result object's 'analysisTarget' property unless it differs from the
+        /// result location. The canonical scenario for using 'result.analysisTarget' is a C/C++ language
+        /// analyzer that is instructed to analyze example.c, and detects a result in the included file
+        /// example.h. In this case, 'analysisTarget' is example.c, and the result location is in example.h.
         /// </summary>
         public override MultiformatMessageString FullDescription => new MultiformatMessageString { Text = RuleResources.SARIF2004_OptimizeFileSize_FullDescription_Text };
 
         protected override IEnumerable<string> MessageResourceNames => new string[] {
+            nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_AvoidDuplicativeAnalysisTarget_Text),
+            nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_AvoidDuplicativeResultRuleInformation_Text),
             nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_EliminateLocationOnlyArtifacts_Text),
-            nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_EliminateIdOnlyRules_Text)
+            nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_EliminateIdOnlyRules_Text),
+            nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_PreferRuleId_Text)
         };
 
         public override FailureLevel DefaultLevel => FailureLevel.Warning;
 
+        private string driverGuid;
+
         protected override void Analyze(Run run, string runPointer)
         {
             AnalyzeLocationOnlyArtifacts(run, runPointer);
             AnalyzeIdOnlyRules(run, runPointer);
+
+            this.driverGuid = run.Tool.Driver?.Guid;
+        }
+
+        protected override void Analyze(Result result, string resultPointer)
+        {
+            ReportUnnecessaryAnalysisTarget(result, resultPointer);
+            ReportRuleDuplication(result, resultPointer);
+        }
+
+        private void ReportRuleDuplication(Result result, string resultPointer)
+        {
+            if (result.Rule != null)
+            {
+                if (result.Rule.ToolComponent != null)
+                {
+                    if (result.Rule.ToolComponent.RefersToDriver(this.driverGuid))
+                    {
+                        // {0}: This result uses the 'rule' property to specify the rule
+                        // metadata, but the 'ruleId' property suffices because the rule
+                        // is defined by 'tool.driver'. Prefer 'result.ruleId' because it
+                        // is shorter and just as clear.
+                        LogResult(
+                            resultPointer,
+                            nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_PreferRuleId_Text));
+                    }
+                    else
+                    {
+                        if (!string.IsNullOrWhiteSpace(result.RuleId) || result.RuleIndex >= 0)
+                        {
+                            // {0}: This result specifies both 'result.ruleId' and 'result.rule'.
+                            // Prefer 'result.ruleId' because it is shorter and just as clear.
+                            LogResult(
+                                resultPointer,
+                                nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_AvoidDuplicativeResultRuleInformation_Text));
+                        }
+                    }                    
+                }
+                else
+                {
+                    // {0}: This result uses the 'rule' property to specify the rule
+                    // metadata, but the 'ruleId' property suffices because the rule
+                    // is defined by 'tool.driver'. Prefer 'result.ruleId' because it
+                    // is shorter and just as clear.
+                    LogResult(
+                        resultPointer,
+                        nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_PreferRuleId_Text));
+                }
+            }
+        }
+
+        private void ReportUnnecessaryAnalysisTarget(Result result, string resultPointer)
+        {
+            if (result.Locations != null && result.AnalysisTarget != null)
+            {
+                foreach (Location location in result.Locations)
+                {
+                    if (location?.PhysicalLocation?.ArtifactLocation?.Uri == result.AnalysisTarget.Uri)
+                    {
+                        // {0}: The 'analysisTarget' property '{1}' is unnecessary because it is the same as
+                        // the result location. Remove the 'analysisTarget' property.
+                        LogResult(
+                            resultPointer.AtProperty(SarifPropertyName.AnalysisTarget),
+                            nameof(RuleResources.SARIF2004_OptimizeFileSize_Warning_AvoidDuplicativeAnalysisTarget_Text),
+                            result.AnalysisTarget.Uri.OriginalString);
+                        break;
+                    }
+                }
+            }
         }
 
         private void AnalyzeLocationOnlyArtifacts(Run run, string runPointer)

src/Test.FunctionalTests.Sarif/Multitool/ValidateCommandTests.cs

@@ -121,15 +121,18 @@ public void SARIF1009_IndexPropertiesMustBeConsistentWithArrays_Valid()
 
         [Fact]
         public void SARIF1009_IndexPropertiesMustBeConsistentWithArrays_Invalid()
-            => RunTest(MakeInvalidTestFileName(RuleId.IndexPropertiesMustBeConsistentWithArrays, nameof(RuleId.IndexPropertiesMustBeConsistentWithArrays)));
+            => RunTest(MakeInvalidTestFileName(RuleId.IndexPropertiesMustBeConsistentWithArrays, nameof(RuleId.IndexPropertiesMustBeConsistentWithArrays)),
+                parameter: new TestParameters(configFileName: "disable2004.configuration.xml"));
 
         [Fact]
         public void SARIF1010_RuleIdMustBeConsistent_Valid()
-            => RunTest(MakeValidTestFileName(RuleId.RuleIdMustBeConsistent, nameof(RuleId.RuleIdMustBeConsistent)));
+            => RunTest(MakeValidTestFileName(RuleId.RuleIdMustBeConsistent, nameof(RuleId.RuleIdMustBeConsistent)),
+                parameter: new TestParameters(configFileName: "disable2004.configuration.xml"));
 
         [Fact]
         public void SARIF1010_RuleIdMustBeConsistent_Invalid()
-            => RunTest(MakeInvalidTestFileName(RuleId.RuleIdMustBeConsistent, nameof(RuleId.RuleIdMustBeConsistent)));
+            => RunTest(MakeInvalidTestFileName(RuleId.RuleIdMustBeConsistent, nameof(RuleId.RuleIdMustBeConsistent)),
+                parameter: new TestParameters(configFileName: "disable2004.configuration.xml"));
 
         [Fact]
         public void SARIF1011_ReferenceFinalSchema_Valid()

src/Test.FunctionalTests.Sarif/Test.FunctionalTests.Sarif.csproj

@@ -355,6 +355,9 @@
     <None Update="default.configuration.xml">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Update="disable2004.configuration.xml">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Update="disable2011.configuration.xml">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>

src/Test.FunctionalTests.Sarif/TestData/Multitool/ValidateCommand/ExpectedOutputs/SARIF1004.ExpressUriBaseIdsCorrectly_Invalid.sarif

@@ -365,7 +365,7 @@
             "arguments": [
               "runs[0].results[0].analysisTarget",
               "%SRCROOT%",
-              "file:///C:/src/file.c"
+              "file:///C:/src/file.h"
             ]
           },
           "locations": [

src/Test.FunctionalTests.Sarif/TestData/Multitool/ValidateCommand/ExpectedOutputs/SARIF1009.IndexPropertiesMustBeConsistentWithArrays_Invalid.sarif

@@ -40,6 +40,14 @@
                 "id": "WRN999.RuleExplicitlyDisabled"
               }
             },
+            {
+              "message": {
+                "text": "Rule 'SARIF2004' was explicitly disabled by the user. As result, this tool run cannot be used for compliance or other auditing processes that require a comprehensive analysis."
+              },
+              "descriptor": {
+                "id": "WRN999.RuleExplicitlyDisabled"
+              }
+            },
             {
               "message": {
                 "text": "Rule 'SARIF2006' was explicitly disabled by the user. As result, this tool run cannot be used for compliance or other auditing processes that require a comprehensive analysis."

src/Test.FunctionalTests.Sarif/TestData/Multitool/ValidateCommand/ExpectedOutputs/SARIF1010.RuleIdMustBeConsistent_Invalid.sarif

@@ -40,6 +40,14 @@
                 "id": "WRN999.RuleExplicitlyDisabled"
               }
             },
+            {
+              "message": {
+                "text": "Rule 'SARIF2004' was explicitly disabled by the user. As result, this tool run cannot be used for compliance or other auditing processes that require a comprehensive analysis."
+              },
+              "descriptor": {
+                "id": "WRN999.RuleExplicitlyDisabled"
+              }
+            },
             {
               "message": {
                 "text": "Rule 'SARIF2006' was explicitly disabled by the user. As result, this tool run cannot be used for compliance or other auditing processes that require a comprehensive analysis."

src/Test.FunctionalTests.Sarif/TestData/Multitool/ValidateCommand/ExpectedOutputs/SARIF1010.RuleIdMustBeConsistent_Valid.sarif

@@ -19,6 +19,14 @@
                 "id": "WRN999.RuleExplicitlyDisabled"
               }
             },
+            {
+              "message": {
+                "text": "Rule 'SARIF2004' was explicitly disabled by the user. As result, this tool run cannot be used for compliance or other auditing processes that require a comprehensive analysis."
+              },
+              "descriptor": {
+                "id": "WRN999.RuleExplicitlyDisabled"
+              }
+            },
             {
               "message": {
                 "text": "Rule 'SARIF2006' was explicitly disabled by the user. As result, this tool run cannot be used for compliance or other auditing processes that require a comprehensive analysis."