Add new visitor to get deterministic SARIF log by sorting results

[yongyan-gh]

Description

Some static analysis tools generate non-deterministic SARIF results, means if scan the same targets multiple times, the same issues are detected, but in each output SARIF file the entities in collection (e.g. rules/results/locations) are arranged in random order. It causes the issues for the users want to check if 2 SARIF results present the same set of issues by comparing them using bitwise diff tools.

Fixes

• Implement Comparer classes derived from IComparer interface for relevant SARIF entities.
• Implement Visitor to sort the entities using the comparers and handle index remapping when traversing the SARIF log.
• Add an option in rewrite command to sort the entities in the log and output deterministic SARIF log.

Can get sorted results by adding --sort-results to rewrite command.

This is a short term fix so that the customers can have their issue resolved asap. The comprehensive solution will be auto-generated Comparer implementation code by JSchema for all the SARIF entities instead of handwritten Comparer code.

[marmegh]

I see several instances where using System.Linq is greyed out in VS, can you double check where this is actually needed and remove any unnecessary? #Resolved

[yongyan-gh]

It is required in this file, checked other files and removed the unnecessary using.

[shaopeng-gh]

Compare

qurestion about design, do we need to compare all fields?
I see a few fields is not included like Relationships,MessageStrings

#Closed

[yongyan-gh]

This solution is a short term fix to help resolving issues some tools (E.g. PREfast) generate non-deterministic results for same targets run-over-run asap.

It mainly focus on relevant types cause the non-determinisms we observed in the sample/test SARIF files.

To compare all the fields we need to manually implement IComparer for all SARIF types. E.g. if compare Relationships, RelationshipComparer need to be implemented.

In planned comprehensive solution, we will update JSchema to automatically generates IComparer code for all SARIF types instead of these hand-written code, at that time we will make sure all types are used for comparing. Created issue #2424 for tracking.

[shaopeng-gh]

thanks for the detail explain.

[shaopeng-gh]

new []

should do a auto format code for all the files to keep it consistent, I tried no need space is the recommended one. #Resolved

[yongyan-gh]

which tool do you use? I ran dotnet format before commit, it didn't catch all of these additional spaces.

[shaopeng-gh]

in VS right click file -> code clean up with the default profile.

[shaopeng-gh]

Instance

not sure, should we also start with s_ since it is static #Closed

[yongyan-gh]

it's a public (internal) member. It should match naming convention: "All visible static member names are pascal cased."

[shaopeng-gh]

[eddynaka]

TryGetValue

replace this by a containskey.
this will prevent u from allocating the index. #Resolved

[eddynaka]

TryGetValue

same here. replace this for containskey #Resolved

[shaopeng-gh]

// create a test sarif log

I got a note from Michael in one of my PR that,
comments should be like a sentence start with Capital and ends with a ending.

But that was on a header of a method, not sure if also applies here?
#Resolved

[michaelcfanning]

Yes, this note applies. This is not a helpful comment in any case.

[michaelcfanning]

Can you define a helper for this? #Resolved

[yongyan-gh]

Moved to the common method in ComparerHelper

[michaelcfanning]

left.Hashes.ElementAt(i)

is this an n^2 access pattern? ouch. #Resolved

[yongyan-gh]

fixed. new implementation in ComparerHelper.CompareDictionary(...)

[michaelcfanning]

index_1

index_1? let's leave underscores out of this. :) #Resolved

[michaelcfanning]

ReportingConfigurationSortingComparer

How about we call this 'ReportingConfigurationComparer' #Resolved

[yongyan-gh]

Updated all comparers class name to {typename}Comparer

[michaelcfanning]

ConcurrentDictionary

If you are proposing to make this thread-safe, write a test to prove it. #Resolved

[yongyan-gh]

Visitor traverses entire Sarif log by properties in certain order. I could not think multi threads scenario for this. If its true I will change it to normal dictionary.

[yongyan-gh]

changed to Dictioanry<>

[michaelcfanning]

IDictionary

Stop using IDictionary if you want a perf micro-optimization (so you can use TryUpdate...) #Resolved

[yongyan-gh]

changed to Dictionary

[yongyan-gh]

Add code coverage data:

[michaelcfanning]

refences

'references'. #Resolved

[michaelcfanning]

Compare

These comment needs editing, for grammatical correctness and clarity.

[yongyan-gh]

Worked with Courtney got all user facing strings reviewed

[michaelcfanning]

how is this getting compiled? where? who can see your comment outside this source file?

otherwise convert this comment to a regular comment and make sure it's useful. #Resolved

[yongyan-gh]

IDE intellisense shows this comment for people wants to call it. I d like to keep the comment for this method since it has some behaviors cannot tell by just signatures.
Removed comments for other methods in this file.

[yongyan-gh]

changed to normal comments since its internal class its no visible outside of Sarif.Sdk

[michaelcfanning]

CompareReference

Rename this to 'TryCompare'.

This is internal code, so you could also return a nullable int. If it's null, no result.

[yongyan-gh]

renamed.
to be consistent with other compares method i d like to return int instead of nuallable int. what do you think?

[michaelcfanning]

ComparerHelper

Perhaps create class named ComparerExtensions.cs?

with extension methods.

public static bool TryCompare(this object left, object right, out int result)

[yongyan-gh]

Changed from helper methods to extension methods.
Renamed this method to 'TryReferenceCompares', following .net "ReferenceEquals" naming

[michaelcfanning]

unnecessary assignment here. #Resolved

[michaelcfanning]

compareFunc

Can you use a more descriptive name here? How about 'compareFunction'? #Resolved

[michaelcfanning]

if (left.TryReferenceCompare(right, out result))
{
return result;
}

if ((object)left.TryReferenceCompare((object)right, out result))
{
return result;
}

    #Resolved

[michaelcfanning]

internal

All of these classes s/be public?

[yongyan-gh]

was following the same pattern of Sarif SDK's EqualityComparers. The EqualityComparer class is internal and have a public reference in Sarif types, e.g.
public static IEqualityComparer ValueComparer => ArtifactLocationEqualityComparer.Instance;

[michaelcfanning]

CompareList__Shuffle_Tests

two underscores '__' in this name? #Resolved

[michaelcfanning]

CompareList__Shuffle_Tests

Go make this test fail. Show us the test output that makes it easy for a developer to repro the failure, using the random seed that generated the failing case.

[yongyan-gh]

Random object created with RandomSarifLogGenerator.GenerateRandomAndLog logs the seed in test output. Below is an example:

[xUnit.net 00:00:25.02]     Microsoft.CodeAnalysis.Test.UnitTests.Sarif.Comparers.ComparersTests.CompareList_Shuffle_Tests [FAIL]
  Failed Microsoft.CodeAnalysis.Test.UnitTests.Sarif.Comparers.ComparersTests.CompareList_Shuffle_Tests [203 ms]
  Error Message:
   Expected result to be 0, but found -1.
  Stack Trace:
     at FluentAssertions.Execution.XUnit2TestFramework.Throw(String message)
   at FluentAssertions.Execution.TestFrameworkProvider.Throw(String message)
   at FluentAssertions.Execution.DefaultAssertionStrategy.HandleFailure(String message)
   at FluentAssertions.Execution.AssertionScope.FailWith(Func`1 failReasonFunc)
   at FluentAssertions.Execution.AssertionScope.FailWith(Func`1 failReasonFunc)
   at FluentAssertions.Execution.AssertionScope.FailWith(String message, Object[] args)
   at FluentAssertions.Numeric.NumericAssertions`1.Be(T expected, String because, Object[] becauseArgs)
   at Microsoft.CodeAnalysis.Test.UnitTests.Sarif.Comparers.ComparersTests.CompareList_Shuffle_Tests() in C:\repo\github.com\sarif-sdk\src\Test.UnitTests.Sarif\Comparers\ComparersTests.cs:line 40
  Standard Output Messages:
 TestName: CompareList_Shuffle_Tests has seed 727824218

Also updated the RandomSarifLogGenerator.GenerateRandomAndLog to accept a specific seed so dev can easily reuse the seed in the failed case:
Random random = RandomSarifLogGenerator.GenerateRandomAndLog(this.output, seed: 727824218);

[michaelcfanning]

[yongyan-gh]

CodeQL reported 1 error and 1 warning both are false-positive.

• Error: Dereferenced variable is always null
  

  sarif-sdk/src/Test.UnitTests.Sarif/Comparers/ComparersTests.cs

  Lines 57 to 61 in c8ef19d

  	IList<int> list1 = null;
  	IList<int> list2 = null;
  	list1.ListCompare(list2).Should().Be(0);
  	list2.ListCompare(list1).Should().Be(0);

  
  The ListCompare() method is an extension method, it handles the case that extended type is null.

• Warning: Useless upcast
  

  sarif-sdk/src/Test.UnitTests.Sarif.Multitool/RewriteCommandTests.cs

  Lines 121 to 133 in c8ef19d

  	new {
  	Title = "fail case: argument value not provided",
  	Args = new string[] {
  	"test.sarif",
  	"--output",
  	"updated.sarif",
  	"--remove",
  	"--sort-results",
  	"--force"
  	},
  	Valid = false,
  	ExpectedOptions = (RewriteOptions)null,
  	},

  
  Because it instantiates an anonymous object, have to explicitly cast null to specific type for an anonymous type

[lgtm-com]

This pull request introduces 1 alert when merging f18e005 into bedc46e - view on LGTM.com

new alerts:

• 1 for Dereferenced variable may be null