I have a SARIF file with multiple findings on a single line at the same column. When I double click the first time on an issue on line x, column, then the SARIF explorer updates. However, when I double click on another issue on the same line and column, then the explorer does not update.

VSCode Version: 1.21.1
OS Version: MacOS 10.14
Steps to Reproduce:

Have a SARIF file with several issues with the same line and column number
I have a video with the issue demonstrated, but it won't let me attach. Happy to share video and SARIF file via another method.

SARIF file was exported from CodeSonar.

Does this issue occur when all extensions are disabled?: Irrelevant

New feature to assign keys to navigate the codeflowlocations in the editor. A couple of initial design questions to discuss:

• Which keys will we assign to forward and backward navigation? Are there other actions we want?
• How should we handle when there is more then one CodeFlow in the result? Couple options I can think of:
  • cycle within one codeflow until you switch to the next(either a keyboard key or mouse selection)
  • on reaching the end of the current codeflow the next hotkey will take you to the beginning of the next codeflow. In this scenario will it be obvious that they entered a different codeflow or do we need a notification of some sort?

in the html we are referencing the resultsList.js file without the uppercase "L" in list. This is causing the file not to be found on Linux machines and the Sarif Explorer not to load.

When results are show in the "issues" window, they are organized in a tree widget which is organized by file.

That is overly strict for a top-level summary view of results. At a minimum, results can have a priority or a severity and it is desirable to see the results sorted by severity. More generally, it may be beneficial to have a summary view that is a table with multiple columns, e.g., (brief) description, severity, file (of end point), rule id (or CWE id), and finding (true or false positive).

There are other features that may build on this feature in the future: re-prioritization of warnings based user classification of (a subset) of warnings; user filters on which warnings are in the summary view; etc.

The first issue is a summary view that sorts by priority.

Add a Related Location list of locations below the Locations list in the Result Info.

After we get the Sarif Explorer converted to a webview we can then use the two way communication channel to update the selection in the codeflow panel

Add to the contribution file details on how to build the project

The following message appears whenever a SARIF file is loaded for which we don't have a current mapping:

However, this is confusing when the SARIF file contains embedded file content. In that case, if you click "Later", all the files will be loaded from the SARIF file itself i.e. the mapping wasn't necessary. In this case, it seems like the extension should not pop-up the mapping request at all.

Add a tab to the Sarif Explorer to support showing the properties data from the result in the log

Embedded links are not processed when they occur at the start of a message.

Inspecting the relevant code:

    private static embeddedRegEx = /[^\\](\[((?:\\\]|[^\]])+)\]\((\d+)\))/g;

This is because the regex requires a non backslash character to occur before the match, which is not present when the [ is the first character in the message. One way to fix it would be to provide a non-capturing group which provides the line start as an alternative, e.g. this regex:

/(?:[^\\]|^)(\[((?:\\\]|[^\]])+)\]\((\d+)\))/g

Add a link in the Result Info that maps back to the location in the Sarif file. This will allow the user to look at the raw sarif results.

Sarif V2 allows the result to have attachments. We should add a way to display the attachments as links for files. If it's a screenshot we should look into if theres a way we can display the image, including if there is a rectangles property we could try to draw the rectangle.

SARIF supports the concept of URIs which are relative to some uriBaseId. The spec includes this example:

"fileLocation": {
  "uri": "drivers/video/hidef/driver.c",
  "uriBaseId": "%srcroot%"
}

Here, uri is a relative reference to a given base - in this case %srcroot%. This makes it easier to provide portable SARIF files - typically, the uri property is given as a relative reference to the root directory of the project, removing the machine specific part. In fact, the spec states that if the uri is relative, a uriBaseId should also be provided.

In order to resolve the relative URI reference to create an absolute URI, the uriBaseId needs to be resolved. From the spec:

The uriBaseId property can be any string; it does not need to have any particular syntax or follow any particular naming convention. In particular, it does not need to designate a machine environment variable or similar value, although it might. The SARIF producer and any SARIF consumers need to agree on the meanings of any values for the uriBaseId property that appear in the log file.

For example, on opening a SARIF file including URI base ids, the Visual Studio SARIF extension asks for the location of the first file in the log, and then uses this to determine the value of the variable in the uriBaseId property, which is used when resolving further relative uri references to the same uriBaseId.

The VS Code extension currently ignores the uriBaseId property completely. When provided with a log file which uses such relative URI references, the remapping is actually somewhat unintuitive - as with the VS extension, it asks to remap the file. However, unlike the VS extension, it appears to treat the first element in the relative URI as the "base".

For example, in the example above if we gave C:\src\drivers\video\hidef\driver.c as the full path, the VS Code extension appears to store the mapping drivers/ -> c:\src\drivers. Further entries in the drivers directory are automatically mapped, but files in a different directory cause an additional dialog to be popped up, once for each top-level directory, requesting the location of the first file in that directory. This is particularly confusing in combination with #58, as the file dialogs don't mention the file that is being mapped.

If there are any warnings or errors in the ToolNotifications or configurationNotifications properties we should create and add diagnostics for those to show up in the problems window.

issue to track adding support for UriBaseIds.

The v2 spec says:

3.22.8 endColumn property
When a region object represents a text region, it MAY contain a property named endColumn whose value is an integer whose value is one greater than the column number of the last character in the region.

Currently, the extension treats the endColumn as the column number of the last character in the region, so the highlighted range is one greater than it should be.

Note: endColumn was inconsistently defined in v1 and earlier versions of the v2 spec, which is probably why this confusion occurred.

Can use the existing setup structure in the src/test folder.

1. Open the attached log
2. Select the first result (and do the rebase if necessary)
3. Click a codeflow step
4. Select the second result

The source file for the second result opens in both group panes and the Explorer UI is not the active tab in the right pane.

FortifyDemo.fpr.v2 .sarif.txt
ContentFileHandlingController.cs.txt

Update the Sarif Viewer to support Sarif V2 files

We should Path join and normalize the rootbase with the path when trying to apply the rootbase.

A task to cover automating the release steps when pulling Dev into Master branch.

Some tasks to automate include:

• Creating a tag based off of the version
• Creating a release based off the version, (assigned to the tag)
• Attaching the vsix to the release
• Packaging the vsix
• Publishing the vsix to the marketplace
• Running the test suite

Add a way to set an array of paths to the settings for default remapping. This will allow someone to set their repo directory once and when they open a sarif file it will try to remap using that directory before asking the user to correct the path.

Need to add a handler for onAccept and prevent the action if the current path is still invalid.

This is an issue because the extension listens for a sarif file to opens, it activates when a file opens, which means the first time in a fresh instance of vscode a file gets opened the sarif extension activates and the Sarif Explorer opens.

On activation we need to not load the Sarif Explorer, but to wait for the first sarif file opened to load it.

New feature to give a better visualization in the editor of the code path of the result. We currently highlight the codeflow locations but we don't give any indication of the calls and call returns.

The main pending issue for this feature is:
Sarif V2 CodeFlowLocations(v2's version of AnnotatedCodeLocation) no longer have a "kind" property. So the "call" or "callReturn" values are not available to determine when to put a decoration on the line. We could infer using the nesting levels but there's no guarantee that two codeflowlocations next to each other with different nesting levels are the call into or out of. All we know is that at some point after the first location and before the second location a call or return was made.

We could try using the Stacks object on the result to determine when to put a call decoration.

When we go to remap a SARIF file, the file open dialog comes up with no additional information on what file we should be looking for.

This is to add a way to reorder the columns. Without adding additional UI to the window, we could just add a setting, that allows the user to change the order.

using the Sarif SDKs new upgrader that converts a v1 to v2 sarif format we can detect it a file is v1 and upgrade it into a temp folder for use during the session. Will need to remove the file when the vscode session ends.

Add a tab to the Sarif Explorer to support showing the Callstacks data from the result in the log

Add an inline view of the codeflow steps message. This will allow the user to see the message/description right next to the code.

Open questions:

• do we want to show all of the messages or only the current one selected?
• should we show the message in the line above(via codelens) or to the right of the line(via decoration)?

I'm having trouble getting a SARIF file with uriBaseIds to be appropriately handled by the VS Code extension. I'm encountering a number of (seemingly related) problems.

I've attached a minimal test case here: uri-base-id-failure.zip. As well as the failing test case, I've also included a version of the SARIF file that does not use uriBaseIds, and the remapping works as expected with that file.

Issue 1: Problem view not populated after selecting mapping for first file

Reproduction steps:

1. Open uri-base-id-failure/results.sarif
2. When prompted for the path for \folder1\sourcefile1.cs, enter the full path to the first source file.
3. When prompted again (to confirm the mapping), press enter.

Result: The problem view is not populated, no error is reported.

Issue 2: Problem view not populated when root path specified

Reproduction steps:

1. Open uri-base-id-failure/results.sarif
2. When prompted for the path for for \folder1\sourcefile1.cs, enter the full path to the root directory of the unzipped folder.
3. When prompted again (to confirm the mapping), press enter.

Result: The problem view is not populated, no error is reported.

In this case, an entry has been added to the sarif-viewer.rootpaths array in the user settings. The entry appears to be correct, but the problem view is not populated, even if the file is reloaded or the SARIF viewer restarted.

Issue 3: Mapping to source after the file is loaded only applies to single result

Reproduction steps:

1. Open uri-base-id-failure/results.sarif
2. When prompted for the path to \folder1\sourcefile1.cs, hit escape to cancel.
3. The problems view is populated with the two unmapped results.
4. Right click one of the results, and select "Map to source".
5. When prompted for the path to \%SRCROOT%\folder1\sourcefile1.cs, enter either the full path to the file, or the rootpath.

Result: Only the single result is mapped. I would expect both results to be mapped.

Note that the second time around, the requested path is \%SRCROOT%\folder1\sourcefile1.cs, whereas the first time round the requested path is \folder1\sourcefile1.cs.

implement a visualization of the State information in the code flow tab for the selected step

Causes the location text to wrap. Suggest ellipsis truncation if possible (but keep the line # visible)

Need to refresh the sarif explorer if a remapping occurs, to refresh the links.

Need to add in the version if it exists in the tool data.

Look into/implement running the sarif sdk converter on files to then load them in the sarif viewer.

Initially thinking a vscode task could run the exe on the file, and put the created sarif file into the same temp location we create when an embedded file is created. Then open the newly created sarif file to view the sarif details.

Open question:

• How do we trigger when a file needs to be converted? Some options:
  • Full Auto: Should we detect if a compatible extension file was opened and auto convert it?
  • Optional Auto: Add a setting for the user to specify which file type opened need to be auto converted?
  • Full Manual: Add a new Command to convert the currently opened file?

Add support for embedded links in the message. Will need to investigate if links are possible in Problems panel.

We lost the file picker, can you please find a way to return it? I was unable to manually update the file path for the SDK SDV tests. The process was cumbersome.

Please follow up with the VS Code team on the failure to provide a mechanism to add a title to the file picker. That is either possible with their API or it is a bug they should fix. It is a significant issue is a file picker comes up with no useful title for users.

VSCode currently limits 250 diagnostics per file per DiagnosticsCollection. This prevents us from showing all of the results in a file if it's greater then 250. We currently display a custom error message after 249. A couple of possible ways to go above 250(I'm in favor of the first option):

• In the extensions DiagnosticsCollection Controller we could add an array of DiagnosticsCollections and once a collection hits the cap for a file, it then move to the next collection and fills it up. We could then establish our own limit that makes more sense for a sarif file's results, ex. 4 collections for total of 1000 results max.

• Second option would be to keep it at 249 and let the user click the custom(250th) one we add and it will cycle through to the next set of 249 for that file. This might be difficult to communicate to the user and it might get confusing to not be able to track where you are in the rotation through the errors.

There is no documentation on how to build this viewer locally after a git clone, and how to produce a package that can be installed locally to VSCode.

This is especially important if there are a large number of results. Can show they user the progress of reading the results something like "Processing 42/2000 results" and have it count up as it processes.

Known vulnerability found

CVE-2018-3728
Moderate severity
hoek node module before 5.0.3 or 4.2.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via...

more info can be found here:
https://nvd.nist.gov/vuln/detail/CVE-2018-3728

This is because we convert to zero based for VSCode's region, needs to be converted back to 1 based for display

Add a tab to the Sarif Explorer to support showing the Fixes data from the result in the log

Add a way to Search/Filter the Results List which would narrow down the amount of results in the list based on the search/filter value entered. A couple of things to figure out:

• do we remove groups that after filtering have no results?
• do we allow the user to narrow down the search/filter by specifying a column to search, such as:
  resultId:1234
• do we want to provide case/ignore case option
• do we want to allow wildcard characters

Sample attached. Choose result that begins with "Attackers are able..."
The first two code flow locations are whole-line, i.e. startLine and endLine are the only region properties and they have the same value.
FortifyDemo.fpr.v2 .sarif.txt

C:\src\blah.cs should work, but file:/// prefix is required.