Merge pull request #51 from PavelBansky/master

PavelBansky · web-flow · commit e5103daa59de · 2018-05-17T15:58:28.000-07:00
Master
diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj
@@ -9,23 +9,20 @@
     <ApplicationIcon />
     <PackageId>Microsoft.DevSkim.CLI</PackageId>
     <Product>Microsoft DevSkim Command Line Interface</Product>
-    <Version>0.1.9</Version>
+    <Version>0.1.10</Version>
     <Authors>Microsoft</Authors>
     <Company>Microsoft</Company>
     <Copyright>(c) Microsoft Corporation. All rights reserved</Copyright>
     <Description>DevSkim is a framework and Language analyzer that provide inline security analysis</Description>    
   </PropertyGroup>
 
-  <ItemGroup>
-    <None Remove="Resources\devskim-rules.json" />
-  </ItemGroup>
-
   <ItemGroup>
     <EmbeddedResource Include="Resources\devskim-rules.json" />
   </ItemGroup>
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.CommandLineUtils" Version="1.1.1" />
+    <PackageReference Include="Sarif.Sdk" Version="1.7.5" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Properties/launchSettings.json b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Properties/launchSettings.json
@@ -2,7 +2,7 @@
   "profiles": {
     "Microsoft.DevSkim.CLI": {
       "commandName": "Project",
-      "commandLineArgs": "test d:\\A\\rules -c"
+      "commandLineArgs": " analyze d:\\GitHub\\DevSkim soubor.txt  -f sarif"
     }
   }
 }
diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Resources/devskim-rules.json b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Resources/devskim-rules.json
@@ -51,7 +51,7 @@
     "rule_info": "DS185832.md",
     "patterns": [
       {
-        "pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)",
+        "pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+?)\\)",
         "type": "regex",
         "modifiers": null,
         "scopes": [
@@ -66,7 +66,7 @@
         "name": "Change to strcpy_s (Recommended for VC++)",
         "type": "regex-replace",
         "pattern": {
-          "pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)",
+          "pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+?)\\)",
           "type": "regex",
           "modifiers": null,
           "scopes": [
@@ -80,7 +80,7 @@
         "name": "Change to strlcpy",
         "type": "regex-replace",
         "pattern": {
-          "pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)",
+          "pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+?)\\)",
           "type": "regex",
           "modifiers": null,
           "scopes": [
@@ -113,7 +113,7 @@
     "rule_info": "DS111237.md",
     "patterns": [
       {
-        "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
+        "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+?)\\)+",
         "type": "regex",
         "modifiers": null,
         "scopes": [
@@ -128,7 +128,7 @@
         "name": "Change to strcpy_s (Recommended for VC++)",
         "type": "regex-replace",
         "pattern": {
-          "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
+          "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+?)\\)+",
           "type": "regex",
           "modifiers": null,
           "scopes": [
@@ -142,7 +142,7 @@
         "name": "Change to strlcpy",
         "type": "regex-replace",
         "pattern": {
-          "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
+          "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+?)\\)+",
           "type": "regex",
           "modifiers": null,
           "scopes": [
@@ -175,7 +175,7 @@
     "rule_info": "DS141863.md",
     "patterns": [
       {
-        "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)",
+        "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+?)\\)",
         "type": "regex",
         "modifiers": null,
         "scopes": [
@@ -190,7 +190,7 @@
         "name": "Change to strcat_s (Recommended for VC++)",
         "type": "regex-replace",
         "pattern": {
-          "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)",
+          "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+?)\\)",
           "type": "regex",
           "modifiers": null,
           "scopes": [
@@ -204,7 +204,7 @@
         "name": "Change to strlcat",
         "type": "regex-replace",
         "pattern": {
-          "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)",
+          "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+?)\\)",
           "type": "regex",
           "modifiers": null,
           "scopes": [
@@ -237,7 +237,7 @@
     "rule_info": "DS108330.md",
     "patterns": [
       {
-        "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
+        "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+?)\\)+",
         "type": "regex",
         "modifiers": null,
         "scopes": [
@@ -252,7 +252,7 @@
         "name": "Change to strcat_s (Recommended for VC++)",
         "type": "regex-replace",
         "pattern": {
-          "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
+          "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+?)\\)+",
           "type": "regex",
           "modifiers": null,
           "scopes": [
@@ -266,7 +266,7 @@
         "name": "Change to strlcat",
         "type": "regex-replace",
         "pattern": {
-          "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
+          "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+?)\\)+",
           "type": "regex",
           "modifiers": null,
           "scopes": [
@@ -872,7 +872,7 @@
   },
   {
     "id": "DS113286",
-    "name": "Do not include user-input directoy in format strings",
+    "name": "Do not include user-input directly in format strings",
     "overrides": null,
     "schema_version": 0,
     "tags": [
diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/SarifWriter.cs b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/SarifWriter.cs
@@ -0,0 +1,159 @@
+﻿using Microsoft.CodeAnalysis.Sarif;
+using Microsoft.CodeAnalysis.Sarif.Readers;
+using Newtonsoft.Json;
+using System;
+using System.Collections.Generic;
+using System.Reflection;
+using System.Text;
+
+namespace Microsoft.DevSkim.CLI.Writers
+{
+    public class SarifWriter : Writer
+    {
+        public SarifWriter()
+        {
+            _results = new List<Result>();
+            _rules = new Dictionary<string, CodeAnalysis.Sarif.Rule>();
+        }
+
+        public override void WriteIssue(IssueRecord issue)
+        {
+            Result resultItem = new Result();
+            MapRuleToResult(issue.Issue.Rule, ref resultItem);
+            AddRuleToSarifRule(issue.Issue.Rule);
+
+            CodeAnalysis.Sarif.Location loc = new CodeAnalysis.Sarif.Location();
+            loc.AnalysisTarget = new PhysicalLocation(new Uri(issue.Filename),
+                                                      null,
+                                                      new Region(issue.Issue.StartLocation.Line,
+                                                                 issue.Issue.StartLocation.Column,
+                                                                 issue.Issue.EndLocation.Line,
+                                                                 issue.Issue.EndLocation.Column,
+                                                                 issue.Issue.Boundary.Index,
+                                                                 issue.Issue.Boundary.Length
+                                                       ));
+            resultItem.Snippet = issue.TextSample;
+
+            if (issue.Issue.Rule.Fixes != null)
+                resultItem.Fixes = GetFixits(issue);
+
+            resultItem.Locations = new List<CodeAnalysis.Sarif.Location>();
+            resultItem.Locations.Add(loc);
+            _results.Add(resultItem);            
+            
+        }
+
+        public override void FlushAndClose()
+        {
+            SarifLog sarifLog = new SarifLog();
+            sarifLog.Version = SarifVersion.OneZeroZero;
+            Run runItem = new Run();
+            runItem.Tool = new Tool();
+            Assembly entryAssembly = Assembly.GetEntryAssembly();
+
+            runItem.Tool.Name = entryAssembly.GetName()
+                                 .Name;
+
+            runItem.Tool.FullName = entryAssembly.GetCustomAttribute<AssemblyProductAttribute>()
+                                                 .Product;
+
+            runItem.Tool.Version = entryAssembly.GetCustomAttribute<AssemblyInformationalVersionAttribute>()
+                                                .InformationalVersion;
+            
+            runItem.Results = _results;
+            runItem.Rules = _rules;
+            sarifLog.Runs = new List<Run>();            
+            sarifLog.Runs.Add(runItem);
+
+
+            JsonSerializerSettings settings = new JsonSerializerSettings()
+            {
+                ContractResolver = SarifContractResolver.Instance,
+                Formatting = Formatting.Indented
+            };
+                        
+            TextWriter.Write(JsonConvert.SerializeObject(sarifLog, settings));
+            TextWriter.Flush();
+            TextWriter.Close();
+        }
+
+        private void MapRuleToResult(Rule rule, ref Result resultItem)
+        {
+            switch (rule.Severity)
+            {
+                case Severity.Critical:
+                case Severity.Important:
+                case Severity.Moderate:
+                    resultItem.Level = ResultLevel.Error;
+                    break;
+                case Severity.BestPractice:
+                    resultItem.Level = ResultLevel.Warning;
+                    break;
+                default:
+                    resultItem.Level = ResultLevel.Note;
+                    break;
+            }
+
+            resultItem.RuleId = rule.Id;
+            resultItem.Message = rule.Name;
+            foreach (string tag in rule.Tags)
+            {
+                resultItem.Tags.Add(tag);
+            }
+        }
+
+        private List<Fix> GetFixits(IssueRecord issue)
+        {
+            List<Fix> fixes = new List<Fix>();
+            if (issue.Issue.Rule.Fixes != null)
+            {
+                foreach (CodeFix fix in issue.Issue.Rule.Fixes)
+                {
+                    List<Replacement> replacements = new List<Replacement>();
+                    replacements.Add(new Replacement(issue.Issue.Boundary.Index,
+                                                     issue.Issue.Boundary.Length,
+                                                     RuleProcessor.Fix(issue.TextSample, fix)
+                                                     ));
+
+                    List<FileChange> changes = new List<FileChange>();
+                    changes.Add(new FileChange(new Uri(issue.Filename), null, replacements));
+
+                    fixes.Add(new Fix(fix.Name, changes));
+                }
+            }
+            return fixes;
+        }
+
+        private void AddRuleToSarifRule(Rule devskimRule)
+        {
+            if (!_rules.ContainsKey(devskimRule.Id))
+            {
+                CodeAnalysis.Sarif.Rule sarifRule = new CodeAnalysis.Sarif.Rule();
+                sarifRule.Id = devskimRule.Id;
+                sarifRule.Name = devskimRule.Name;
+                sarifRule.FullDescription = devskimRule.Description;
+                sarifRule.HelpUri = new Uri("https://github.com/Microsoft/DevSkim/blob/master/guidance/" + devskimRule.RuleInfo);
+
+                switch (devskimRule.Severity)
+                {
+                    case Severity.Critical:
+                    case Severity.Important:
+                    case Severity.Moderate:
+                        sarifRule.DefaultLevel = ResultLevel.Error;
+                        break;
+                    case Severity.BestPractice:
+                        sarifRule.DefaultLevel = ResultLevel.Warning;
+                        break;
+                    default:
+                        sarifRule.DefaultLevel = ResultLevel.Note;
+                        break;
+                }
+
+                _rules.Add(devskimRule.Id, sarifRule);
+            }
+        }
+        
+        private Dictionary<string, CodeAnalysis.Sarif.Rule> _rules;
+        private List<Result> _results;
+    }
+}
diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/WriterFactory.cs b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/WriterFactory.cs
@@ -24,7 +24,7 @@ public static Writer GetWriter(string writerName, string defaultWritter, string
                 case "text":
                     return new SimpleTextWriter(format);
                 case "sarif":
-                    throw new NotImplementedException("sarif not supported");
+                    return new SarifWriter();
                 default:
                     throw new Exception("wrong output");
             }

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`"profiles": {`
`3`	`3`	`"Microsoft.DevSkim.CLI": {`
`4`	`4`	`"commandName": "Project",`
`5`		`- "commandLineArgs": "test d:\\A\\rules -c"`
	`5`	`+ "commandLineArgs": " analyze d:\\GitHub\\DevSkim soubor.txt -f sarif"`
`6`	`6`	`}`
`7`	`7`	`}`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ public static Writer GetWriter(string writerName, string defaultWritter, string`
`24`	`24`	`case "text":`
`25`	`25`	`return new SimpleTextWriter(format);`
`26`	`26`	`case "sarif":`
`27`		`- throw new NotImplementedException("sarif not supported");`
	`27`	`+ return new SarifWriter();`
`28`	`28`	`default:`
`29`	`29`	`throw new Exception("wrong output");`
`30`	`30`	`}`