SARIF: Please add support for fingerprints in SARIF format 🐾 #98
Comments
My initial thought was to compute a hash from all the data that are matched in
Here is a Scala example of creating partialFingerprints:

```scala
partialFingerprints = SarifReport.PartialFingerprints("1", generatePrimaryLocationHash(issue, fileContents))
// ...
final case class PartialFingerprints(primaryLocationStartColumnFingerprint: String, primaryLocationLineHash: String)
```

It seems they are counting only with line numbers and with the hash of line content.
@jamacku The actual fingerprint computation is here: https://github.com/codacy/codacy-analysis-cli/blob/80c8baecbfea050feb5cee184051b996cdd7fed3/cli/src/main/scala/com/codacy/analysis/cli/formatter/Sarif.scala#L192 They compute an MD5 hash of a string concatenated from
Here is an example of how fingerprints are handled by And also one comment on how it works:
It hashes the data that csdiff uses in its matching algorithm. The interfaces are already prepared for csdiff/v1, which will also take the line content into account when available. From the updated tests it is obvious that these hashes already have numerous collisions on the existing test data.

Related: https://issues.redhat.com/browse/OSH-9
Related: csutils#98

It hashes the data that csdiff uses in its matching algorithm and the line content without spaces. For this fingerprint to be computed, the results need to include the line content for the key event in the format produced by `csgrep --embed-context`.

Related: https://issues.redhat.com/browse/OSH-9
Related: csutils#98

It hashes the data that csdiff uses in its matching algorithm and the line content without spaces. For this fingerprint to be computed, the results need to include the line content for the key event in the format produced by `csgrep --embed-context`.

Related: https://issues.redhat.com/browse/OSH-9
Resolves: csutils#98
Closes: csutils#168
It hashes the data that csdiff uses in its matching algorithm and the line content without spaces. For this fingerprint to be computed, the results need to include the line content for the key event in the format produced by `csgrep --embed-context`.

Related: https://issues.redhat.com/browse/OSH-9
Resolves: csutils#98

... to make the code easier to follow. No change in behavior intended with this commit.

Related: csutils#98

... when the line content in the `csgrep --embed-context` format is available.

Out of the 1783 fingerprints generated for the csgrep regression tests we got 115 collisions, which need to be analyzed. Some of them look undesired as, for example:

```
Error: CERT EXP40-C (CWE-758): wget-1.21.1/src/http.c:256: cert_exp40_c_violation: Casting pointer "value" with type "char const *" to type "void *" allows an object defined with a const-qualified type to be modified through use of an lvalue with non-const-qualified type.
# 254| release_header (hdr);
# 255| hdr->name = (void *)name;
# 256|-> hdr->value = (void *)value;
# 257| hdr->release_policy = release_policy;
# 258| return;

Error: CERT EXP40-C (CWE-758): wget-1.21.1/src/http.c:271: cert_exp40_c_violation: Casting pointer "value" with type "char const *" to type "void *" allows an object defined with a const-qualified type to be modified through use of an lvalue with non-const-qualified type.
# 269| hdr = &req->headers[req->hcount++];
# 270| hdr->name = (void *)name;
# 271|-> hdr->value = (void *)value;
# 272| hdr->release_policy = release_policy;
# 273| }
```

Related: csutils#98
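As an added example (not csutils code, and not csdiff's actual fingerprint algorithm), the following Python script parses two findings in the `csgrep --embed-context` style, modelled on the wget collision quoted in the commit message above, and computes a fingerprint from the checker, the key event name, the path and the whitespace-stripped key line, deliberately leaving out the line number so that the value survives code shifting up or down. It shows why those two findings collide and one way to keep them distinguishable in SARIF `partialFingerprints`. The hash function (SHA-256), the field order, the sample text and the key names `example/v1` and `example/ordinal` are assumptions of this example.

```python
"""Line-number-free fingerprints for csgrep-style findings (added example)."""
import hashlib
import json
import re
from collections import Counter

# Constructed sample in the `csgrep --embed-context` style, modelled on the
# two wget findings quoted above; indentation is illustrative.
SAMPLE = """\
Error: CERT EXP40-C (CWE-758): wget-1.21.1/src/http.c:256: cert_exp40_c_violation: Casting pointer "value" with type "char const *" to type "void *" allows an object defined with a const-qualified type to be modified through use of an lvalue with non-const-qualified type.
#  254|       release_header (hdr);
#  255|       hdr->name = (void *)name;
#  256|->     hdr->value = (void *)value;
#  257|       hdr->release_policy = release_policy;
#  258|       return;

Error: CERT EXP40-C (CWE-758): wget-1.21.1/src/http.c:271: cert_exp40_c_violation: Casting pointer "value" with type "char const *" to type "void *" allows an object defined with a const-qualified type to be modified through use of an lvalue with non-const-qualified type.
#  269|   hdr = &req->headers[req->hcount++];
#  270|   hdr->name = (void *)name;
#  271|->   hdr->value = (void *)value;
#  272|   hdr->release_policy = release_policy;
#  273| }
"""

# "Error: <checker>: <path>:<line>: <event>: <message>"
HEADER_RE = re.compile(
    r"^Error: (?P<checker>[^:]+): (?P<path>[^:]+):(?P<line>\d+): "
    r"(?P<event>[^:]+): (?P<msg>.*)$"
)
# "#  256|->  source" ; the "->" marks the key event's line
CONTEXT_RE = re.compile(r"^#\s*(?P<line>\d+)\|(?P<key>->)?(?P<src>.*)$")


def parse_csgrep(text):
    """Return one dict per finding; `key_src` is the text of the `->` line."""
    findings = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = m.groupdict()
            current["line"] = int(current["line"])
            current["key_src"] = None
            findings.append(current)
            continue
        m = CONTEXT_RE.match(raw)
        if m and current is not None and m.group("key"):
            current["key_src"] = m.group("src")
    return findings


def fingerprint(f):
    """Hash checker, event, path and the key line with all whitespace removed.

    The line number is excluded on purpose: two findings that differ only in
    where the same code sits should match after unrelated edits.  SHA-256
    and the field order are assumptions of this example.
    """
    src = re.sub(r"\s+", "", f["key_src"] or "")
    material = "\x00".join([f["checker"], f["event"], f["path"], src])
    return hashlib.sha256(material.encode()).hexdigest()


def to_sarif_results(findings):
    """Build SARIF result objects; colliding fingerprints get an ordinal.

    `example/v1` is the bare fingerprint, `example/ordinal` appends the
    occurrence count of that fingerprint so equal findings stay distinct.
    Both key names are hypothetical.
    """
    seen = Counter()
    results = []
    for f in findings:
        base = fingerprint(f)
        seen[base] += 1
        results.append({
            "ruleId": f["checker"],
            "message": {"text": f["msg"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"]},
                "region": {"startLine": f["line"]},
            }}],
            "partialFingerprints": {
                "example/v1": base,
                "example/ordinal": f"{base}:{seen[base]}",
            },
        })
    return results


if __name__ == "__main__":
    results = to_sarif_results(parse_csgrep(SAMPLE))
    print(json.dumps([r["partialFingerprints"] for r in results], indent=2))
```

Both wget findings produce the same `example/v1` value, which is exactly the collision described above: same checker, same event, same file and the same key line `hdr->value = (void *)value;`. The ordinal variant keeps them apart, at the cost that removing the first occurrence renumbers the second and so changes its identifier, which is the usual trade-off when fingerprints omit line numbers.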
No change in behavior intended with this commit.

Related: csutils#98
... taken from a real-world example encountered by differential-shellcheck: redhat-plumbers-in-action/differential-shellcheck#376

Related: csutils#98
Closes: csutils#168
... taken from a real-world example encountered by differential-shellcheck: redhat-plumbers-in-action/differential-shellcheck#376

Related: csutils#98

We use boost-1.69 in our EPEL-7 builds.

Related: csutils#98
Closes: csutils#168
Fingerprints could be beneficial when used with GitHub and for a general comparison of scan results.

Documentation of the fingerprints property: link
GitHub SARIF Documentation: link