Releasing 4.0.0

[shaopeng-gh]

SARIF Package Release History (SDK, Driver, Converters, and Multitool)

v4.0.0 Sdk | Driver | Converters | Multitool | Multitool Library

• BRK: SarifLogger no longer allows providing a Tool instance. Use the run parameter instead (and populate it with any custom Tool object). #2614
• BRK: SarifLogger updates version details differently. #2611
• BRK: Add ToolComponent argument to IAnalysisLogger.Log(ReportingDescriptor, Result) method. #2611
• BRK: Rename --normalize-for-github argument to --normalize-for-ghas for convert command and mark --normalize-for-github as obsolete. #2581
• BRK: Update IAnalysisContext.LogToolNotification method to add ReportingDescriptor parameter. This is required in order to populated AssociatedRule data in Notification instances. The new method has an option value of null for the associatedRule parameter to maximize build compatibility. #2604
• BRK: Correct casing of LogMissingreportingConfiguration helper to LogMissingReportingConfiguration. #2599
• BRK: Change type of MaxFileSizeInKilobytes from int to long in IAnalysisContext and other classes. #2599
• BRK: For Guid properties defined in SARIF spec, updated Json schema to use uuid, and updated C# object model to use Guid? instead of string. #2555
• BRK: Mark AnalyzeCommandBase as obsolete. This type will be removed in the next significant update. #2599
• BRK: LogUnhandledEngineException no longer has a return value (and updates the RuntimeErrors context property directly as other helpers do). #2599
• BUG: Populate missing context region data for small, single-line scan targets. #2616
• BUG: Increase parallelism in MultithreadedAnalyzeCommandBase by correcting task creation. []Threading fixes #2618](Threading fixes #2618)
• BUG: Resolve hangs due to unhandled exceptions during multithreaded analysis file enumeration phase. #2599
• BUG: Resolve hangs due to unhandled exceptions during multithreaded analysis file hashing phase. #2600
• BUG: Another attempt to resolve 'InvalidOperationException' with message Collection was modified; enumeration operation may not execute in MultithreadedAnalyzeCommandBase, raised when analyzing with the --hashes switch. #2459. There was a previous attempt to fix this in #2447.
• BUG: Resolve issue where match-results-forward command fails to generate VersionControlDetails data. #2487
• BUG: Remove duplicated rule definitions when executing match-results-forward commands for results with sub-rule ids. #2486
• BUG: Update merge command to properly produce runs by tool and version when passed the --merge-runs argument. #2488
• BUG: Eliminate IOException and DirectoryNotFoundException exceptions thrown by merge command when splitting by rule (due to invalid file characters in rule ids). #2513
• BUG: Fix classes inside NotYetAutoGenerated folder missing virtual keyword for public methods and properties, by regenerate and manually sync the changes. #2537
• BUG: MSBuild Converter now accepts case insensitive keywords and supports PackageValidator msbuild log output. #2579
• BUG: Eliminate NullReferenceException when file hashing fails (due to file locked or other errors reading the file). #2596
• NEW: Provide PluginDriver property (AdditionalOptionsProvider) that allows additional options to be exported (typically for command-line arguments). #2599
• NEW: Provide LogFileSkippedDueToSize that fires a warning notification if any file is skipped due to exceeding size threshold. #2599
• NEW: Provide overridable ShouldEnqueue predicate method to filter files from driver processing. #2599
• NEW: Provide overridable ShouldComputeHashes predicate method to prevent files from hashing. #2601
• NEW: Allow external set of MaxFileSizeInKilobytes, which will allow SDK users to change the value. (Default value is 1024) #2578
• NEW: Add a Github validation rule GH1007, which requires flattened result message so GHAS code scanning can ingest the log. #2580
• NEW: Provide mechanism to populate SarifLogger with a FileRegionsCache instance.
• NEW: Allow initialization of file regions cache in InsertOptionalDataVisitor (previously initialized exclusively from FileRegionsCache.Instance).
• NEW: Provide 'RuleScanTimetrace and emitted timing data. ProvideScanExecution` trace with no utilization.
• NEW: Populate associated rule data in LogToolNotification as called from SarifLogger. #2604
• NEW: Add --normalize-for-ghas argument to the rewrite command to ensure rewritten SARIF is compatible with GitHub Advanced Security (GHAS) ingestion requirements. #2581
• NEW: Allow per-line rolling (partial) hash computation for a file. #2605
• NEW: SarifLogger now supports extensions rules data when logging (by providing a ToolComponent instance to the result logging method). #2661
• NEW: SarifLogger provides a ComputeHashData callback to provide hash data for in-memory scan targets. #2614
• NEW: Provide HashUtilities.ComputeHashes(Stream) and `ComputeHashesForText(string) helpers. #2614

[michaelcfanning]

**

What's going on here exactly? Why do we have an RC?

We need to pick a version (not pre-release) and ship it.

It can be 3.2 or it can be 4.0 (due to the large number of breaking changes).

In general, let's not create multiple PRs for package release. Create one and then let the review process tell you what's right.

@EasyRhinoMSFT, what's the call? 3.2 or 4.0? #Resolved

[shaopeng-gh]

Got it. I see his reply with 4.0, I will update it now.

[EasyRhinoMSFT]

I don't think there is anything with this that justifies a release candidate version. The SDK version is unrelated to BinSkim. As Michael noted this morning, what's in main is always release quality.

[michaelcfanning]

Sounds good, I'm happy with 4.0, there's a lot of update to this one. :)

[EasyRhinoMSFT]

👍

---

In reply to: 1439215041

[EasyRhinoMSFT]

@michaelcfanning are you happy with this?

[michaelcfanning]