Updates to Populate Sarif Fields for GitHub Severity + Precision (#606)

* Update dependencies

* Improve Confidence Reporting

Adds Confidence Field to Issue Record
Sets Confidence to either Confidence of Pattern if specified, or confidence of overall rule if specified
Report Confidence and Severity in special Github sarif fields.
Add Confidence values to rules

* Update Guidance (#600)
Fixed typo
Tokens/keys in source code
DES->AES Guidance

* Update Changelog.md
---------

Co-authored-by: Cristián Rojas <[email protected]>

Author: gfs

Changelog.md

@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.31] - 2024-1-28
+### Sarif Format
+Populate additional fields for GitHub Code scanning
+
+### Rules
+Populate Confidence values for rules
+
+### Dependencies
+Update Dependencies
+
+### Engine
+Prioritize confidence value from Pattern level in Issue records but fall back to rule level if not specified.
+
 ## [1.0.30] - 2024-1-31
 ### Pipeline
 Additional pipeline fixes

DevSkim-DotNet/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj

@@ -37,9 +37,9 @@
     <ItemGroup>
       <PackageReference Include="CommandLineParser" Version="2.9.1" />
       <PackageReference Include="LibGit2Sharp" Version="0.29.0" />
-      <PackageReference Include="Microsoft.CST.ApplicationInspector.Logging" Version="1.9.18" />
+      <PackageReference Include="Microsoft.CST.ApplicationInspector.Logging" Version="1.9.19" />
       <PackageReference Include="Microsoft.Extensions.CommandLineUtils" Version="1.1.1" />
-      <PackageReference Include="Sarif.Sdk" Version="4.4.0" />
+      <PackageReference Include="Sarif.Sdk" Version="4.5.3" />
     </ItemGroup>
 
 </Project>

DevSkim-DotNet/Microsoft.DevSkim.CLI/Writers/SarifWriter.cs

@@ -213,13 +213,36 @@ private void AddRuleToSarifRule(DevSkimRule devskimRule)
                     Enabled = true,
                     Level = DevSkimLevelToSarifLevel(devskimRule.Severity)
                 };
+                // Set github code scanning properties
+                sarifRule.SetProperty("precision", ConfidenceToPrecision(devskimRule.Confidence));
+                sarifRule.SetProperty("problem.severity", DevSkimLevelToGitHubLevel(devskimRule.Severity));
                 sarifRule.SetProperty("DevSkimSeverity", devskimRule.Severity.ToString());
                 sarifRule.SetProperty("DevSkimConfidence", devskimRule.Confidence.ToString());
 
                 _rules.TryAdd(devskimRule.Id, sarifRule);
             }
         }
 
+        private object DevSkimLevelToGitHubLevel(Severity severity) => severity switch
+        {
+            Severity.Unspecified => string.Empty,
+            Severity.Critical => "error",
+            Severity.Important => "warning",
+            Severity.Moderate => "warning",
+            Severity.BestPractice => "recommendation",
+            Severity.ManualReview => "recommendation",
+            _ => string.Empty,
+        };
+
+        private static string ConfidenceToPrecision(Confidence confidence) => confidence switch
+        {
+            Confidence.High => "high",
+            Confidence.Medium => "medium",
+            Confidence.Low => "low",
+            Confidence.Unspecified => string.Empty,
+            _ => string.Empty
+        };
+
         private string ToSarifFriendlyName(string devskimRuleName) =>
             string.Concat(devskimRuleName.Split(' ', StringSplitOptions.RemoveEmptyEntries)
                 .Select(x => string.Concat(x.Where(char.IsLetterOrDigit)))

DevSkim-DotNet/Microsoft.DevSkim.Tests/Microsoft.DevSkim.Tests.csproj

@@ -10,8 +10,8 @@
 
     <ItemGroup>
         <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
-        <PackageReference Include="MSTest.TestAdapter" Version="3.2.0" />
-        <PackageReference Include="MSTest.TestFramework" Version="3.2.0" />
+        <PackageReference Include="MSTest.TestAdapter" Version="3.2.2" />
+        <PackageReference Include="MSTest.TestFramework" Version="3.2.2" />
     </ItemGroup>
 
     <ItemGroup>

DevSkim-DotNet/Microsoft.DevSkim.VisualStudio/Microsoft.DevSkim.VisualStudio.csproj

@@ -87,15 +87,15 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.8.0" />
     <PackageReference Include="Microsoft.VisualStudio.LanguageServer.Client">
-      <Version>17.8.36</Version>
+      <Version>17.9.46</Version>
     </PackageReference>
     <PackageReference Include="Microsoft.VisualStudio.LanguageServer.Protocol">
       <Version>17.2.8</Version>
     </PackageReference>
-    <PackageReference Include="Microsoft.VisualStudio.SDK" Version="17.8.37222" ExcludeAssets="runtime">
+    <PackageReference Include="Microsoft.VisualStudio.SDK" Version="17.9.37000" ExcludeAssets="runtime">
       <IncludeAssets>compile; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.VSSDK.BuildTools" Version="17.8.2365">
+    <PackageReference Include="Microsoft.VSSDK.BuildTools" Version="17.9.3168">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>

DevSkim-DotNet/Microsoft.DevSkim/DevSkimRuleProcessor.cs

@@ -41,6 +41,9 @@ public IEnumerable<Issue> Analyze(string text, string fileName)
                         StartLocation: textContainer.GetLocation(matchRecord.Boundary.Index),
                         EndLocation: textContainer.GetLocation(matchRecord.Boundary.Index + matchRecord.Boundary.Length),
                         Rule: devSkimRule);
+                        // Match record confidence is based on pattern confidence (from AI engine)
+                        // As a backup, DevSkim Rules may also have an overall confidence specified for the rule, use that when match confidence undefined
+                        issue.Confidence = matchRecord.Confidence == Confidence.Unspecified ? devSkimRule.Confidence : matchRecord.Confidence;
                         if (_processorOptions.EnableSuppressions)
                         {
                             Suppression supp = new(textContainer, issue.StartLocation.Line);

DevSkim-DotNet/Microsoft.DevSkim/Issue.cs

@@ -41,5 +41,9 @@ public Issue(Boundary Boundary, Location StartLocation, Location EndLocation, De
         ///     Location (line, column) where issue starts
         /// </summary>
         public Location StartLocation { get; set; }
+        /// <summary>
+        ///     Confidence level of match
+        /// </summary>
+        public Confidence Confidence { get; internal set; }
     }
 }

DevSkim-DotNet/Microsoft.DevSkim/Microsoft.DevSkim.csproj

@@ -24,7 +24,7 @@
   </ItemGroup>
 
     <ItemGroup>
-      <PackageReference Include="Microsoft.CST.ApplicationInspector.RulesEngine" Version="1.9.18" />
+      <PackageReference Include="Microsoft.CST.ApplicationInspector.RulesEngine" Version="1.9.19" />
       <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     </ItemGroup>
 

guidance/DS106864.md

@@ -11,6 +11,12 @@ anywhere.
 In general, the [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), 
 or AES, algorithm, is preferred for all cases where symmetric encryption is needed.
 
+#### Solution
+
+##### .NET
+
+Use the following method: `System.Security.Cryptography.Aes.Create()`
+
 ### Implementation
 
 #### C# / .NET

guidance/DS113286.md

@@ -1,4 +1,4 @@
-## Do not include user-input directoy in format strings
+## Do not include user-input directly in format strings
 
 ### Summary
 Do not create NSString objects using a user-provided format string, as this could lead to a security vulnerability. https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings