[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [sarif] Alternatives for embedding links
Rather than introducing a JSONPath parser to parse references such as codeFlow[0].annotatedCodeLocations[2].physicalLocation, I prefer your suggested alternative: if you want to link from the text of a message to a physical location that already appears in (for example) a codeFlow, then recapitulate the location in the relatedLocations array. From: Michael Fanning [mailto:Michael.Fanning@microsoft.com] Thanks, Larry. To clarify your last point, we’d really like the TC to make a call on approach before the next TC, so that we can announce to the TC at next meeting that spec language for this issue is ready for final review (to be voted on in the TC following). My opinion on this is that we should stay away from the mini-language for the reasons you’ve cited. As far as the second option is concerned, I have a question: should we provide the ability for an embedded link to refer to a stack frame location, or a specific annotated code location provided in a code flow. This latter possibility occurred to me when looking at report output that Paul recently provided (related to the markdown vs. plain-text question). [here]{relatedLocations[0]}" [here]{stacks[0].frames[2].physicalLocation}" [here]{codeFlow[0].annotatedCodeLocations[2].physicalLocation}" Alternately, we could require people to recapitulate any location of interest in ‘related locations’, even if it originates with a stack or code flow. Pros:
Cons:
NOTE: stack frame doesn’t actually have a physical location, various physical location members are inlined into the frame. This was done because it doesn’t usually make sense to have the full expressivity of a region when referring to a stack frame. I think this was probably a mistake and we should reconsider. I opened a github issue to track this. Note that while a breaking change, it would be easy enough to transform the current SARIF into a correct form, if we decide to take it. Michael From: sarif@lists.oasis-open.org [mailto:sarif@lists.oasis-open.org] On Behalf Of Larry Golding (Comcast) Hello all, Yesterday, I took an action to describe to you the two options we have discussed for embedding links to source files within SARIF message properties. Both options will work whether the message is plain text or contains formatting markup such as Markdown; that is, the “embedded links” proposal is independent of the “messages with formatting” proposal. Both options involve using a syntax borrowed from Markdown to specify the link: [link text](link target). They differ in how link target is expressed. Option 1: Mini-languageThe first option expresses the properties of the link target using a string in a “mini-language”. To understand this option, you need to know that SARIF defines a “physicalLocation” object (see Section 3.19 of the spec), with three properties:
This option looks like this: { "version": "1.0.0", "runs": [ { "tool": { "name": "TaintTracker" }, "results": [ { "ruleId": "CA2001", "locations": [ { "analysisTarget": { "uriBaseId": "SRCROOT", "uri": "src/db/sql.cs", "region": { "startLine": 63, "startColumn": 12, "endColumn": 18 } } } ], "message": "Tainted data is used to execute a SQL command. The data entered the system [here]($(SRCROOT)src/ui/input.cs#startLine=20,startColumn=4,message='source of tainted data')" } ] } ] } The link text is “here”, and the link target is expressed in the mini-language as follows: $(SRCROOT)src/ui/input.cs#startLine=20,startColumn=4,message='source of tainted data', $(SRCROOT) refers to the uriBaseId, src/ui/input.cs is the uri, and the thing that looks like a URI fragment (starting with “#”) specifies the region, along with a “hover message”. The idea of the hover message is that if you click the link, your SARIF viewer application would open the specified file and highlight the region. Then, if you hovered your mouse over the region, the specified message would appear as the hover text. This design has an interesting consequence: since the mini-language specifies everything that a physicalLocation object specifies, we could consider removing the physicalLocation object from the standard, and replacing it with a string in that format. Then the example above would appear as follows: { "version": "1.0.0", "runs": [ { "tool": { "name": "TaintTracker" }, "results": [ { "ruleId": "CA2001", "locations": [ { "analysisTarget": "$(SRCROOT)/src/db/sql.cs#startLine=63,startColumn=12,endColumn=18" } ], "message": "Tainted data is used to execute a SQL command. The data entered the system [here]($(SRCROOT)src/ui/input.cs#startLine=20,startColumn=4,message='source of tainted data')" } ] } ] } The analysisTarget property, whose value was previously a physicalLocation object, is now a string expressed in the mini-language. The introduction of the mini-language does not require us to remove the physicalLocation object, but Michael has argued that the spec should not have two different ways to express the same thing (the physicalLocation object on the one hand, and the mini-language on the other). Option 2: Index into relatedLocationsThe second option expresses the link target as an index into the result.relatedLocations array. To understand this option, you need to know that SARIF defines a property relatedLocations on the result object. Section 3.17.12 explains that this property contains: … an array of one or more unique (§3.9) annotatedCodeLocation objects (§3.25), each of which represents a location relevant to understanding the result. In this example, the location where the tainted data entered the system is “relevant to understanding the result”, so it makes sense in SARIF to express it as a “related location”. This option looks like this: { "version": "1.0.0", "runs": [ { "tool": { "name": "TaintTracker" }, "results": [ { "ruleId": "CA2001", "locations": [ { "analysisTarget": { "uriBaseId": "SRCROOT", "uri": "src/db/sql.cs", "region": { "startLine": 63, "startColumn": 12, "endColumn": 18 } } } ], "message": "Tainted data is used to execute a SQL command. The data entered the system [here](0)", "relatedLocations": [ { "message": "source of tainted data", "physicalLocation": { "uriBaseId": "SRCROOT", "uri": "src/ui/input.cs", "region": { "startLine": 20, "startColumn": 4 } } } ] } ] } ] } The link text is “here”, and the link target is expressed as an index into the relatedLocations array. Note that in this option, the “hover message” (“source of tainted data”) appears as the message property of the annotatedCodeLocation object in the relatedLocations array. In this example, there is only one related location, so the index is 0. Comparison of the optionsOption 1 (mini-language) has these advantages:
Option 2 (index into relatedLocations) has these advantages:
#4 and #5 in this list require you to understand how SARIF represents locations within “nested files” (for example, files within a ZIP archive). I can explain this in more detail if necessary, but if you find #1 through #3 persuasive in themselves, I won’t bother. If you’re interested, you can see Section 3.12.9, which describes the run.files property. Look for the paragraph that starts “In some cases, a file might be nested within another file”. We will discuss this further at the next TC meeting. Thanks for reading all of this! Larry |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]