microsoft / sarif-tools

A set of Python command line tools for working with SARIF files produced by code analysis tools
MIT License

Add getting message in cases where "text" property is not presented in sarif file per RFC3629 #15

Closed makhorkin closed 10 months ago

makhorkin commented 1 year ago

In some cases the message doesn't have a "text" attribute and the result_to_record call fails with an exception:

```
File "C:\Python\lib\site-packages\sarif\sarif_file.py", line 550, in result_to_record
    message = result["message"]["text"]
KeyError: 'text'
```

Example - binskim scan results from Defender for DevOps

Per RFC3629: "At least one of the text (§3.11.8) or id (§3.11.10) properties SHALL be present." https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#RFC3629

The proposed change checks whether the message has a text or id attribute and uses the corresponding key to get the message.

Sample sarif data:

```
{
  "ruleId": "BA2015",
  "ruleIndex": 2,
  "level": "error",
  "message": {
    "id": "Error_NoHighEntropyVA",
    "arguments": [ "clipboard_x86_64.exe" ]
  },
```
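The text-or-id fallback described in this issue, as an added example that is not part of the original post and is not the sarif-tools implementation. It goes one step further than the issue by resolving the id through the rule's `messageStrings` and filling `{n}` placeholders from `arguments`; the function names, the rule entry and its message text are constructed for illustration.

```python
import re

# SARIF message templates: {n} is a placeholder, {{ and }} are literal braces.
_TOKEN = re.compile(r"\{\{|\}\}|\{(\d+)\}")


def find_rule(result, run):
    """Return the rule descriptor a result refers to, or None."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    index = result.get("ruleIndex", -1)
    if isinstance(index, int) and 0 <= index < len(rules):
        return rules[index]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), None)


def fill_placeholders(template, arguments):
    """Substitute message arguments; out-of-range placeholders stay as-is."""
    def repl(match):
        if match.group(1) is None:  # matched "{{" or "}}"
            return match.group(0)[0]
        n = int(match.group(1))
        return str(arguments[n]) if n < len(arguments) else match.group(0)
    return _TOKEN.sub(repl, template)


def message_text(result, run=None):
    """Resolve result.message to display text without assuming "text" exists."""
    message = result.get("message") or {}
    arguments = message.get("arguments", [])
    if "text" in message:
        return fill_placeholders(message["text"], arguments)
    msg_id = message.get("id")
    if msg_id is None:
        return ""  # malformed input: neither text nor id present
    rule = find_rule(result, run or {}) or {}
    template = rule.get("messageStrings", {}).get(msg_id, {}).get("text")
    if template is None:
        # No rule metadata available: fall back to the id plus its arguments.
        return " ".join([msg_id, *map(str, arguments)])
    return fill_placeholders(template, arguments)


# Constructed sample: the result from the issue plus a made-up rule entry.
RESULT = {"ruleId": "BA2015", "ruleIndex": 0, "level": "error",
          "message": {"id": "Error_NoHighEntropyVA",
                      "arguments": ["clipboard_x86_64.exe"]}}
RUN = {"tool": {"driver": {"rules": [{"id": "BA2015", "messageStrings": {
    "Error_NoHighEntropyVA": {"text": "'{0}' lacks high-entropy VA (constructed)."}}}]}}}
```

Returning an empty string for a message with neither property keeps a report run alive on a malformed file; a stricter consumer may prefer to log or reject such results instead.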

balgillo commented 10 months ago

Thank you for spotting this bug, and apologies for the long delay getting your improvement merged. Now merged.