Add SARIF processing and basic alert rendering (#1171)

Author: charisk

extensions/ql-vscode/src/remote-queries/analyses-results-manager.ts

@@ -6,9 +6,10 @@ import { Credentials } from '../authentication';
 import { Logger } from '../logging';
 import { downloadArtifactFromLink } from './gh-actions-api-client';
 import { AnalysisSummary } from './shared/remote-query-result';
-import { AnalysisResults, QueryResult } from './shared/analysis-result';
+import { AnalysisResults, AnalysisAlert } from './shared/analysis-result';
 import { UserCancellationException } from '../commandRunner';
 import { sarifParser } from '../sarif-parser';
+import { extractAnalysisAlerts } from './sarif-processing';
 
 export class AnalysesResultsManager {
   // Store for the results of various analyses for each remote query.
@@ -136,26 +137,15 @@ export class AnalysesResultsManager {
     void publishResults([...resultsForQuery]);
   }
 
-  private async readResults(filePath: string): Promise<QueryResult[]> {
-    const queryResults: QueryResult[] = [];
-
+  private async readResults(filePath: string): Promise<AnalysisAlert[]> {
     const sarifLog = await sarifParser(filePath);
 
-    // Read the sarif file and extract information that we want to display
-    // in the UI. For now we're only getting the message texts but we'll gradually
-    // extract more information based on the UX we want to build.
-
-    sarifLog.runs?.forEach(run => {
-      run?.results?.forEach(result => {
-        if (result?.message?.text) {
-          queryResults.push({
-            message: result.message.text
-          });
-        }
-      });
-    });
-
-    return queryResults;
+    const processedSarif = extractAnalysisAlerts(sarifLog);
+    if (processedSarif.errors) {
+      void this.logger.log(`Error processing SARIF file: ${os.EOL}${processedSarif.errors.join(os.EOL)}`);
+    }
+
+    return processedSarif.alerts;
   }
 
   private isAnalysisInMemory(analysis: AnalysisSummary): boolean {

extensions/ql-vscode/src/remote-queries/sample-data.ts

@@ -99,7 +99,23 @@ export const sampleRemoteQueryResult: RemoteQueryResult = {
 };
 
 
-const createAnalysisResults = (n: number) => Array(n).fill({ 'message': 'Sample text' });
+const createAnalysisResults = (n: number) => Array(n).fill(
+  {
+    message: 'This shell command depends on an uncontrolled [absolute path](1).',
+    severity: 'Error',
+    filePath: 'npm-packages/meteor-installer/config.js',
+    codeSnippet: {
+      startLine: 253,
+      endLine: 257,
+      text: '  if (isWindows()) {\n    //set for the current session and beyond\n    child_process.execSync(`setx path "${meteorPath}/;%path%`);\n    return;\n  }\n',
+    },
+    highlightedRegion: {
+      startLine: 255,
+      startColumn: 28,
+      endColumn: 62
+    }
+  }
+);
 
 export const sampleAnalysesResultsStage1: AnalysisResults[] = [
   {

extensions/ql-vscode/src/remote-queries/sarif-processing.ts

@@ -0,0 +1,203 @@
+import * as sarif from 'sarif';
+
+import { AnalysisAlert, ResultSeverity } from './shared/analysis-result';
+
+const defaultSeverity = 'Warning';
+
+export function extractAnalysisAlerts(
+  sarifLog: sarif.Log
+): {
+  alerts: AnalysisAlert[],
+  errors: string[]
+} {
+  if (!sarifLog) {
+    return { alerts: [], errors: ['No SARIF log was found'] };
+  }
+
+  if (!sarifLog.runs) {
+    return { alerts: [], errors: ['No runs found in the SARIF file'] };
+  }
+
+  const errors: string[] = [];
+  const alerts: AnalysisAlert[] = [];
+
+  for (const run of sarifLog.runs) {
+    if (!run.results) {
+      errors.push('No results found in the SARIF run');
+      continue;
+    }
+
+    for (const result of run.results) {
+      const message = result.message?.text;
+      if (!message) {
+        errors.push('No message found in the SARIF result');
+        continue;
+      }
+
+      const severity = tryGetSeverity(run, result) || defaultSeverity;
+
+      if (!result.locations) {
+        errors.push('No locations found in the SARIF result');
+        continue;
+      }
+
+      for (const location of result.locations) {
+        const contextRegion = location.physicalLocation?.contextRegion;
+        if (!contextRegion) {
+          errors.push('No context region found in the SARIF result location');
+          continue;
+        }
+        if (contextRegion.startLine === undefined) {
+          errors.push('No start line set for a result context region');
+          continue;
+        }
+        if (contextRegion.endLine === undefined) {
+          errors.push('No end line set for a result context region');
+          continue;
+        }
+        if (!contextRegion.snippet?.text) {
+          errors.push('No text set for a result context region');
+          continue;
+        }
+
+        const region = location.physicalLocation?.region;
+        if (!region) {
+          errors.push('No region found in the SARIF result location');
+          continue;
+        }
+        if (region.startLine === undefined) {
+          errors.push('No start line set for a result region');
+          continue;
+        }
+        if (region.startColumn === undefined) {
+          errors.push('No start column set for a result region');
+          continue;
+        }
+        if (region.endColumn === undefined) {
+          errors.push('No end column set for a result region');
+          continue;
+        }
+
+        const filePath = location.physicalLocation?.artifactLocation?.uri;
+        if (!filePath) {
+          errors.push('No file path found in the SARIF result location');
+          continue;
+        }
+
+        const analysisAlert = {
+          message,
+          filePath,
+          severity,
+          codeSnippet: {
+            startLine: contextRegion.startLine,
+            endLine: contextRegion.endLine,
+            text: contextRegion.snippet.text
+          },
+          highlightedRegion: {
+            startLine: region.startLine,
+            startColumn: region.startColumn,
+            endLine: region.endLine,
+            endColumn: region.endColumn
+          }
+        };
+
+        const validationErrors = getAlertValidationErrors(analysisAlert);
+        if (validationErrors.length > 0) {
+          errors.push(...validationErrors);
+          continue;
+        }
+
+        alerts.push(analysisAlert);
+      }
+    }
+  }
+
+  return { alerts, errors };
+}
+
+export function tryGetSeverity(
+  sarifRun: sarif.Run,
+  result: sarif.Result
+): ResultSeverity | undefined {
+  if (!sarifRun || !result) {
+    return undefined;
+  }
+
+  const rule = tryGetRule(sarifRun, result);
+  if (!rule) {
+    return undefined;
+  }
+
+  const severity = rule.properties?.['problem.severity'];
+  if (!severity) {
+    return undefined;
+  }
+
+  switch (severity.toLowerCase()) {
+    case 'recommendation':
+      return 'Recommendation';
+    case 'warning':
+      return 'Warning';
+    case 'error':
+      return 'Error';
+  }
+
+  return undefined;
+}
+
+export function tryGetRule(
+  sarifRun: sarif.Run,
+  result: sarif.Result
+): sarif.ReportingDescriptor | undefined {
+  if (!sarifRun || !result) {
+    return undefined;
+  }
+
+  const resultRule = result.rule;
+  if (!resultRule) {
+    return undefined;
+  }
+
+  // The rule can found in two places:
+  // - Either in the run's tool driver tool component
+  // - Or in the run's tool extensions tool component
+
+  const ruleId = resultRule.id;
+  if (ruleId) {
+    const rule = sarifRun.tool.driver.rules?.find(r => r.id === ruleId);
+    if (rule) {
+      return rule;
+    }
+  }
+
+  const ruleIndex = resultRule.index;
+  if (ruleIndex != undefined) {
+    const toolComponentIndex = result.rule?.toolComponent?.index;
+    const toolExtensions = sarifRun.tool.extensions;
+    if (toolComponentIndex !== undefined && toolExtensions !== undefined) {
+      const toolComponent = toolExtensions[toolComponentIndex];
+      if (toolComponent?.rules !== undefined) {
+        return toolComponent.rules[ruleIndex];
+      }
+    }
+  }
+
+  // Couldn't find the rule.
+  return undefined;
+}
+
+function getAlertValidationErrors(alert: AnalysisAlert): string[] {
+  const errors = [];
+
+  if (alert.codeSnippet.startLine > alert.codeSnippet.endLine) {
+    errors.push('The code snippet start line is greater than the end line');
+  }
+
+  const highlightedRegion = alert.highlightedRegion;
+  if (highlightedRegion.endLine === highlightedRegion.startLine &&
+    highlightedRegion.endColumn < highlightedRegion.startColumn) {
+    errors.push('The highlighted region end column is greater than the start column');
+  }
+
+  return errors;
+}

extensions/ql-vscode/src/remote-queries/shared/analysis-result.ts

@@ -3,9 +3,28 @@ export type AnalysisResultStatus = 'InProgress' | 'Completed' | 'Failed';
 export interface AnalysisResults {
   nwo: string;
   status: AnalysisResultStatus;
-  results: QueryResult[];
+  results: AnalysisAlert[];
 }
 
-export interface QueryResult {
-  message?: string;
+export interface AnalysisAlert {
+  message: string;
+  severity: ResultSeverity;
+  filePath: string;
+  codeSnippet: CodeSnippet
+  highlightedRegion: HighlightedRegion
 }
+
+export interface CodeSnippet {
+  startLine: number;
+  endLine: number;
+  text: string;
+}
+
+export interface HighlightedRegion {
+  startLine: number;
+  startColumn: number;
+  endLine: number | undefined;
+  endColumn: number;
+}
+
+export type ResultSeverity = 'Recommendation' | 'Warning' | 'Error';