Baseline file path should be configurable, and the result should have a "baselineState" property computed from the baseline sarif file provided.

Ref - baselineState

When using @microsoft/eslint-formatter-sarif, rules disabled by eslint-disable-next-line or eslint-disable still show up in the final output and the code scanning result.

This issue previously proposed in here, since the eslint formatter move to this repo, I move this issue as well.

When I running eslint -f @microsoft/eslint-formatter-sarif foo.js in a project met below error:

TypeError: Cannot read property 'description' of undefined
    at node_modules/@microsoft/eslint-formatter-sarif/sarif.js:152:57
    at Array.forEach (<anonymous>)

The line that caused above error is here

I found reason why I encounter this error is that some of the rulesMeta do not the property named docs
e.g.

  'ember-best-practices/no-lifecycle-events': {
    message: 'Do not use events for lifecycle hooks. Please use the actual hooks instead: https://github.com/ember-best-practices/eslint-plugin-ember-best-practices/blob/master/guides/rules/no-lifecycle-events.md'
  },
  'ember-best-practices/no-observers': {
    message: 'Do not use observers. Consider using computed properties instead. Please see following guide for more information: https://github.com/ember-best-practices/eslint-plugin-ember-best-practices/blob/master/guides/rules/no-observers.md'
  },
  'ember-best-practices/no-send-action': {
    message: 'Do not use send action. Consider using closure actions to work with JS functions instead of relying on the old action system. Please see following guide for more information: https://github.com/ember-best-practices/eslint-plugin-ember-best-practices/blob/master/guides/rules/no-send-action.md'
  },

This will cause the command eslint -f @microsoft/eslint-formatter-sarif failed and can not output sarif.

I implemented a small library to help build valid SARIF logs with simple methods

I think it covers most of the cases of SAST tools

If you want to add a link until official one is released, please be my guest :)

https://github.com/nvuillam/node-sarif-builder

Looks like landing #1 was missing a tsconfig.json file that was needed for building (discovered in #4).

> npm run build


> [email protected] build
> tsc --build

error TS5083: Cannot read file '/home/runner/work/sarif-js-sdk/sarif-js-sdk/packages/sarif-builder/tsconfig.json'.
npm ERR! code 1
npm ERR! path /home/runner/work/sarif-js-sdk/sarif-js-sdk
npm ERR! command failed
npm ERR! command sh -c tsc --build

When I running eslint -f @microsoft/eslint-formatter-sarif foo.js in a project met below error:

TypeError: Cannot read property 'description' of undefined
    at node_modules/@microsoft/eslint-formatter-sarif/sarif.js:152:57
    at Array.forEach (<anonymous>)

The line that caused above error is here

I found reason why I encounter this error is that some of the rulesMeta do not the property named docs
e.g.

  'ember-best-practices/no-lifecycle-events': {
    message: 'Do not use events for lifecycle hooks. Please use the actual hooks instead: https://github.com/ember-best-practices/eslint-plugin-ember-best-practices/blob/master/guides/rules/no-lifecycle-events.md'
  },
  'ember-best-practices/no-observers': {
    message: 'Do not use observers. Consider using computed properties instead. Please see following guide for more information: https://github.com/ember-best-practices/eslint-plugin-ember-best-practices/blob/master/guides/rules/no-observers.md'
  },
  'ember-best-practices/no-send-action': {
    message: 'Do not use send action. Consider using closure actions to work with JS functions instead of relying on the old action system. Please see following guide for more information: https://github.com/ember-best-practices/eslint-plugin-ember-best-practices/blob/master/guides/rules/no-send-action.md'
  },

This will cause the command eslint -f @microsoft/eslint-formatter-sarif failed and can not output sarif.

The current release of eslint-formatter-sarif is still published from the sarif-sdk org. We should update and republish this formatter so that it's correctly referenced from this new org.

With the advent of new test frameworks such as vitest, which have an equivalent API to jest, but offer superior performance characteristics, it's worth making some changes to this package to support it. Specifically, decoupling the extend behavior from the underlying assertion functionality makes sense here, and would allow the consuming application to extend as necessary.

This could result in two benefits:

1. As mentioned, supporting other frameworks than Jest
2. Avoiding the side-effectful import that's necessary currently (and additionally the issue with side-effect imports being necessary for types to correctly work in TypeScript applications).

Summary
The @microsoft/eslint-formatter-sarif formatter is not properly encoding the URI of the files. This is producing warning logs when uploading SARIF results to the GitHub SARIF API. This is referenced in the GitHub Code Scanning starter workflow for eslint .

Problem
I believe the problem is the that the eslint-formatter-sarif is not percent-encoding the symbols. For example, one of the warning contains a [string] in the URI where it should have been %5string%5D

Note - this is not affecting the functionality of the GitHub Code Scanning, just producing a lot of noise.

We are facing issue while trying to use eslint parser to parse the js files and trying raise the issuesfrom JSON object to string using sarif formatter.
Please go through following steps to reproduce:

Note : Some pre-requisites
please install nodejs if your system doesn't have it
please Make sure node version by following command:
node -v
v16.14.2

Steps to reproduce :

Please download and extract this nms-ui.zip file.

please go to nms-ui working directory.
please open command prompt recommended to open in Administrator mode.
please run following command to verify the version:

npm -v
8.5.0

npx eslint -v
v7.26.0

please Make sure you have following libraries installed on the machine by using the following command :

npm list

+-- @microsoft/[email protected]
+-- @typescript-eslint/[email protected]
+-- [email protected]
+-- [email protected]
`-- [email protected]

finally run the following command :

node node_modules\eslint\bin\eslint.js -f node_modules@microsoft\eslint-formatter-sarif -o output.0.json -c config.0.json .

The output will be having following Error :

Oops! Something went wrong! :(

ESLint: 7.26.0

RangeError: Invalid string length
at JSON.stringify ()
at module.exports (C:\KW_Workspace\nms-ui\node_modules@microsoft\eslint-formatter-sarif\sarif.js:282:17)
at Object.format (C:\KW_Workspace\nms-ui\node_modules\eslint\lib\eslint\eslint.js:612:24)
at printResults (C:\KW_Workspace\nms-ui\node_modules\eslint\lib\cli.js:179:30)
at async Object.execute (C:\KW_Workspace\nms-ui\node_modules\eslint\lib\cli.js:314:13)
at async main (C:\KW_Workspace\nms-ui\node_modules\eslint\bin\eslint.js:142:24)

The reason is the string object it is trying to stringify is having an array of million data.
eslint is using microsoft sarif formatter to format the JSON object.

The reason behind this is the following code snippet available in the following path node_modules@microsoft\eslint-formatter-sarif\sarif.js

return JSON.stringify(sarifLog,
null, // replacer function
2 // # of spaces for indents
);
nms-ui.zip

high severity
Vulnerable versions: >= 7.0.0, < 8.0.1
Patched version: 8.0.1
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Hi all, we are currently using the SARIF formatter with some eslint plugins. We've noticed for plugins that include a meta.docs property with no url set it will generate the helpUri as an empty string: https://github.com/microsoft/sarif-js-sdk/blob/main/packages/eslint-formatter-sarif/sarif.js#L167-L175

The empty string leads to an invalid SARIF file format, should this be resolved w/this repository? I don't believe the url property from meta.docs is actually required when setting it.

Thanks!

Hi all, we are currently using the Eslint-formatter-sarif with Eslint. Now, the Eslint-formatter-sarif package includes the suppressed message field returned by the Eslint. Is there any existing, or could you update the package so that it provides the configuration to ignore the suppressed message?