microsoft / infersharp

Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null dereferences, resource leaks, and thread-safety violations. It also performs taint flow tracking to detect critical security vulnerabilities like SQL injections.
MIT License

Sarif in Azure DevOps #97

Closed buckleyGI closed 2 years ago

buckleyGI commented 2 years ago

Hi,

I read the commit that introduced SARIF support but didn't get any wiser on how to surface it in Azure DevOps with the extension that MS provides.

Building further upon the existing txt output, I thought this might work:

```yaml
  - script: |
      curl -o run_infersharp.sh https://raw.githubusercontent.com/microsoft/infersharp/v1.2/run_infersharp_ci.sh
      chmod +x run_infersharp.sh
      ./run_infersharp.sh inferDir/$(project) --sarif
    displayName: 'Infer# Analysis of $(project)'

  - task: PublishBuildArtifacts@1
    displayName: "Publish analysis logs"
    inputs:
      PathtoPublish: "$(Build.SourcesDirectory)/infer-out"
      ArtifactName: "CodeAnalysisLogs"
      publishLocation: "Container"
```

But I get the following error:

```
[error]Publishing build artifacts failed with an error: Not found PathtoPublish: /__w/1/s/infer-out
```

BTW I don't mind doing some plumbing, but it would be helpful for the developers over at Azure DevOps if there was an extension like there is now for GitHub Actions.

xinshiMSFT commented 2 years ago

Thanks for reporting this. We recently made an update on the GitHub Action side to enable SARIF. Here is the updated snippet for Azure DevOps:

```yaml
- script: |
    curl -o run_infersharp.sh https://raw.githubusercontent.com/microsoft/infersharpaction/v1.2.1/run_infersharp_ci.sh
    chmod +x run_infersharp.sh
    ./run_infersharp.sh $(System.ArtifactsDirectory)
  displayName: 'Run Infer# analysis'

- task: PublishBuildArtifacts@1
  displayName: "Publish analysis logs"
  inputs:
    PathtoPublish: "$(Build.SourcesDirectory)/infer-out/report.sarif"
    ArtifactName: "CodeAnalysisLogs"
    publishLocation: "Container"
```

We will update the instructions on this repo. Thank you!
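Since Azure DevOps has no Infer# extension to surface the SARIF file, a pipeline step can at least inspect `infer-out/report.sarif` before the publish task runs. The script below is an added example, not Infer#'s own code: it counts results per rule and level, returns a distinct exit code when the report is missing (the cause of the "Not found PathtoPublish" error above), and fails the step when any result matches a blocking rule. The embedded SARIF sample and its rule names are constructed placeholders, not Infer#'s real output.

```python
"""Gate an Infer# SARIF report before it is published as a pipeline artifact."""
import json
import os
import sys
from collections import Counter

# Constructed SARIF 2.1.0 sample standing in for infer-out/report.sarif;
# the ruleId values are placeholders, not Infer#'s real identifiers.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Infer#"}},
        "results": [
            {"ruleId": "NULL_DEREFERENCE", "level": "error"},
            {"ruleId": "RESOURCE_LEAK", "level": "warning"},
            {"ruleId": "RESOURCE_LEAK", "level": "warning"},
        ],
    }],
})

def summarize(sarif_text):
    """Count results per (ruleId, level) across every run in the report."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            # SARIF defaults a result's level to "warning" when it is absent.
            counts[(result.get("ruleId", "?"), result.get("level", "warning"))] += 1
    return counts

def blocking_findings(counts, blocking_rules):
    """Number of results, at any level, whose ruleId is in blocking_rules."""
    return sum(n for (rule, _), n in counts.items() if rule in blocking_rules)

def main(path="infer-out/report.sarif", blocking=("NULL_DEREFERENCE",)):
    # PublishBuildArtifacts only says "Not found PathtoPublish" when the report
    # is missing, so check up front and point at the likely cause instead.
    if not os.path.exists(path):
        print(f"{path} not found: did run_infersharp.sh get the right dll folder?")
        return 2
    with open(path, encoding="utf-8") as fh:
        counts = summarize(fh.read())
    for (rule, level), n in sorted(counts.items()):
        print(f"{level:8} {n:4} {rule}")
    return 1 if blocking_findings(counts, set(blocking)) else 0

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it as a `script` step between the analysis and publish steps; a non-zero exit fails the job before an empty or missing report is published.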

buckleyGI commented 2 years ago

No, Thank you @xinshiMSFT !

I can confirm it works :)

Maybe going slightly off topic in this issue, but it was part of the same update (1.2 / 1.2.1) and it also relates to Azure DevOps: I tried to enable only 1 leak detection (`--enable-dotnet-resource-leak`).

```yaml
  - script: |
      curl -o run_infersharp.sh https://raw.githubusercontent.com/microsoft/infersharpaction/v1.2.1/run_infersharp_ci.sh
      chmod +x run_infersharp.sh
      ./run_infersharp.sh inferDir/$(project) --enable-dotnet-resource-leak
    displayName: 'Infer# Analysis of $(project)'
```

And got the error:

```
run_infersharp_ci.sh <dll_folder_path> -- requires 1 argument (dll_folder_path)
```

It's not stopping us from using Infer# so low prio. It is an optimization however as we are mostly interested in this leak type and want to reduce the analysis time.

Thank you again.

buckleyGI commented 2 years ago

FYI, I kept the image at 1.2 (I see a v1.2.1 in this thread):

```yaml
  pool:
    vmImage: 'ubuntu-20.04'
  container:
    image: mcr.microsoft.com/infersharp:v1.2
```