Fix #9972 (Add support for SARIF output format) #6863
Conversation
|
There is no testing yet. I will see if I can integrate it into github. |
|
@mario-campos would you be interested to test/review this Cppcheck SARIF output? |
4651: very related but this is a simpler approach. 3365: I don't think this is related to the uniq/append output. |
|
I believe that we can output findings directly btw. We don't have to construct the complete report at the end. However I am not sure if that will be very useful anyway, the report is so verbose I don't think anybody would like to read the sarif output "live". I believe a minimal SARIF header would be: |
danmar
force-pushed
the
fix-9972-2
branch
2 times, most recently
from
a9065ff
to
a798d28
Compare
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -0,0 +1,6 @@ | |||
|
|
|||
| void foo(int x) { | |||
| if (x >= 0 || x <= 10) {} | |||
Check warning
Code scanning / Cppcheck
Logical disjunction always evaluates to true: x >= 0 || x <= 10.
|
There is an experimental SARIF upload here: |
|
@danmar, sure. I can take a look at it later today. |
There was a problem hiding this comment.
Looks great!! Can't wait to see this merged!
I left a few comments about some missing SARIF properties, which GitHub requires. I think it would be a good idea to implement them, because I think someone will eventually try to upload the SARIF file to GitHub expecting it to work.
cli/cppcheckexecutor.cpp
Outdated
| picojson::array serializeRules() const { | ||
| picojson::array ret; | ||
| std::set<std::string> ruleIds; | ||
| for (const auto& finding : mFindings) { | ||
| if (ruleIds.insert(finding.id).second) { | ||
| picojson::object rule; | ||
| rule["id"] = picojson::value(finding.id); | ||
| picojson::object shortDescription; | ||
| shortDescription["text"] = picojson::value(finding.shortMessage()); | ||
| rule["shortDescription"] = picojson::value(shortDescription); | ||
| ret.emplace_back(rule); | ||
| } | ||
| } | ||
| return ret; | ||
| } |
There was a problem hiding this comment.
serializeRules() does not serialize the rule's fullDescription.text nor its help.text, which are both required*. See reportingDescriptor object specification.
Also, while not required, it would be nice to see the severity (properties.problem.severity) implemented as well.
* These properties are required by GitHub's Code scanning platform, not necessarily the SARIF specification.
cli/cppcheckexecutor.cpp
Outdated
| picojson::array serializeResults() const { | ||
| picojson::array results; | ||
| for (const auto& finding : mFindings) { | ||
| picojson::object res; | ||
| res["level"] = picojson::value(sarifLevel(finding.severity)); | ||
| if (!finding.callStack.empty()) | ||
| res["locations"] = picojson::value(serializeLocations(finding)); | ||
| picojson::object message; | ||
| message["text"] = picojson::value(finding.shortMessage()); | ||
| res["message"] = picojson::value(message); | ||
| res["ruleId"] = picojson::value(finding.id); | ||
| results.emplace_back(res); | ||
| } | ||
| return results; | ||
| } |
There was a problem hiding this comment.
This function does not implement the required* partialFingerprints property, which is used to prevent creating duplicate alerts for the same vulnerability/finding. See result object specification.
* These properties are required by GitHub's Code scanning platform, not necessarily the SARIF specification.
There was a problem hiding this comment.
Also, the locations property is required (by GitHub), so maybe consider hoisting up the if (!finding.callStack.empty()) condition to the for loop, so that if there are no locations, the alert is not serialized.
cli/cppcheckexecutor.cpp
Outdated
| picojson::object region; | ||
| region["startLine"] = picojson::value(static_cast<int64_t>(location.line)); | ||
| region["startColumn"] = picojson::value(static_cast<int64_t>(location.column)); | ||
| physicalLocation["region"] = picojson::value(region); |
There was a problem hiding this comment.
Missing required* properties region.endLine and region.endColumn. See physicalLocation object specification.
* These properties are required by GitHub's Code scanning platform, not necessarily the SARIF specification.
|
@mario-campos thanks for the comments. Can you please check again? Example output: |
|
@mario-campos please take an extra careful look on the |
There was a problem hiding this comment.
Nice job! A few more finishing touches.
Also, you can validate the SARIF file at https://sarifweb.azurewebsites.net/. I've already submitted it and there's a few "issues" but I wouldn't worry about them. According to the docs, they're not required.
Co-authored-by: Mario Campos <[email protected]>
Co-authored-by: Mario Campos <[email protected]>
Co-authored-by: Mario Campos <[email protected]>
|
@mario-campos I merged it now. but please feel free to provide additional advice if there is something we can fix.. |
Co-authored-by: Mario Campos <[email protected]>
No description provided.