Add rule verifier check to require a description. (#544)

gfs · web-flow · commit 95e7eacad2b8 · 2023-05-25T02:02:14.000Z
* Add rule verifier check to require a description.

GitHub Sarif Upload Action requires the Help.Text property of each Rule object in the sarif to be populated. We populate this in DevSkim with either the Recommendation, if present, or the Description, if not present. However, previously it was possible to have neither. This adds a verification step to require a description to ensure there is a value to use for sarif export.

* Adds test to fail on rules without description

* Description is now a required field in each rule, SemVer relevant

* Description field may not be null
diff --git a/AppInspector.CLI/Writers/AnalyzeSarifWriter.cs b/AppInspector.CLI/Writers/AnalyzeSarifWriter.cs
@@ -15,7 +15,7 @@
 using Location = Microsoft.CodeAnalysis.Sarif.Location;
 using Result = Microsoft.ApplicationInspector.Commands.Result;
 
-namespace Microsoft.ApplicationInspector.CLI;
+namespace Microsoft.ApplicationInspector.CLI.Writers;
 
 internal static class AnalyzeSarifWriterExtensions
 {
@@ -49,10 +49,9 @@ public override void WriteResults(Result result, CLICommandOptions commandOption
             throw new ArgumentNullException(nameof(StreamWriter));
         }
 
-        string? basePath = null;
-        if (commandOptions is CLIAnalyzeCmdOptions cLIAnalyzeCmdOptions)
+        if (commandOptions is CLIAnalyzeCmdOptions cliAnalyzeCmdOptions)
         {
-            basePath = cLIAnalyzeCmdOptions.BasePath;
+            string? basePath = cliAnalyzeCmdOptions.BasePath;
 
             if (result is AnalyzeResult analyzeResult)
             {
@@ -63,14 +62,14 @@ public override void WriteResults(Result result, CLICommandOptions commandOption
                 log.Runs = new List<Run>();
                 var run = new Run();
 
-                if (Uri.TryCreate(cLIAnalyzeCmdOptions.RepositoryUri, UriKind.RelativeOrAbsolute, out var uri))
+                if (Uri.TryCreate(cliAnalyzeCmdOptions.RepositoryUri, UriKind.RelativeOrAbsolute, out var uri))
                 {
                     run.VersionControlProvenance = new List<VersionControlDetails>
                     {
                         new()
                         {
                             RepositoryUri = uri,
-                            RevisionId = cLIAnalyzeCmdOptions.CommitHash
+                            RevisionId = cliAnalyzeCmdOptions.CommitHash
                         }
                     };
                 }
@@ -106,7 +105,7 @@ public override void WriteResults(Result result, CLICommandOptions commandOption
 
                     if (match.Rule is not null)
                     {
-                        if (!reportingDescriptors.Any(r => r.Id == match.Rule.Id))
+                        if (reportingDescriptors.All(r => r.Id != match.Rule.Id))
                         {
                             ReportingDescriptor reportingDescriptor = new()
                             {
diff --git a/AppInspector.RulesEngine/Rule.cs b/AppInspector.RulesEngine/Rule.cs
@@ -60,7 +60,7 @@ public class Rule
         ///     Human readable description for the rule
         /// </summary>
         [JsonPropertyName("description")]
-        public string? Description { get; set; } = "";
+        public string Description { get; set; } = "";
 
         /// <summary>
         ///     Languages that the rule does not apply to
diff --git a/AppInspector.RulesEngine/RulesVerifier.cs b/AppInspector.RulesEngine/RulesVerifier.cs
@@ -168,6 +168,7 @@ public RuleStatus CheckIntegrity(ConvertedOatRule convertedOatRule)
 
         // Check that regexes for filenames are valid
         foreach (var pattern in (IList<string>?)rule.FileRegexes ?? Array.Empty<string>())
+        {
             try
             {
                 _ = new Regex(pattern, RegexOptions.Compiled);
@@ -179,6 +180,7 @@ public RuleStatus CheckIntegrity(ConvertedOatRule convertedOatRule)
                 errors.Add(MsgHelp.FormatString(MsgHelp.ID.VERIFY_RULES_REGEX_FAIL, rule.Id ?? "", pattern ?? "",
                     e.Message));
             }
+        }
 
         //valid search pattern
         foreach (var searchPattern in rule.Patterns ?? Array.Empty<SearchPattern>())
@@ -365,6 +367,13 @@ public RuleStatus CheckIntegrity(ConvertedOatRule convertedOatRule)
                 errors.Add($"Rule must specify MustNotMatch when `RequireMustNotMatch` is set. {rule.Id}");
             }
         }
+        
+        // Require Description so the Sarif is valid for GitHub sarif upload action
+        if (string.IsNullOrEmpty(rule.Description))
+        {
+            _logger?.LogError("Rule must contain a Description. {0}", rule.Id);
+            errors.Add($"Rule must contain a Description. {rule.Id}");
+        }
 
         return new RuleStatus
         {
diff --git a/AppInspector.Tests/Commands/TestVerifyRulesCmd.cs b/AppInspector.Tests/Commands/TestVerifyRulesCmd.cs
@@ -1,6 +1,7 @@
 ﻿using System;
 using System.Diagnostics.CodeAnalysis;
 using System.IO;
+using System.Linq;
 using CommandLine;
 using Microsoft.ApplicationInspector.Commands;
 using Microsoft.ApplicationInspector.Common;
@@ -40,6 +41,27 @@ public class TestVerifyRulesCmd
       }
     ]
 }
+]";
+    
+    private readonly string _ruleWithoutDescription = @"[
+{
+    ""name"": ""Rule: No Description"",
+    ""id"": ""AI_TEST_NO_DESCRIPTION"",
+    ""tags"": [
+      ""Test.Tags.NoDescription""
+    ],
+    ""severity"": ""Important"",
+    ""patterns"": [
+      {
+        ""confidence"": ""Medium"",
+        ""modifiers"": [
+          ""i""
+        ],
+        ""pattern"": ""windows"",
+        ""type"": ""String"",
+      }
+    ]
+}
 ]";
 
     // Rules are a List<Rule> so they must be contained in []
@@ -420,6 +442,23 @@ public void NoDefaultNoCustomRules()
     {
         Assert.ThrowsException<OpException>(() => new VerifyRulesCommand(new VerifyRulesOptions()));
     }
+    
+    [TestMethod]
+    public void NoDescription()
+    {
+        var path = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
+        File.WriteAllText(path, _ruleWithoutDescription);
+        VerifyRulesOptions options = new()
+        {
+            CustomRulesPath = path
+        };
+
+        VerifyRulesCommand command = new(options, _factory);
+        var result = command.GetResult();
+        File.Delete(path);
+        Assert.AreEqual(1, result.Unverified.Count());
+        Assert.AreEqual(VerifyRulesResult.ExitCode.NotVerified, result.ResultCode);
+    }
 
     [TestMethod]
     public void CustomRules()
diff --git a/version.json b/version.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
-  "version": "1.8",
+  "version": "1.9",
   "publicReleaseRefSpec": [
     "^refs/heads/main$",
     "^refs/heads/v\\d+(?:\\.\\d+)?$"

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@`
`15`	`15`	`using Location = Microsoft.CodeAnalysis.Sarif.Location;`
`16`	`16`	`using Result = Microsoft.ApplicationInspector.Commands.Result;`
`17`	`17`
`18`		`-namespace Microsoft.ApplicationInspector.CLI;`
	`18`	`+namespace Microsoft.ApplicationInspector.CLI.Writers;`
`19`	`19`
`20`	`20`	`internal static class AnalyzeSarifWriterExtensions`
`21`	`21`	`{`
`@@ -49,10 +49,9 @@ public override void WriteResults(Result result, CLICommandOptions commandOption`
`49`	`49`	`throw new ArgumentNullException(nameof(StreamWriter));`
`50`	`50`	`}`
`51`	`51`
`52`		`- string? basePath = null;`
`53`		`- if (commandOptions is CLIAnalyzeCmdOptions cLIAnalyzeCmdOptions)`
	`52`	`+ if (commandOptions is CLIAnalyzeCmdOptions cliAnalyzeCmdOptions)`
`54`	`53`	`{`
`55`		`- basePath = cLIAnalyzeCmdOptions.BasePath;`
	`54`	`+ string? basePath = cliAnalyzeCmdOptions.BasePath;`
`56`	`55`
`57`	`56`	`if (result is AnalyzeResult analyzeResult)`
`58`	`57`	`{`
`@@ -63,14 +62,14 @@ public override void WriteResults(Result result, CLICommandOptions commandOption`
`63`	`62`	`log.Runs = new List<Run>();`
`64`	`63`	`var run = new Run();`
`65`	`64`
`66`		`- if (Uri.TryCreate(cLIAnalyzeCmdOptions.RepositoryUri, UriKind.RelativeOrAbsolute, out var uri))`
	`65`	`+ if (Uri.TryCreate(cliAnalyzeCmdOptions.RepositoryUri, UriKind.RelativeOrAbsolute, out var uri))`
`67`	`66`	`{`
`68`	`67`	`run.VersionControlProvenance = new List<VersionControlDetails>`
`69`	`68`	`{`
`70`	`69`	`new()`
`71`	`70`	`{`
`72`	`71`	`RepositoryUri = uri,`
`73`		`- RevisionId = cLIAnalyzeCmdOptions.CommitHash`
	`72`	`+ RevisionId = cliAnalyzeCmdOptions.CommitHash`
`74`	`73`	`}`
`75`	`74`	`};`
`76`	`75`	`}`
`@@ -106,7 +105,7 @@ public override void WriteResults(Result result, CLICommandOptions commandOption`
`106`	`105`
`107`	`106`	`if (match.Rule is not null)`
`108`	`107`	`{`
`109`		`- if (!reportingDescriptors.Any(r => r.Id == match.Rule.Id))`
	`108`	`+ if (reportingDescriptors.All(r => r.Id != match.Rule.Id))`
`110`	`109`	`{`
`111`	`110`	`ReportingDescriptor reportingDescriptor = new()`
`112`	`111`	`{`
Original file line number	Diff line number	Diff line change
`@@ -168,6 +168,7 @@ public RuleStatus CheckIntegrity(ConvertedOatRule convertedOatRule)`
`168`	`168`
`169`	`169`	`// Check that regexes for filenames are valid`
`170`	`170`	`foreach (var pattern in (IList<string>?)rule.FileRegexes ?? Array.Empty<string>())`
	`171`	`+ {`
`171`	`172`	`try`
`172`	`173`	`{`
`173`	`174`	`_ = new Regex(pattern, RegexOptions.Compiled);`
`@@ -179,6 +180,7 @@ public RuleStatus CheckIntegrity(ConvertedOatRule convertedOatRule)`
`179`	`180`	`errors.Add(MsgHelp.FormatString(MsgHelp.ID.VERIFY_RULES_REGEX_FAIL, rule.Id ?? "", pattern ?? "",`
`180`	`181`	`e.Message));`
`181`	`182`	`}`
	`183`	`+ }`
`182`	`184`
`183`	`185`	`//valid search pattern`
`184`	`186`	`foreach (var searchPattern in rule.Patterns ?? Array.Empty<SearchPattern>())`
`@@ -365,6 +367,13 @@ public RuleStatus CheckIntegrity(ConvertedOatRule convertedOatRule)`
`365`	`367`	errors.Add($"Rule must specify MustNotMatch when `RequireMustNotMatch` is set. {rule.Id}");
`366`	`368`	`}`
`367`	`369`	`}`
	`370`	`+`
	`371`	`+ // Require Description so the Sarif is valid for GitHub sarif upload action`
	`372`	`+ if (string.IsNullOrEmpty(rule.Description))`
	`373`	`+ {`
	`374`	`+ _logger?.LogError("Rule must contain a Description. {0}", rule.Id);`
	`375`	`+ errors.Add($"Rule must contain a Description. {rule.Id}");`
	`376`	`+ }`
`368`	`377`
`369`	`378`	`return new RuleStatus`
`370`	`379`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",`
`3`		`- "version": "1.8",`
	`3`	`+ "version": "1.9",`
`4`	`4`	`"publicReleaseRefSpec": [`
`5`	`5`	`"^refs/heads/main$",`
`6`	`6`	`"^refs/heads/v\\d+(?:\\.\\d+)?$"`