Introducing a functional test to validate the files in SarifConverterTestData directory showed that 22 of them are invalid. Skip the test until the files are fixed.

This issue is to fix the files, then reenable the test.

An exhaustive fictional SARIF file that populates every possible thing. Each thing should have multiple instances where permissible (two may be sufficient). This file will be a useful example, help drive testing for consumers, and help drive design.

• Acquire a set of sample SARIF files produced by various tools.
• Create a test that validates them against the current schema

The idea is that if the test fails, we report the breaking change to our partners so they can update their tools to produce the new format version.

@michaelcfanning, @srivatsn: FYI. I entered this item to track the work I mentioned in today's standup.

We should test this using XSS detection or perhaps a JS 'you overwrote a global' analysis.

Create a tool which generates rule documentation and helper classes from RuleDescriptors.

It might ease adoption of the sarif SDK if we had tooling which took the metadata from the RuleDescriptors and created rule documentation, classes for each rule and any associated helper methods (e.g. methods to create result objects for rules.) The adoption workflow would look like this.

1. Developer authors the RuleDescriptors for the static analysis tool.
2. Developer runs an SDK tool which consumes the RuleDescriptors and creates help documentation for each rule.
3. Developer runs an SDK tool (this could be the same tool as in step 2) which consumes the RuleDescriptors and creates C# classes/files for each rule. The rule strings are put into resource files. The classes have helper methods which the developer can use to access the strings or perhaps create Result objects for the rule.

For a missing PDB, we don't need to report the full stack. We should alter the core logging utility to accept a string message (which can be a concise 'could not locate PDB' message or a complete stack, a la ex.ToString()', up to the discretion of the caller).

we should have helpers/visitors in the SDK that perform comprehensive, detailed validation.
our JSON schema needs to exercise more validation capabilities, such as oneOf. We don't do this today because we generate the schema from a G4. when we author the JSON schema directly, we should build it out

We should ask Kathir for some SARIF results that contain path-through-function metadata. Viewer should highlight these paths on navigating to a specific associated result.

The current G4-driven mechanism is not sufficiently expressive for deriving the JSON schema. We should investigate hand-maintaining a JSON scheme and constructing managed serialization helpers from that form.

It would be nice of the configuration values for the run were stored in resultLog.runLogs.runInfo. While most of the configuration can be gleaned from the command line, if the user specifies the "default" configuration for the run, the person reading the log file might not know what the "default" settings are for the tool. It would be better if run configuration were specifically detailed in the runInfo section.

I know I filed this yesterday but I don't see it. Feel free to close the dup when/if you find it.

The idea is, you open a SARIF file in VS, and it shows sqiggles on (for example) invalid property names or invalid object content.

I have a triskele graphic that we would like to use for SARIF. We need to convert this graphic into an appropriate bundle of images and get them integrated in the VSIX.

On navigating to an issue in a previously unopened file, the file should open in the editor and squigglies should be overlaid everywhere we see an issue. The squiggly should provide a pop-up tool-tip with the full message text. Ultimately, a right click option on the squiggly that integrates with our up and down vote feature would be good.

Note that when squigglies are enabled, we might not need the navigation code that currently selects the relevant code range associated with a static analysis result on double-click. We should see how this behavior looks when we get to building this feature.

It would be nice if ruleDescriptor had a URI property which specifies an endpoint where the rule definition can be retrieved from.

In our meeting, we had a deeper conversation about how this property could be used. In general, we thought the URI (and it's contents) can be thought of as a contract for a rule. For example, if the URL was http://sarif.microsoft.com/codedefects/unusedusingstatements, this indicates that the rule professes to validate that there are no unused using statements. The URI describes the defect and the rule verifies the defect does not exist. The relationship between URI(defects)->rules is not 1-to-1. Many rules may profess to verify a defect. This also implies that many tools may profess to verify a defect.

For examples:

DbScanner http://localhost/accounting.db /runInfo:correlationId=123abc;architecture=x86

It is easy for log consumers to determine that they need to need to consult charOffset or byteOffset members to determine result location, they only need to consult startColumn, which is 1-indexed (if its value is 0, then charOffset or byteOffset must be consulted).

Because charOffset and byteOffset are 0-indexed, however, we cannot distinguish which property is in play for offset == 0.

The practical impact is that object models (such as provided by the SARIF .NET SDK) must provide nullable values for these properties, that directly express whether the property was present in source JSON.

See SarifSnapshot.cs for where this is populated

We have some debug handling for verifying that formattedMessages have appropriate # of arguments. This doesn't help callers who take a dependency on release builds.

Since the generation of a result is a reasonably low-frequency occurrence, we should put this validation into the release path. For now, it probably belongs in the RuleUtilities.BuildResult API (since we are still auto-generating the SDK, otherwise validation could exist in FormattedMessage itself).

Putting validation in the SDK API would allow someone to reauthor their own version if the validation was perceived as not helpful for some reason.

When attempting to remap a file location, it is nice when the code automatically tries to locate the remapped file, rather than requiring a use to navigate to it completely. Making this improvement would entail getting a callback from File/Open on any directory change. We'd then need to examine all directory suffixes on the target file path to see if any of them resolve via File.Exists.

We should be able to take a code fix for a test file and to apply it using VS text buffer manipulating capabilities. Complexity here would involve remembering what edits have been made in order to permit subsequent application of other code fixes within the file.

We want users to have an easy way to send telemetry that says, minimally, this is a good result vs. tool noise.

We took a crack at integrating Sarif into two of our prototyping tools and were able to do so, but through trial and error. Some sample code in the README file for generating a Sarif output file using the SDK would be helpful!

SqlSkim could provide a code fix here for the 'don't use small variably typed column definitions' rule.

We should add new options to File/Open for our tool converters. E.g., we have an entry for Fortify files that would invoke the converter for Fortify, convert to SARIF, and then populate via regular code paths.

When we have this functionality, the viewer is a kind of universal SA results viewer, might warrant some renaming of commands/change of metadata associated with package.

In the results node, a rule is identified by the “ruleId” field. In the ruleInfo node a rule is identified by the “id” field. It would be nice if these were named the same since they refer to the same value.

Repro:

1. Fork this repo and clone it.
2. From the root directory, run BuildAndTest.cmd.

Expected: It builds.

Actual:

CSC : error CS7027: Error signing output with public key from file 'GeneratedKey.snk' -- File not found. [e:\Repos\sarif-sdk\src\Sarif\Sarif.csproj]

Cause: The script creates GeneratedKey.snk in the root directory, but the project files don't refer to it at the correct path.

Fix: Modify the project files to refer to the key at the correct path. (The project file Sarif.Viewer.VisualStudio.csproj has it right. Sarif.csproj and Sarif.Driver.csproj have it wrong.)

In order to express three conditions:

in source suppression information not available (e.g., when CODE_ANALYSIS is not defined)
in-source suppression info available and item is suppressed in source
in-source suppression info available and item is not suppressed in source

There are several test failures. Console output attached:

sarif-sdk-test-errors.txt

Not clear how many distinct errors this represents. Will open separate issues as appropriate.

Some error messages (such as unhandled engine exception) may occur with no populated analysis target URI. We should explicit review these cases and ensure logging succeeds.

... so that customers don't have to discover the obscure helper method CreateUriForJsonSerialization.

Since ERR0998 is raised for rule exceptions, the rule id of the offending rule should be explicitly stated in the ERR0998 result node. Currently, the rule name is listed in the format args, but the rule id does not exist.

If we have a non-null property bag and it contains a 'Category' entry, we should populate the VS column with this information.

One way to accomplish this would be to enable FxCop ability to emit suppressed messages to log. Then populate SARIF from a converted FxCop log file and open in VS. If we have the automated FxCop conversion working in VS, this intermediate step could be skipped.

We should package/download signed versions instead.

Can we add the tool short-name to the tool column and provide tool full name, if present on pop-up, for example?