
sarif-azuredevops-extension's Introduction

SARIF SAST Scans Tab

See vss-extension.md for public facing info. This is for contributors/developers.

Development: DevOps Dev

  • npm run publish-dev
  • go to: https://dev.azure.com/jeffkingms/Project%20Zero/_workitems/edit/1/

Development: DevOps BaseUri

  • npm run publish-dev with baseUri
  • go to: https://localhost:8080 and bypass the Chrome certificate warning (the dev server uses a self-signed certificate).
  • go to: https://dev.azure.com/jeffkingms/Project%20Zero/_workitems/edit/1/

Deployment

Verify that the version property in vss-extension.prod.json has been incremented. If not, you risk overwriting an already published vsix.

npx webpack
npx tfx extension create --output-path vsix --overrides-file vss-extension.prod.json

This creates a file in your ./vsix folder named sariftools.scans-0.1.0.vsix (version number will differ).

Upload the vsix file to https://marketplace.visualstudio.com/manage/publishers/YOUR_PUBLISHER_ID. On that page, find the matching extension, choose ⋯, and choose Update.

Remember to commit any vss-extension.json version changes.
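A pre-publish check for the version step above, written as an added example (it is not part of the extension's own scripts). It parses the manifest's version property and refuses to proceed unless it is strictly greater than the last published version; the manifest content and the "last published" value are constructed placeholders.

```typescript
// Added example, not part of sarif-azuredevops-extension: guard against
// re-creating a vsix with a version that was already published.

function parseSemver(v: string): [number, number, number] {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim())
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`)
  return [Number(m[1]), Number(m[2]), Number(m[3])]
}

// Numeric, component-wise comparison (so 0.10.0 > 0.9.0, unlike a string compare).
function compareSemver(a: string, b: string): number {
  const pa = parseSemver(a)
  const pb = parseSemver(b)
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1
  }
  return 0
}

// True only if the manifest's "version" is higher than the last published version.
function versionIsIncremented(manifestJson: string, lastPublished: string): boolean {
  const manifest = JSON.parse(manifestJson) as { version?: string }
  if (!manifest.version) throw new Error('manifest has no "version" property')
  return compareSemver(manifest.version, lastPublished) > 0
}

// Constructed stand-in for vss-extension.prod.json; the real file has more properties.
const SAMPLE_MANIFEST = JSON.stringify({ id: 'scans', version: '0.1.1' })
const LAST_PUBLISHED = '0.1.0' // constructed: read this from the marketplace listing

console.log('safe to create vsix:', versionIsIncremented(SAMPLE_MANIFEST, LAST_PUBLISHED))
```

Run it before `npx tfx extension create`; when it reports false, bump the version in vss-extension.prod.json and commit the change first.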

New API

import('azure-devops-extension-sdk').init() results in "No handler found on any channel for message" and "Error: Cannot get registered instance for : JeffKingO.scans-dev.workitem-tab"

import * as SDK from 'azure-devops-extension-sdk'
import { IWorkItemFormService, WorkItemTrackingServiceIds } from 'azure-devops-extension-api/WorkItemTracking'

// Static import of the SDK; `loaded: true` tells the host the contribution is ready to show.
SDK.init({
	applyTheme: true,
	loaded: true,
})
;(async () => {
	// Wait for the handshake with the host frame before requesting any service.
	await SDK.ready()
	console.info('Version', SDK.getExtensionContext().version)

	// Resolve the work item form service and list the relations of the current work item.
	const workItem = await SDK.getService<IWorkItemFormService>(WorkItemTrackingServiceIds.WorkItemFormService)
	const relations = await workItem.getWorkItemRelations()
	console.log(relations)
})()

sarif-azuredevops-extension's People

Contributors: 50wliu, dependabot[bot], easyrhinomsft, jeffersonking, michaelcfanning, microsoft-github-policy-service[bot], nwcm, tbreckle


sarif-azuredevops-extension's Issues

Not getting any results on the scan tab of Azure DevOps Build (SARIF Scan View is empty)

We have successfully installed the SARIF Scan extension for our ADO organization but it's not showing any result on the scan tab of Azure DevOps Build. Could you please guide if we are missing something here. Please let me know if you need any additional information.

Note: the Microsoft Security DevOps extension task is part of the build pipeline and the build is successful without any issue.

How to set Scan Tab Header Titles

In our project we are doing many sarif scans: trivy + hadolint for every container we are going to build.
All sarif files end up in CodeAnalysisLogs with their respective names, e.g. hadolint-{containerName}.sarif or trivy-{containerName}.sarif.

But in the Scans Tab their accordions are listed only like this:
(screenshot)

What's the cause of it?

Description of how the filters (Unchanged, New, ...) work

We started to use this extension and we like it so far.

Now we would like e.g. to see which new findings have been introduced and we have seen the "Baseline" filters on the view.

If I am using the filter "New", against which baseline of findings are the current findings being compared?

What is the definition of baseline?

SARIF View is empty after Upgrade to 0.5.0

Azure DevOps Service automatically upgrades SARIF to 0.5.0. Now the SARIF View stays empty. It doesn't matter if filters are set or unset.

(screenshots: Scans tab, 2023-05-22)

For me, the console output is not helpful, but maybe someone here is able to debug using this little information:

(screenshot: browser console, 2023-05-22)

SARIF SAST Scans Tab not showing scan results

Hi, I added the Microsoft Security DevOps task and installed SARIF SAST Scans Tab. I can see the artifacts that are getting generated with the extension msdo.sarif, but I am not seeing any output in the Scans tab. It shows a blank page. Could you please help us on this?

How to check or read a SARIF file for any vulnerabilities found or not found during code scanning

Hello,

I wanted to find out if there is a way to check/read the SARIF file regarding the detection of any vulnerabilities in a pipeline run?

To provide some context I have implemented GHAS for Azure DevOps in all my yaml pipelines and I would like to use a condition or set some checks in the same pipeline to check whether or not the Advanced Security Perform CodeQL analysis task has detected any vulnerabilities and depending on whether or not there are vulnerabilities detected I can choose to run or skip a subsequent task(s) in the same pipeline, or, for example, force the pipeline to complete with issues etc. There does not seem to be any sort of 'out of the box' way to do this.

I noticed that whether or not the task has found any vulnerabilities, the task has a built-in variable which it always sets to 'true', and it will publish a SARIF file (variable shown below). In the scans tab of the pipeline, if no vulnerabilities are detected, it will display a "No results found..." image. It would have been great if that variable would be set to false if no vulnerabilities were found as I could use that to determine whether or not to run or skip a subsequent task(s) in the same pipeline.

##[debug]Processed: ##vso[task.setvariable variable=advancedsecurity.codeql.results.published;isOutput=false;issecret=false;]true

To better explain what I am trying to achieve: I am currently doing something similar with the Advanced Security Dependency Scanning task, whereby I am reading the log file from the task, which actually states if any vulnerabilities have been found. For example, the log file contains the below if vulnerabilities have been found:

[WRN] Dependency Scanning has detected

Depending on whether or not the Advanced Security Dependency Scanning task has detected any vulnerabilities, I can set a custom variable which I can use in subsequent task(s) in the same pipeline, for example, forcing the pipeline to complete with issues if there are any dependency vulnerabilities detected.

If you can provide any ideas on how I can achieve what I am trying to do that will be greatly appreciated.

Apologies if I have not raised this in the correct place. If you can redirect me that would be great.

Thank you.
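The two questions above (which baseline the "New" filter refers to, and how to gate later pipeline tasks on whether a scan produced results) both come down to reading the SARIF log itself. The following is an added example, not code from the extension or from either issue author: it tallies the results of a SARIF 2.1.0 log by level and by the per-result baselineState property that SARIF defines (new, unchanged, updated, absent), and builds the `##vso[task.setvariable ...]` logging command a pipeline script prints so that a later task can condition on the count. The SARIF document, the tool name and the variable names are constructed for illustration; how baselineState gets populated depends on the scanner, which is an assumption to check against your tool's documentation.

```typescript
// Added example, not part of sarif-azuredevops-extension: summarize a SARIF log
// and expose the counts to later Azure Pipelines tasks.

interface SarifResult {
  ruleId?: string
  level?: 'none' | 'note' | 'warning' | 'error'
  baselineState?: 'new' | 'unchanged' | 'updated' | 'absent'
  message?: { text?: string }
}

interface SarifLog {
  version: string
  runs: Array<{ tool: { driver: { name: string } }; results?: SarifResult[] }>
}

interface SarifSummary {
  total: number
  byLevel: Record<string, number>
  byBaseline: Record<string, number>
  tools: string[]
}

// Parse a SARIF log and tally its results. Results whose baselineState is
// "absent" are counted under byBaseline but excluded from total and byLevel:
// they existed in the baseline and are gone from this run.
function summarizeSarif(sarifJson: string): SarifSummary {
  const log = JSON.parse(sarifJson) as SarifLog
  if (typeof log.version !== 'string' || !log.version.startsWith('2.1')) {
    throw new Error(`unsupported SARIF version: ${log.version}`)
  }
  const summary: SarifSummary = { total: 0, byLevel: {}, byBaseline: {}, tools: [] }
  for (const run of log.runs ?? []) {
    summary.tools.push(run.tool.driver.name)
    for (const r of run.results ?? []) {
      const level = r.level ?? 'warning' // SARIF's default when level is omitted
      const baseline = r.baselineState ?? 'unspecified' // property is optional
      summary.byBaseline[baseline] = (summary.byBaseline[baseline] ?? 0) + 1
      if (baseline === 'absent') continue
      summary.total++
      summary.byLevel[level] = (summary.byLevel[level] ?? 0) + 1
    }
  }
  return summary
}

// Logging command that sets a pipeline variable for subsequent tasks in the job.
function setVariableCommand(name: string, value: string | number | boolean, isOutput = false): string {
  return `##vso[task.setvariable variable=${name};isOutput=${isOutput};issecret=false]${value}`
}

// Gate policy (constructed): fail on any error-level result or any result new since the baseline.
function shouldFail(summary: SarifSummary): boolean {
  return (summary.byLevel['error'] ?? 0) > 0 || (summary.byBaseline['new'] ?? 0) > 0
}

// Constructed sample log: one run, four results, one of them fixed since the baseline.
const SAMPLE_SARIF = JSON.stringify({
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'ExampleScanner' } },
    results: [
      { ruleId: 'EX001', level: 'error', baselineState: 'new', message: { text: 'constructed finding' } },
      { ruleId: 'EX002', level: 'warning', baselineState: 'unchanged', message: { text: 'constructed finding' } },
      { ruleId: 'EX003', baselineState: 'unchanged', message: { text: 'level omitted, defaults to warning' } },
      { ruleId: 'EX004', level: 'note', baselineState: 'absent', message: { text: 'fixed since baseline' } },
    ],
  }],
})

const s = summarizeSarif(SAMPLE_SARIF)
console.log(setVariableCommand('sarif.resultCount', s.total))
console.log(setVariableCommand('sarif.newCount', s.byBaseline['new'] ?? 0))
console.log(setVariableCommand('sarif.gateFailed', shouldFail(s)))
```

In a pipeline, run this as a script step after the scan, reading the .sarif file from the CodeAnalysisLogs artifact directory instead of the constructed sample; later tasks can then use `condition: eq(variables['sarif.gateFailed'], 'false')` or fail the job when the count is non-zero.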
