Skip to content

Fix first instance rule being used as rule description for all violations of that rule and other SARIF improvements #7640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 67 commits into
base: main
Choose a base branch
from
Open

Fix first instance rule being used as rule description for all violations of that rule and other SARIF improvements #7640

wants to merge 67 commits into from
+1,185 −26

Conversation

Nettozx
Copy link

@Nettozx Nettozx commented Jul 2, 2025
edited
Loading

  • Fixed issue where the first instance of a rule violation short description would get used for all subsequent rule violations, found that if you make all the rule name and descriptions empty strings, github will default to the instance descriptions
  • Added setting for problem.severity
  • Changed defaultConfiguration.level to use problem.severity instead of security-severity
  • Added more levels for security-severity
  • Added reporting of cwe ID
  • Fixed issue with uncrustify version detection
  • Added unit tests for sarif output

Before:
cppcheck_original_problem

After:
image

Nettozx and others added 22 commits June 30, 2025 21:04
@Nettozx
add description for sarif based on id so github doesnt show same text…
793e0a6 
… for all warnings for that rule
@Nettozx
better description handling and add rule.name to serialize
152f804
@Nettozx
only set severity level for security related sarif findings
f68a78e
@Nettozx
set problem severity for non security findings
348abc7
@Nettozx
Merge branch 'danmar:main' into main
11d537a
@Nettozx
no prefix string, and always set problem severity
ad9703a
@Nettozx
Merge branch 'main' of github.com:Nettozx/cppcheck
6c231a6
@Nettozx
set defaultConfiguration to the same severity level
49f64df
@Nettozx
oops it was already there
86846fc
@Nettozx
guess recommendation is not valid even though the github documentatio…
af080f2 
…n says it is, fix Error details: instance.runs[0].tool.driver.rules[3].defaultConfiguration.level is not one of enum values: none,note,warning,error
@Nettozx
security-severity needs to be a string
ed9b0ae
@Nettozx
try short message for name
ce9c164
@Nettozx
update description functions to fallback to values from finding. add …
069b0dd 
…more mappings
@Nettozx
change name back to short desc, change short desc to shortMessage, up…
1ddf844 
…date severity mapping, add more rule description mappings
@Nettozx
revert the shortDescription value, that causes the original issue to …
428f2ef 
…come back
@Nettozx
update comment
50575b0
@Nettozx
more comment updates
c19bca9
@Nettozx
add to authors
c1c4e90
@Nettozx
braces
a0da1e0
@Nettozx
unit tests
de9a4bc
@Nettozx
remove duplicate code
e46a4fb
@Nettozx
match sarifSeverity for security-severity levels
c1d8f9b
firewave
firewave reviewed Jul 2, 2025
View reviewed changes
@firewave
Copy link
Collaborator

firewave commented Jul 2, 2025

Thanks for you contribution.

I added a remark on how to keep this in sync for future changes. Possibly not something which should addressed before/in this PR.

Also something like --errorlist-sarif might make sense.

danmar
danmar reviewed Jul 2, 2025
View reviewed changes
Copy link
Owner

@danmar danmar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution!!

I believe we'll need to rethink that getRuleDescription somehow but unfortunately I don't see a quick/simple method..

@Nettozx Nettozx marked this pull request as ready for review July 15, 2025 22:47
@Nettozx
Copy link
Author

Nettozx commented Jul 15, 2025

@danmar I have simplified the approach significantly. I added genericMessage output for ErrorMessage class like you recommended and have reduced the regex to a minimum. I also removed the security violation list of errors and now I just add security tag if a CWE ID exists.

@Nettozx
Copy link
Author

Nettozx commented Jul 16, 2025

Actually I just made a discovery. If I make all the descriptions for the rules blank strings, github will default to the instance specific description for each and this solves the problem. So this should greatly simplify the addition.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 16, 2025
View reviewed changes
@Nettozx Nettozx requested a review from danmar July 17, 2025 03:27
@Nettozx
Copy link
Author

Nettozx commented Jul 17, 2025

@danmar @firewave I updated the description of this PR with latest results and changes. This is ready for review now.

@danmar
Copy link
Owner

danmar commented Jul 17, 2025

Actually I just made a discovery. If I make all the descriptions for the rules blank strings, github will default to the instance specific description for each and this solves the problem. So this should greatly simplify the addition.

That is so much better 👍

Sounds like it will both simplify our job and make the user experience better.

danmar
danmar reviewed Jul 17, 2025
View reviewed changes
@Nettozx Nettozx requested a review from danmar July 17, 2025 21:48
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@firewave firewave Awaiting requested review from firewave

@danmar danmar Awaiting requested review from danmar

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Nettozx @firewave @danmar