microsoft / infersharpaction

About Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null dereferences, resource leaks, and thread-safety violations. It also performs taint flow tracking to detect critical security vulnerabilities like SQL injections.

License: MIT License

Languages: Dockerfile 5.16%, Shell 94.84%

infersharpaction's Issues

Suggestion: record a link to third party libraries if they are available

I have one example of code scan results that point to a third-party library. The results can be seen at https://github.com/lumoin/Verifiable/pull/48/checks?check_run_id=4552813964.

Clicking on one of them shows the library and path, e.g. https://github.com/lumoin/Verifiable/security/code-scanning/52?query=ref%3Arefs%2Fpull%2F48%2Fmerge+ref%3Arefs%2Fpull%2F48%2Fhead+ref%3Arefs%2Fheads%2Fadd-infersharp.

This is likely a long-shot one, but it occurred to me I could record it as a suggestion to link to third-party repositories if the source is available (e.g. via Source Link or via search APIs).

Here is also a screenshot if the links here become unavailable in the future.

Redundant files

There are redundant source-related files inside your docker image. For example, .git folder (which has all tracked sources).

Unable to get job output

I tried

            - name: Run Infer#
              id: runinfersharp
              uses: microsoft/[email protected]
              with:
                  binary-path: .
            - name: Write Infer# analysis results
              run: echo "${{join(steps.runinfersharp.outputs.*, '\n')}}" >> report.txt

Doesn't work.

Feature request: SARIF format support

Hello dear community,

It seems that at the moment the output format for the GitHub action is hard-coded to txt. It would be more valuable to support a SARIF option as well, as this is the main format for GitHub Security Center support.

As far as I can see both Infer and Infer# support this as an option; however, it is not exposed as part of this action. It could surely be added to the script that is used under the hood of the action.

I would propose this feature to be added to the GitHub action as it will bring a lot of value to the consumers.

Thanks.

Planning to upgrade logo on GitHub Marketplace to Microsoft logo by end of May 2021

Exception while analyzing a project: Cilsil.Services.ServiceExecutionException: Popping on empty stack at method

I added infer# to my project as a GitHub action.

There are lots of messages about "Unable to parse instruction xxx" and "More than two space-separated tokens in xxx", and there is one exception at the end:

Unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> Cilsil.Services.ServiceExecutionException: Popping on empty stack at method: System.Void modreq(System.Runtime.CompilerServices.IsExternalInit) modreq(System.Runtime.CompilerServices.IsExternalInit) Meziantou.Framework.StronglyTypedId.StronglyTypedIdSourceGenerator$StronglyTypedStruct::set_ContainingSymbol(Microsoft.CodeAnalysis.ISymbol) instruction: IL_0007: ret location: Line 978
   at Cilsil.Utils.ProgramState.Pop() in /app/Cilsil/Utils/ProgramState.cs:line 241
   at Cilsil.Cil.Parsers.RetParser.ParseCilInstructionInternal(Instruction instruction, ProgramState state) in /app/Cilsil/Cil/Parsers/RetParser.cs:line 18
   at Cilsil.Cil.Parsers.InstructionParser.ParseCilInstruction(Instruction instruction, ProgramState state) in /app/Cilsil/Cil/Parsers/InstructionParser.cs:line 84
   at Cilsil.Services.CfgParserService.ComputeMethodCfg(MethodDefinition method) in /app/Cilsil/Services/CfgParserService.cs:line 113
   at Cilsil.Services.CfgParserService.Execute() in /app/Cilsil/Services/CfgParserService.cs:line 49
   at Cilsil.Program.ExecuteTranslation(String[] paths, String printprocs) in /app/Cilsil/Program.cs:line 123
   at Cilsil.Program.Translate(String[] paths, String printprocs, String outcfg, String cfgtxt, String outtenv, String dot) in /app/Cilsil/Program.cs:line 95
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Delegate.DynamicInvokeImpl(Object[] args)
   at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
   at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass2_0.<<InvokeAsync>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<UseParseErrorReporting>b__16_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c__DisplayClass8_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<UseSuggestDirective>b__7_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<UseParseDirective>b__6_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<UseHelp>b__14_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass3_0.<<UseVersionOption>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<RegisterWithDotnetSuggest>b__17_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c__DisplayClass5_0.<<UseExceptionHandler>b__0>d.MoveNext()

Is there something wrong in my CI or is it a bug in infer#?

Where are the binary files supposed to be

Hello,

I've just tested the GitHub action with this piece of code

      - name: Run Infer#
        uses: microsoft/[email protected]
        id: runinfersharp
        with:
          binary-path: ${{ env.PUBLISH_WEBSITE }}
      - name: Infer# analysis results
        run: echo "${{ steps.runinfersharp.outputs.results }}"
        
      - name: Zip Website
        run: pushd ${{ env.PUBLISH_WEBSITE }}; zip -r ${{ env.PUBLISH_WEBSITE_ZIP }} .; popd

Where ${{ env.PUBLISH_WEBSITE }} equals:

    env:
      BUILD_CONFIGURATION: Release
      PUBLISH_WEBSITE: ${{ github.workspace }}/artifacts/Website

Looking at the logs I have this error:

cp: cannot stat '/home/runner/work/MyWebsite/MyWebsite/artifacts/Website': No such file or directory
Timed out methods: 0
Unknown instructions:

I'm sure the DLLs are there and the directory exists, because this is the pipeline I use to deploy my web app.

Have I missed something from the doc?

Unable to upload "infer-out/report.sarif" as it is not valid SARIF - startColumn/startLine must have a minimum value of 1

After running the microsoft/[email protected] action and trying to upload the report generated to GitHub using the github/codeql-action/upload-sarif@v2 action the following error is displayed:

**Stack trace**


Unable to upload "infer-out/report.sarif" as it is not valid SARIF:
Error details: instance.runs[0].results[1].codeFlows[0].threadFlows[0].locations[2].location.physicalLocation.region.startColumn must have a minimum value of 1
  {
    "property": "instance.runs[0].results[1].codeFlows[0].threadFlows[0].locations[2].location.physicalLocation.region.startColumn",
    "message": "must have a minimum value of 1",
    "schema": {
      "description": "The column number of the first character in the region.",
      "type": "integer",
      "minimum": 1
    },
    "name": "minimum",
    "argument": 1,
    "stack": "instance.runs[0].results[1].codeFlows[0].threadFlows[0].locations[2].location.physicalLocation.region.startColumn must have a minimum value of 1"
  }

This also happens for the following JSON Path: instance.runs.results.locations.physicalLocation.region.startLine, for example.

To bypass this error we have a temporary workaround:

  1. run Infer tool using microsoft/[email protected] action
  2. run a custom step to fix SARIF report
  3. upload the resulting report (from previous step) into GitHub using github/codeql-action/upload-sarif@v2 action.

The custom step enumerated in 2. just checks whether the paths having trouble have a value equal to zero and, if so, overwrites it with 1 and then saves a new report with these overwritten values.

An example of the SARIF report generated with this kind of errors:

{
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Infer",
          "informationUri": "https://github.com/facebook/infer",
          "version": "1.1.0",
          "rules": [
            {
              "id": "PULSE_RESOURCE_LEAK",
              "shortDescription": {
                "text": "Pulse Resource Leak"
              },
              "helpUri": "https://fbinfer.com/docs/next/all-issue-types#pulse_resource_leak"
            }
          ]
        }
      },
      "results": [
        {
          "message": {
            "text": "Resource dynamically allocated by constructor (...) on line 16 is not closed after the last access at line 16, column 15."
          },
          "level": "error",
          "ruleId": "PULSE_RESOURCE_LEAK",
          "codeFlows": [...],
          "locations": [...]
        },
        {
          "message": {
            "text": "Resource dynamically allocated by constructor (...) on line 56 is not closed after the last access at line 16707566, column 0."
          },
          "level": "error",
          "ruleId": "PULSE_RESOURCE_LEAK",
          "codeFlows": [
            {
              "threadFlows": [
                {
                  "locations": [ 
                    {},
                    {},
                    {
                      "nestingLevel": 0,
                      "location": {
                        "physicalLocation": {
                          "artifactLocation": {
                            "uri": "Something.cs",
                            "uriBaseId": "Something.cs"
                          },
                          "region": {
                            "startLine": 16707566,
                            "startColumn": 0
                          }
                        },
                        "message": {
                          "text": "memory becomes unreachable here"
                        }
                      }
                    }
                  ]
                }
              ]
            }
          ],
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                    "uri": "Something.cs",
                    "uriBaseId": "Something.cs"
                },
                "region": {
                  "startLine": 16707566,
                  "startColumn": 0
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
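The custom fix-up step from the workaround above, written out as an added example that is not code from the issue or from the Infer# project: a walker over the whole SARIF document that clamps any region startLine/startColumn below 1 up to 1 and returns the JSON paths it touched, in the same notation as the upload-sarif error, so the CI log records what was patched. The sample report is a constructed, trimmed copy of the shape quoted in the issue; the file names and field set are assumptions.

```python
import json


def sample_report() -> dict:
    """Constructed, trimmed copy of the report shape quoted in the issue."""
    return {"version": "2.1.0", "runs": [{"results": [{
        "ruleId": "PULSE_RESOURCE_LEAK",
        "codeFlows": [{"threadFlows": [{"locations": [
            {},
            {"location": {"physicalLocation": {
                "artifactLocation": {"uri": "Something.cs"},
                "region": {"startLine": 16707566, "startColumn": 0}}}},
        ]}]}],
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "Something.cs"},
            "region": {"startLine": 0, "startColumn": 0}}}],
    }]}]}


# SARIF 2.1.0 requires these region fields to be >= 1 whenever present.
REGION_FIELDS = ("startLine", "startColumn")


def fix_regions(node, path="instance") -> list:
    """Walk the whole report and clamp region fields below 1 up to 1.
    Returns the JSON paths rewritten, in the same notation the
    upload-sarif error uses, so the CI log shows what was patched."""
    fixed = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "region" and isinstance(value, dict):
                for field in REGION_FIELDS:
                    if isinstance(value.get(field), int) and value[field] < 1:
                        value[field] = 1
                        fixed.append(f"{child}.{field}")
            fixed.extend(fix_regions(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            fixed.extend(fix_regions(item, f"{path}[{index}]"))
    return fixed


def fix_sarif_file(src, dst) -> list:
    """Patch src (e.g. infer-out/report.sarif) into dst for upload-sarif."""
    with open(src, encoding="utf-8") as fh:
        report = json.load(fh)
    fixed = fix_regions(report)
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    return fixed
```

The out-of-range 16707566 line number is deliberately left alone: the schema only enforces the minimum, so that result uploads but points at no real line, which is worth surfacing in the log rather than silently accepting.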

Analyzer fails to build container

When trying to use this action I get the following:

Build container for action use: '/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta/Dockerfile'.
/usr/bin/docker build -t 3888d3:59e75f2b20424588af762728dae4f8b8 -f "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta/Dockerfile" "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta"
pull access denied for xinshi/csharpcodeanalyzer, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Sending build context to Docker daemon  60.93kB

Step 1/3 : FROM xinshi/csharpcodeanalyzer:3721994-g1f43701f1f1b62a54e21600c4b3bf788082d64c2
##[warning]Docker build failed with exit code 1, back off 7.787 seconds before retry.
/usr/bin/docker build -t 3888d3:59e75f2b20424588af762728dae4f8b8 -f "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta/Dockerfile" "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta"
Sending build context to Docker daemon  60.93kB

pull access denied for xinshi/csharpcodeanalyzer, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Step 1/3 : FROM xinshi/csharpcodeanalyzer:3721994-g1f43701f1f1b62a54e21600c4b3bf788082d64c2
##[warning]Docker build failed with exit code 1, back off 9.625 seconds before retry.
/usr/bin/docker build -t 3888d3:59e75f2b20424588af762728dae4f8b8 -f "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta/Dockerfile" "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta"
Sending build context to Docker daemon  60.93kB

Step 1/3 : FROM xinshi/csharpcodeanalyzer:3721994-g1f43701f1f1b62a54e21600c4b3bf788082d64c2
pull access denied for xinshi/csharpcodeanalyzer, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
##[error]Docker build failed with exit code 1
