microsoft / sarif-visualstudio-extension


SARIF Microsoft Visual Studio Viewer Extension

License: MIT License

Batchfile 0.23% PowerShell 1.10% C# 98.11% HTML 0.25% C 0.07% C++ 0.25%

sarif-visualstudio-extension's Introduction

Microsoft SARIF Viewer


The Microsoft SARIF Viewer extension for Visual Studio provides a convenient UI for analyzing static analysis log files and taking action on the items they contain. The SARIF Viewer integrates with the Visual Studio environment, displaying a list of analysis results in the Error List and result details in a dockable tool window.

Features

  • View the set of results from a SARIF log file
  • View details about each result, including:
    • Information about the rule that was violated
    • Locations of the defect
    • Code paths and call stacks that lead to the defect
    • Suggested fixes for the defect
    • Details about the static analysis run and the tool that performed it
  • Navigate to the defect location in the target file
  • Extract target files embedded in the SARIF log
  • Preview and apply suggested fixes in the target file with the click of a button
  • Automatically transform SARIF v1 logs to v2
  • Automatically convert log files from many other static analysis formats
  • Open SARIF log files in the SARIF Viewer from your own Visual Studio extension using the SARIF Viewer Interop Library

Installation

The Microsoft SARIF Viewer extension can be downloaded and installed from the Visual Studio Marketplace.

Alternatively, in Visual Studio, open the Extension Manager (Menu: Extensions -> Manage Extensions), search for "Microsoft SARIF Viewer", select the entry, and click on the Download button.

License

Microsoft SARIF Viewer is licensed under the MIT license.

sarif-visualstudio-extension's People

Contributors

chrishuynhc, dependabot[bot], easyrhino-gh, easyrhinomsft, eddynaka, edkazcarlson-ms, gabedebacker, jarlob, marmegh, michaelcfanning, microsoft-github-policy-service[bot], microsoftopensource, msftgits, payton2022, yongyan-gh


sarif-visualstudio-extension's Issues

Fixes don't recognize text-based regions

Repro:

  1. Build and run the sarif-sdk sample application:
     SarifSdkSample.exe create Test.sarif
  2. Open Test.sarif in the viewer.
  3. In the Error List window, click on the issue CA1820.
  4. In the SARIF Explorer window, click Fixes.
  5. Expand the tree nodes "Replace empty string with test for zero length", "Analysis Sample.cs".

Expected: It should display the "Deleted region" with proper row and column values.

Actual: It says "Start at offset 0".

Viewer doesn't understand that startColumn is implicitly 1

ReformattingVisitor.txt

{
  "$schema": "http://json.schemastore.org/sarif-2.0.0",
  "version": "2.0.0",
  "runs": [
    {
      "instanceGuid": "a8cd4914-c079-414c-86b0-1311f4c9678a",
      "tool": {
        "name": "Sarif.UnitTests",
        "fullName": "Sarif.UnitTests.1.3.3.0-beta",
        "version": "1.3.3.0",
        "semanticVersion": "1.3.3",
        "sarifLoggerVersion": "1.5.22.0",
        "language": "en-US"
      },
      "originalUriBaseIds": { "SRCROOT": "file:///e$/src/sarif-sdk/" },
      "results": [
        {
          "ruleId": "TEST2001",
          "level": "error",
          "message": {
            "text": "This is an error with a 'dynamic' argument. It selects a text value of 'RegionOne'.",
            "richMessageId": "Error",
            "arguments": [ "dynamic" ]
          },
          "locations": [
            {
              "physicalLocation": {
                "fileLocation": {
                  "uri": "/src/Sarif.UnitTests/TestData/ReformattingVisitor/ReformattingVisitor.txt",
                  "uriBaseId": "SRCROOT"
                },
                "region": {
                  "startLine": 14,
                  "endColumn": 10
                }
              }
            }
          ]
        }
      ],
      "resources": {
        "rules": {
        }
      }
    }
  ]
}
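The region semantics behind the two Fixes issues above (text regions shown as "offset 0", and a missing startColumn not treated as 1), as an added example that is not the SARIF Viewer's own code: it fills in the SARIF spec's implicit region values and extracts the covered text from a constructed sample file. Field names are the spec's; SAMPLE_TEXT and the two sample regions are constructed for the example.

```python
# Added example (not the SARIF Viewer's code). Per the SARIF spec, a region with
# startLine is a text region: startColumn defaults to 1, endLine defaults to
# startLine, a missing endColumn runs to end of line, and endColumn is exclusive.

def normalize_region(region):
    """Return a copy of a SARIF region with the spec's implicit values filled in."""
    r = dict(region)
    if "startLine" in r:
        r.setdefault("startColumn", 1)
        r.setdefault("endLine", r["startLine"])
        r.setdefault("endColumn", None)  # None: to the end of endLine
    return r

def describe_region(region):
    """Line/column description for text regions; offsets only as a fallback."""
    r = normalize_region(region)
    if "startLine" in r:
        if r["endColumn"] is None:
            end = f"end of line {r['endLine']}"
        else:
            end = f"line {r['endLine']}, column {r['endColumn']}"
        return f"line {r['startLine']}, column {r['startColumn']} to {end}"
    if "charOffset" in r:
        return f"char offset {r['charOffset']}, length {r.get('charLength', 0)}"
    if "byteOffset" in r:
        return f"byte offset {r['byteOffset']}, length {r.get('byteLength', 0)}"
    return "start at offset 0"  # the unhelpful text the Fixes issue reports

def region_text(region, text):
    """Characters covered by a text region of `text` (1-based, end exclusive)."""
    r = normalize_region(region)
    if "startLine" not in r:
        return None
    lines = text.splitlines()
    pieces = []
    for n in range(r["startLine"], r["endLine"] + 1):
        line = lines[n - 1]
        begin = r["startColumn"] - 1 if n == r["startLine"] else 0
        end = len(line)
        if n == r["endLine"] and r["endColumn"] is not None:
            end = r["endColumn"] - 1
        pieces.append(line[begin:end])
    return "\n".join(pieces)

# Constructed sample file; IMPLICIT_REGION omits startColumn like the issue above.
SAMPLE_TEXT = "x = 1\nurl = 'http://host/'\n"
FULL_REGION = {"startLine": 2, "startColumn": 8, "endColumn": 14}
IMPLICIT_REGION = {"startLine": 1, "endColumn": 4}
```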

Open file picker for any file location

We currently require a region on the result. But if a result references a file, why not just try to open that file?

IOW, we assume there is a default region, which is the insertion point at the beginning of the file. :)

Why are we always generating temporary file copies?

Repro: copy the file contents below to a file named test.sarif. Open it. Double-click the result and open the file log. You get pointed to a copy in a temporary location rather than the original file.

{
  "$schema": "http://json.schemastore.org/sarif-2.0.0-csd.2.beta.2018-10-10",
  "version": "2.0.0-csd.2.beta.2018-10-10",
  "runs": [
    {
      "tool": {
        "name": "Contrast Security"
      },
      "results": [
        {
          "ruleId": "test",
          "level": "warning",
          "message": {
            "text": "sample warning."
          },
          "locations": [
            {
              "physicalLocation": {"fileLocation": {"uri": "file:///c:/test.txt"}}
            }
          ]
        }
      ]
    }
  ]
}

Investigation on create bug template.

Investigate on if there is any existing control/api which can render 'create bug' template form.

Comment: Discussed with Mukul; the create-bug feature is not a priority now. Closing this one; if it is needed in the future, we will reopen.

Add UI for displaying rule metadata

The viewer is focused on displaying a list of results, and the details of a selected result. It needs a feature to display the list of rules, and details of a selected rule.

Feature: Export to SARIF?

Since the extension is already able to convert from different formats (#41), would it be easy to add an option to export selected items from the Error List window to SARIF (the results could be from analyzers)?

My workflow is to save results from analyzers for opening later. Maybe I miss something, but all I found is dotnet/roslyn#430 and dotnet/roslyn#24319 but it requires changes to the project file.

Code highlight disappears on SARIF explorer "Info" tab click

Repro Steps:

  1. Open SARIF in viewer
  2. Select issue in error list that opens source code with proper highlighting
    (snippet is highlighted properly)
  3. In SARIF explorer window, click "Info" tab

Expected: Source highlighting should still exist
Actual: Source highlighting is removed and no longer present in the source code

Null reference exception when opening WebGoat.xml.sarif

The viewer pops a null reference exception error box when opening the file WebGoat.xml.sarif from the SARIF SDK.

This might be because the .sarif file is invalid. Right now I can't validate the file because Sarif.Multitool is crashing on startup. I will file a bug for that, too.

Render links in all plain text messages

For any property that you display whose value is a message object or a multiformatMessage object, if you are displaying the object's text property, then render the sequence [link text](link target) as a hyperlink.

@michaelcfanning noticed the lack in the rule metadata display, but we should do it everywhere.

The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.

The following v1 SARIF file (generated with https://github.com/Microsoft/DevSkim) fails to convert to v2 when opened in VS with the error "The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters."

{
  "version": "1.0.0",
  "runs": [
    {
      "tool": {
        "name": "devskim",
        "fullName": "Microsoft DevSkim Command Line Interface",
        "version": "0.1.11"
      },
      "results": [
        {
          "ruleId": "DS137138",
          "level": "error",
          "message": "Insecure URL",
          "locations": [
            {
              "analysisTarget": {
                "uri": "file:///C:/temp/aaa.js",
                "region": {
                  "startLine": 18,
                  "startColumn": 27,
                  "endLine": 18,
                  "endColumn": 33,
                  "offset": 516,
                  "length": 6
                }
              }
            }
          ],
          "snippet": "http:/",
          "fixes": [
            {
              "description": "Change to HTTPS ",
              "fileChanges": [
                {
                  "uri": "file:///C:/temp/aaa.js",
                  "replacements": [
                    {
                      "offset": 516,
                      "deletedLength": 6,
                      "insertedBytes": "https:/"
                    }
                  ]
                }
              ]
            }
          ],
          "properties": {
            "tags": ["ThreatModel.Integration.HTTP"]
          }
        }
      ],
      "rules": {
        "DS137138": {
          "id": "DS137138",
          "name": "Insecure URL",
          "fullDescription": "An HTTP-based URL without TLS was detected.",
          "defaultLevel": "error",
          "helpUri": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS137138.md"
        }
      }
    }
  ]
}

Could not load file or assembly 'System.Collections.Immutable' error

I am on Windows 10 Pro.

I have installed the extension using the method outlined in the readme. When, in Visual Studio Community 2017, I go to Tools > Import Static Analysis Log File to Error List > Import SARIF file and select a SARIF file, I get an error message:

Could not load file or assembly 'System.Collections.Immutable, Version=1.2.3.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.

I am able to open this file in Visual Studio Code using the very same plugin, so the file is valid.

Where should I start looking to fix this?

Microsoft Visual Studio Community 2017 
Version 15.7.4
VisualStudio.15.Release/15.7.4+27703.2035
Microsoft .NET Framework
Version 4.7.03190

Installed Version: Community

Visual C++ 2017   00369-60000-00001-AA558
Microsoft Visual C++ 2017

ASP.NET and Web Tools 2017   15.0.40601.0
ASP.NET and Web Tools 2017

C# Tools   2.8.3-beta6-62923-07. Commit Hash: 7aafab561e449da50712e16c9e81742b8e7a2969
C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Common Azure Tools   1.10
Provides common services for use by Azure Mobile Services and Microsoft Azure Tools.

JavaScript Language Service   2.0
JavaScript Language Service

Microsoft JVM Debugger   1.0
Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines

Microsoft MI-Based Debugger   1.0
Provides support for connecting Visual Studio to MI compatible debuggers

Microsoft SARIF Viewer   2.0 beta
Visual Studio Static Analysis Results Interchange Format (SARIF) log file viewer

Microsoft Visual C++ Wizards   1.0
Microsoft Visual C++ Wizards

Microsoft Visual Studio VC Package   1.0
Microsoft Visual Studio VC Package

NuGet Package Manager   4.6.0
NuGet Package Manager in Visual Studio. For more information about NuGet, visit http://docs.nuget.org/.

ProjectServicesPackage Extension   1.0
ProjectServicesPackage Visual Studio Extension Detailed Info

ResourcePackage Extension   1.0
ResourcePackage Visual Studio Extension Detailed Info

Visual Basic Tools   2.8.3-beta6-62923-07. Commit Hash: 7aafab561e449da50712e16c9e81742b8e7a2969
Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Visual Studio Code Debug Adapter Host Package   1.0
Interop layer for hosting Visual Studio Code debug adapters in Visual Studio

Visual Studio Tools for CMake   1.0
Visual Studio Tools for CMake

Windows Machine Learning Generator Extension   1.0
Windows Machine Learning Visual Studio Extension Detailed Info

Preview and Apply action links are disabled in Fixes

Repro:

  1. Build and run the sarif-sdk sample application:
     SarifSdkSample.exe create Test.sarif
  2. Open Test.sarif in the viewer.
  3. In the Error List window, click on the issue CA1820.
  4. In the SARIF Explorer window, click Fixes.
  5. Expand the tree nodes "Replace empty string with test for zero length", "Analysis Sample.cs".

Expected: The Preview and Apply links are enabled and work properly.

Actual: The links are disabled.

Offer .sarif and .sarif-external-properties file templates

Add options to File, New:

.sarif file, with initial contents

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Tool Name"
        }
      },
      "results": [
      ]
    }
  ]
}

.sarif-external-properties file, with initial contents

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-external-property-file-schema-2.1.0.json",
  "version": "2.1.0"
}

Cannot open SARIF files containing URIs that are empty strings

If I attempt to open the /analyze:log SARIF output from Visual Studio 2019 (16.0.3 release or 16.1.0 preview 2), both Visual Studio 2019 and Visual Studio 2017 produce the same error dialog. It says, "Value cannot be null. Parameter name: path." I have no information within the standard that says a path parameter exists. Please refer to section I.5 of the official standard.

I suppose there is a small chance that the environmentVariables area under invocations is the cause. However, when I search the sarif file output from Visual Studio 2019, there is no entry anywhere in the file that is tagged environmentVariables. If this is an issue with Visual Studio 2019, then it would make sense. This file output type is not listed on the official analyze option page for 2019. For this issue, use the Microsoft Sample C++ project for code analysis.

Viewer doesn't maintain a rebasing cache per run object

Ouch! When we load file table keys, these are shared across runs. This rightly raises an exception when Files.Add encounters a file name that's already there.

All our remapping needs to occur on a per-run basis. Don't forget! When you have a uriBaseId (with no originalUriBaseId value that maps to an existing file location), you can just query for that directory location and you're off to the races. I.e., no more heuristics to figure out common path roots.

We might want separate simplified logic for this case (as it should, in fact, be simple, while the existing remapping has some complexity to it that I don't think can be easily removed for the absolute URL case, etc.).

Error list shows all sentences in multisentence output

We correctly create an expander for multisentence error list entries. But we show the full contents for the unexpanded error list entry. We should only show the first sentence for this case (and the remainder of the error should display when expanded).
