Bumps npm dependencies and DevSkim .NET dependencies, Fix #697 (#698)
* Bumps npm dependencies
* Update Changelog.md
* Fix #697
Populate the Description or Recommendation fields in the markdown description since that is what ends up rendered when used in GitHub code scanning per report in #697 of inability to customize message with custom rules.
* Clean up and changelog update
* Add unit tests for SarifWriter help field logic
Introduces SarifWriterTests to verify SARIF help field population for rules with various combinations of recommendation, description, and rule info. Tests cover fallback logic, markdown formatting, and edge cases such as empty or whitespace recommendations.
* Update DevSkim-DotNet/Microsoft.DevSkim.CLI/Writers/SarifWriter.cs
Co-authored-by: Copilot <[email protected]>
* Refactor SARIF rule markdown description logic
Extracted markdown description building into a new BuildMarkdownDescription method for improved readability and maintainability. The logic for constructing the SARIF rule's Help.Markdown field is now encapsulated in a dedicated helper function.
* Refactor SarifWriterTests to use local writers
Replaces class-level StringWriter and SarifWriter fields with local variables in each test method. This improves test isolation and resource management by using 'using' statements for disposable objects.
* Refactor SARIF output parsing in tests
Replaced calls to the ParseSarifOutput helper with direct usage of JObject.Parse in SarifWriterTests. Removed the now-unused ParseSarifOutput method for simplification.
* Rename SarifWriter test methods for clarity
Test method names in SarifWriterTests.cs were updated to use descriptive, behavior-driven naming. This improves readability and makes test purposes clearer for future maintenance.
* Remove unused Patterns property in SarifWriterTests
Eliminated the Patterns property from the test case object initialization in SarifWriterTests.cs, as it was not required for the test.
* Refactor SARIF rule text description logic
Moved the logic for building SARIF rule text descriptions into a dedicated BuildTextDescription method for improved readability and maintainability.
* Add test for empty markdown in SARIF rule help
Introduces a unit test to verify that when a rule has no recommendation and no rule info, the SARIF 'help.markdown' field is empty or null, while 'help.text' falls back to the rule description.
* Update changelog for v1.0.63 with fixes and tests
Added details for version 1.0.63 including a fix for Sarif Markdown recommendation value population (#697), new test cases for SarifWriter, and updated dependencies. Fixed some section header levels to improve formatting.
* Remove redundant test for SARIF markdown help content
Deleted the test 'When_rule_has_recommendation_and_rule_info_then_markdown_includes_both' from SarifWriterTests.cs as it was redundant with `When_rule_has_recommendation_and_rule_info_then_markdown_is_properly_formatted`
* Dependencies in checked in package-lock file should use npmjs repository
The internal repository is substituted during pipeline build to allow for external contributor use
* Refactor SARIF help URI construction and update tests
Introduced a CreateHelpUri method in SarifWriter to safely construct help URIs for DevSkim rules, handling null or empty RuleInfo values. Updated related unit tests to use the new baseHelpUri constant for consistency and maintainability.
* Update tests to use SarifWriter.CreateHelpUri
Replaces references to SarifWriter.baseHelpUri with SarifWriter.CreateHelpUri in SarifWriterTests to ensure help URIs are generated consistently. This improves test accuracy and future-proofs against changes in URI construction.
* Rename baseHelpUri to BaseHelpUri in SarifWriter
Updated the constant baseHelpUri to use PascalCase (BaseHelpUri) for consistency with naming conventions. Adjusted references to the constant accordingly.
* Update SarifWriterTests to use exact string assertions
Changed tests to use Assert.AreEqual with expected markdown and help text strings instead of Assert.IsTrue with Contains. This ensures stricter validation of the output format.
* Update Changelog.md
* Refactor SarifWriterTests to reuse helpUri variable
Replaces repeated calls to SarifWriter.CreateHelpUri with a local helpUri variable in test assertions for expectedMarkdown. This improves readability and reduces redundant method calls.
* Change BaseHelpUri to private constant
Updated the visibility of the BaseHelpUri constant from public to private in SarifWriter.cs to restrict its access within the class.
* Change CreateHelpUri to internal access modifier
The CreateHelpUri method in SarifWriter was changed from public to internal to restrict its visibility within the assembly. This helps encapsulate implementation details and limits external usage.
* Update SarifWriter.cs
* Expose internals to test project and update method visibility
Added InternalsVisibleTo for Microsoft.DevSkim.Tests in the CLI project file to allow unit testing of internal members. Changed CreateHelpUri from public to internal in SarifWriter to restrict its visibility to within the assembly.
* Remove unused variable in AnalyzeTest.cs
Deleted the unused 'oneUpPath' variable from the test setup to clean up the code.
* Remove unused variable in SuppressionsTest
Deleted the unused 'oneUpPath' variable from the test method to clean up the code.
* Remove unused exception variable in regex creation
Eliminated the unused exception variable in the catch block of the regex creation method. Added a TODO comment noting the need to refactor for logging since the logger is not accessible in the static context.
---------
Co-authored-by: Copilot <[email protected]>
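
An added example, not part of this commit or of the DevSkim code base: a Python check that lists the rules in a SARIF log whose `help.markdown` is missing or whitespace-only, the field the commit message says is rendered in GitHub code scanning. The sample log, tool name, rule ids and URL are constructed; the field names are those of SARIF 2.1.0.

```python
import json

# Constructed SARIF 2.1.0 fragment (not real DevSkim output).
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
      {"id": "EX0001",
       "help": {"text": "Use a stronger hash.", "markdown": "Use a stronger hash."},
       "helpUri": "https://example.invalid/rules/EX0001"},
      {"id": "EX0002", "help": {"text": "Description only."}},
      {"id": "EX0003", "help": {"text": "Custom rule.", "markdown": "   "}},
      {"id": "EX0004"}
    ]}}
  }]
}
""")


def _blank(value):
    """True when a field is absent, not a string, or only whitespace."""
    return not isinstance(value, str) or not value.strip()


def audit_rule_help(sarif):
    """Return (run_index, rule_id, problems) for rules with incomplete help."""
    findings = []
    for run_index, run in enumerate(sarif.get("runs") or []):
        driver = (run.get("tool") or {}).get("driver") or {}
        for rule in driver.get("rules") or []:
            help_obj = rule.get("help") or {}
            problems = []
            if _blank(help_obj.get("markdown")):
                problems.append("help.markdown blank")
            if _blank(help_obj.get("text")):
                problems.append("help.text blank")
            if _blank(rule.get("helpUri")):
                problems.append("helpUri missing")
            if problems:
                findings.append((run_index, rule.get("id"), problems))
    return findings


if __name__ == "__main__":
    for run_index, rule_id, problems in audit_rule_help(SAMPLE_SARIF):
        print(f"run {run_index} rule {rule_id}: {', '.join(problems)}")
```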