microsoft / sarif-vscode-extension

SARIF Microsoft Visual Studio Code extension
MIT License

Automatic SARIF Downloader from GitHub #403

Closed GeekMasher closed 11 months ago

GeekMasher commented 3 years ago

It would be amazing if, when I use GitHub Advanced Security on my open source or private repository project, I could pull/download the SARIF file and then send it to the renderer automatically. This would allow me as a developer to pull results generated by CodeQL and other SAST tools when my Actions workflows run, and easily view those results.

Suggested Features / Requirements

These are just my thoughts and what I see this plugin allowing people to do.

Please feel free to suggest other features or details.

michaelcfanning commented 3 years ago

@ShiningMassXAcc @jeffersonking

Let's talk about this scenario.

jeffersonking commented 2 years ago

@NickLiffen Do you have a repo with some results ready to go?

NickLiffen commented 2 years ago

@jeffersonking 👋 I have added the data and everything in the slack channel where @michaelcfanning is. We need a way to add you in there. What is your Microsoft email? 📧

jeffersonking commented 2 years ago

@NickLiffen 👋 DMed you my Microsoft email.

jeffersonking commented 2 years ago

I have created a new branch where we are exploring this proposal: https://github.com/microsoft/sarif-vscode-extension/tree/ghas.

markhermeling commented 2 years ago

I'd love to contribute here too, to be able to download SARIF from another remote location. Right now the SARIF viewer (at least on macOS) only allows loading of local SARIF files. I'd like to get one through HTTP.

michaelcfanning commented 2 years ago

@markhermeling, tell us more about your scenario. The direction we're currently exploring is that of a repository which is configured for some out-of-band scanning, like GHAS. The IDEs (we're working on a VS and VS Code integration) will consult some config (likely checked in as code) that will poll the remote store periodically and ingest results, injecting them into the IDE workflow just as compiler errors and other SAST results appear. The complexity here mostly revolves around handling code drift, i.e., how do you continue to leverage async results while modifying the code to make fixes? This problem is exacerbated by the fact that async analysis tends to have fairly high latency.

Now, in VS we've completed some work around a much more limited HTTP download scenario. If you open a SARIF file with embedded HTTP URLs for file locations and double-click one in the editor, VS will confirm you're happy with the download across the Internet, and then acquire and show the downloaded content (which is persisted to the user temp directory). This can be a good way to deliver results to users for IDE exploration when you don't expect them to have a local enlistment.

Another way to accomplish this is to simply embed the source files themselves in the SARIF log, of course. The VS SARIF viewer in particular has good support for this (i.e., will 'see' and retrieve relevant source files from the SARIF log to allow view/troubleshooting of results).
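
The two delivery modes described in this comment (source embedded in the log vs. file locations that are HTTP URLs) can be illustrated with a small resolver. This is an added example, not code from the extension or from the comment author; the SARIF log below is constructed, and the `resolve_result_sources` function simply classifies each result's artifact rather than downloading anything, so a remote URI is only marked as downloadable when the caller opts in, mirroring the confirm-before-download step.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed SARIF 2.1.0 log: artifact 0 embeds its source text, artifact 1 is
# only reachable over https (the remote-download scenario from the thread).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "artifacts": [
        {"location": {"uri": "src/app.c"},
         "contents": {"text": "int main(void) {\n  return 0;\n}\n"}},
        {"location": {"uri": "https://example.invalid/src/util.c"}},
    ],
    "results": [
        {"ruleId": "R1", "message": {"text": "embedded"}, "locations": [
            {"physicalLocation": {"artifactLocation": {"index": 0}}}]},
        {"ruleId": "R2", "message": {"text": "remote"}, "locations": [
            {"physicalLocation": {"artifactLocation": {"index": 1}}}]},
    ]}]})


def artifact_text(artifact):
    """Embedded source from artifacts[].contents (text or base64 binary), else None."""
    contents = artifact.get("contents", {})
    if "text" in contents:
        return contents["text"]
    if "binary" in contents:
        return base64.b64decode(contents["binary"]).decode("utf-8", "replace")
    return None


def resolve_result_sources(sarif_json, allow_remote=False):
    """Map ruleId -> (kind, payload): embedded text, a local path, or a remote URI.
    Remote http(s) artifacts are 'blocked' unless allow_remote is set; nothing
    here performs a download."""
    resolved = {}
    for run in json.loads(sarif_json)["runs"]:
        artifacts = run.get("artifacts", [])
        for result in run.get("results", []):
            ref = result["locations"][0]["physicalLocation"]["artifactLocation"]
            # artifactLocation may carry an index into run.artifacts or a bare uri
            art = artifacts[ref["index"]] if "index" in ref else {"location": ref}
            uri = art["location"]["uri"]
            text = artifact_text(art)
            if text is not None:
                resolved[result["ruleId"]] = ("embedded", text)
            elif urlparse(uri).scheme in ("http", "https"):
                resolved[result["ruleId"]] = ("remote" if allow_remote else "blocked", uri)
            else:
                resolved[result["ruleId"]] = ("local", uri)
    return resolved
```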

markhermeling commented 2 years ago

Thanks @michaelcfanning and good to run into you again.

My scenarios are based on a repository with analysis results. My first target would clearly be a CodeSonar hub, but it should be fairly easy for other vendors to set up something similar.

Hence the scenario I am envisioning is disconnected from the code, to be honest, and based on the SAST repository. As you indicated, there is some 'inconvenience' with the disconnectedness of the scan vs. the current code, but I think there is great value for users. A simple integration with getting the .sarif file from a URL is step 1 (this currently does not work, at least not from a Mac; the UI forces you to point to a file). I spent some time last night to make it happen and try to connect to the current SARIF extension, but I need to brush up my TypeScript knowledge. Then step 2, I think, would be to connect to a repository (over HTTP) that has multiple projects and multiple analyses per project, and have some form of a tree browser to select a past analysis (which is a scan of a particular day and time) and download. In a step 3, I would expect that the SARIF from the repository would have a commit hash and one could use that to get the proper checkout from git.

michaelcfanning commented 2 years ago

Mark, yes, very nice to talk with you again! Your reply is very helpful context.

In re: #1, @jeffersonking is our Mac developer and may be able to comment. Jeff, the feature desired here is the ability to open a SARIF file across HTTP. There is another scenario that would be unblocked by solving this: the ability to retrieve files across HTTP on demand as users explore results.

In re: #3, this is exactly the scenario we're pursuing for GHAS. We would be very glad to work with you to try to configure our working prototype to talk to CodeSonar hub. This will accelerate the conversation on how to make all this configurable. We would need your expertise to understand how to handle auth and some other conversations with your hub. Jeff has deep knowledge of how we're accomplishing this with GHAS.

Now, #2 is interesting and we haven't had much discussion for this scenario, i.e., let a developer 'explore' a range of result sets relevant to a repository (due to multiplicity of projects in a large repo, but also perhaps due to a need to filter specific tools in and out of the result set). This does relate to an active technical discussion around SARIF retrieval, i.e., given a broad set of results stored in something like CodeSonar hub, what's the best way to author an arbitrary query across a REST API to get a set of targeted results? [... this topic is one of the ones we're currently discussing on the OASIS SARIF technical committee]

jasonschroeder-sfdc commented 2 years ago

Looks like this was delivered in https://github.com/microsoft/sarif-vscode-extension/pull/458 ?

jsoref commented 11 months ago

@aeisenberg please close this; it is completed.