microsoft / infersharp

Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null dereferences, resource leaks, and thread-safety violations. It also performs taint flow tracking to detect critical security vulnerabilities like SQL injections.
MIT License

report.sarif not generated #196

Closed jkuek closed 1 year ago

jkuek commented 1 year ago

I'm running infersharp on Azure DevOps, using the example provided.

Here's the snippet from my pipeline YAML:

  # Download binaries
  - task: DownloadBuildArtifacts@0
    displayName: 'Download binaries'
    inputs:
      buildType: 'current'
      downloadType: 'single'
      artifactName: 'infersharp-input'
      downloadPath: '$(System.ArtifactsDirectory)'

  - script: |
      curl -o run_infersharp.sh https://raw.githubusercontent.com/microsoft/infersharpaction/v1.4/run_infersharp_ci.sh
      chmod +x run_infersharp.sh
      ./run_infersharp.sh $(System.ArtifactsDirectory)
    displayName: 'Run Infer# analysis'
  # Display as build console logs
  - script: cat $(Build.SourcesDirectory)/infer-out/report.txt
    displayName: 'Infer# analysis result'

  - script: ls $(Build.SourcesDirectory)/infer-out
    displayName: 'list folder contents for debugging'

  # Publish SARIF
  # - task: PublishBuildArtifacts@1
  #   displayName: "Publish Infer# SARIF"
  #   inputs:
  #     PathtoPublish: "$(Build.SourcesDirectory)/infer-out/report.sarif"
  #     ArtifactName: "infersharp-output"
  #     publishLocation: "Container"

You can see I've commented out the publishing of the SARIF file, as it doesn't seem to be present. Here's the listing of the output folder after running infersharp:

bugs.txt capture.db capture.db-shm capture.db-wal config-impact-report.json costs-report.json logs report.json report.txt results.db results.db-shm results.db-wal tmp

Is report.sarif no longer generated by default?

xinshiMSFT commented 1 year ago

Can you update the Infer# analysis section as the following and try again?

  - script: |
      curl -o run_infersharp.sh https://raw.githubusercontent.com/microsoft/infersharpaction/v1.4/run_infersharp_ci.sh
      curl -o .inferconfig https://raw.githubusercontent.com/microsoft/infersharp/v1.4/.inferconfig
      chmod +x run_infersharp.sh
      chmod +x .inferconfig
      ./run_infersharp.sh $(System.ArtifactsDirectory)
    displayName: 'Run Infer# analysis'

spaasis commented 1 year ago

@xinshiMSFT thanks, that modification worked for us at least 👍

jkuek commented 1 year ago

The report.sarif is indeed generated after adding the line "curl -o .inferconfig https://raw.githubusercontent.com/microsoft/infersharp/v1.4/.inferconfig" as you suggested.

Does the documentation need to be updated to add this line? Am I supposed to have a project-specific .inferconfig file?

xinshiMSFT commented 1 year ago

@jkuek Yes, we have updated the documentation pending merge https://github.com/microsoft/infersharp/pull/197.

.inferconfig is not project-specific. It dictates the default behavior of the analyzer. You will always need this file going forward, but you can modify the content to customize it.
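
As an added example (not code from this thread or from the Infer# project), a small Python gate step a pipeline could run after run_infersharp.sh: it distinguishes the missing-.inferconfig case discussed above from other causes of an absent report.sarif, and otherwise summarizes the SARIF output per rule and fails the build above an error threshold. The SARIF sample is constructed in the standard SARIF 2.1.0 shape; its rule names, messages and paths are placeholders, and diagnose_missing_sarif, summarize_sarif and gate are hypothetical names.

```python
import json
import os
import sys
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape (runs -> results -> ruleId/level/locations);
# rule names, messages and paths are placeholders, not taken from a real Infer# report.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Infer#"}}, "results": [
    {"ruleId": "NULL_DEREFERENCE", "level": "error", "message": {"text": "object could be null"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Foo.cs"},
                                         "region": {"startLine": 42}}}]},
    {"ruleId": "RESOURCE_LEAK", "level": "warning", "message": {"text": "resource not released"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Bar.cs"},
                                         "region": {"startLine": 7}}}]},
    {"ruleId": "NULL_DEREFERENCE", "level": "error", "message": {"text": "object could be null"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Foo.cs"},
                                         "region": {"startLine": 58}}}]},
]}]}

def diagnose_missing_sarif(infer_out, workdir="."):
    """Explain an absent report.sarif; the cause in this thread was a missing .inferconfig."""
    if os.path.exists(os.path.join(infer_out, "report.sarif")):
        return "ok"
    if not os.path.exists(os.path.join(workdir, ".inferconfig")):
        return "report.sarif missing: no .inferconfig next to run_infersharp.sh, fetch it first"
    return "report.sarif missing: .inferconfig is present, inspect infer-out/logs"

def summarize_sarif(sarif):
    """Count results per ruleId and list error-level findings as (ruleId, file, line)."""
    by_rule, errors = Counter(), []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            by_rule[res.get("ruleId", "UNKNOWN")] += 1
            if res.get("level") == "error":
                loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
                errors.append((res.get("ruleId"), loc.get("artifactLocation", {}).get("uri"),
                               loc.get("region", {}).get("startLine")))
    return by_rule, errors

def gate(infer_out="infer-out", workdir=".", max_errors=0):
    """Pipeline gate: 2 when SARIF is missing, 1 when errors exceed max_errors, else 0."""
    status = diagnose_missing_sarif(infer_out, workdir)
    if status != "ok":
        print(status, file=sys.stderr)
        return 2
    with open(os.path.join(infer_out, "report.sarif"), encoding="utf-8") as fh:
        by_rule, errors = summarize_sarif(json.load(fh))
    print("\n".join(f"{rule}: {count}" for rule, count in sorted(by_rule.items())))
    return 1 if len(errors) > max_errors else 0

if __name__ == "__main__": sys.exit(gate(*sys.argv[1:3]))
```

Run it as a pipeline step after the analysis (for example `python infer_gate.py $(Build.SourcesDirectory)/infer-out $(Build.SourcesDirectory)`) so a missing SARIF fails the step with a hint rather than silently skipping the publish task.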

jkuek commented 1 year ago

Thanks for your help, I will close this issue now. (By the way, I don't think .inferconfig needs to be executable and have put a comment to that effect in #197.)