Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding .sarif extension for validation. #183

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Adding .sarif extension for validation. #183

wants to merge 4 commits into from

Conversation

complexconst
Copy link

I have added validation for .sarif extension.

@complexconst complexconst mentioned this pull request Oct 15, 2024
Open
@kehoecj kehoecj added hacktoberfest-accepted Valid PR Hacktoberfest PR hacktoberfest 🎃 Hacktoberfest 2024 waiting-on-maintainer-review PR is waiting to be reviewed and functionally tested by the maintainers labels Oct 15, 2024
@complexconst
Copy link
Author

Could you please approve workflows ??

@complexconst
Copy link
Author

complexconst commented Oct 15, 2024
edited
Loading

Could you please approve workflow once more ? Had missed to push changes in cli.go file

@complexconst
Copy link
Author

is there anything from my side for now ?

kehoecj
kehoecj requested changes Oct 15, 2024
View reviewed changes
Copy link
Collaborator

@kehoecj kehoecj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to update index.md, readme.md, and the CLI to include Sarif validation

@arthurflame
Copy link

Hey folks,

Not entirely sure if this is the most optimal way to validate .sarif files.

I've spent a couple of days implementing the validation myself.
Didn't want to intervene, since this issue was already assigned to @complexconst, but I was curious so I've researched and partially implemented it.

Partially - because I'm neither good, nor decent in Go ):

Here's my take.
Since files with .sarif extension are essentially JSON files, we need a way to somehow distinguish them.
In SARIF v2.1.0 specification we can determine which fields should be present in a .sarif file, so it can be considered valid.
After skimming rather quickly through it, and playing around with .sarif files with a VSCode's SARIF Viewer extension.
I could make this observation:

Minimal .sarif file should include the following fields:

  • $schema - preferably should be present, my idea was to spit a warning if this field doesn't exist in the file
  • version - key should be present, and a value shouldn't be an empty string
  • runs - amount of runs should be at least >= 1
  • results - can be an empty slice, but it should be present (in a file, explicitly)
  • tool.driver.name - keys should be present, and value shouldn't be an empty string

Let me know what you think.
@complexconst @kehoecj

arthurflame
arthurflame reviewed Oct 15, 2024
View reviewed changes
pkg/validator/sarif.go Outdated
func (SarifValidator) Validate(b []byte) (bool, error) {
_, err := sarif.FromBytes(b)
if err != nil {
return false, err
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since sarif.FromBytes does json.Unmarshal, we can return a custom error from JSON validator, which will explicitly display the precise location in the file where error occurred.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

func (SARIFValidator) Validate(b []byte) (bool, error) {
	_, err := sarif.FromBytes(b)
	if err != nil {
		customError := getCustomErr(b, err)
		return false, customError
	}

Yeah, if return value from sarif.FromBytes (except for the error) isn't needed, it's possible just to use JSON validator instead.

func (SARIFValidator) Validate(b []byte) (bool, error) {
	var output any
	err := json.Unmarshal(b, &output)
	if err != nil {
		customError := getCustomErr(b, err)
		return false, customError
	}
	return true, nil
}

arthurflame
arthurflame reviewed Oct 15, 2024
View reviewed changes
test/fixtures/good.sarif Outdated
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I presume it'll be nice to have not only a "good" .sarif file, but also a "bad" one.
Potentially a .sArIf extension would be nice too.

@complexconst
Copy link
Author

Ok, I will make required changes.

@complexconst
Copy link
Author

Please approve the workflows

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arthurflame arthurflame arthurflame left review comments

@kehoecj kehoecj kehoecj requested changes

Assignees
No one assigned
Labels
hacktoberfest 🎃 Hacktoberfest 2024 hacktoberfest-accepted Valid PR Hacktoberfest PR waiting-on-maintainer-review PR is waiting to be reviewed and functionally tested by the maintainers
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@complexconst @arthurflame @kehoecj