trailofbits / vscode-weaudit

Create code bookmarks and code highlights with a click.
https://marketplace.visualstudio.com/items?itemName=trailofbits.weaudit
GNU General Public License v3.0

Add feature to mark and annotate a code path #7

Closed joaxcar closed 7 months ago

joaxcar commented 7 months ago

This looks like an amazing extension! I have just started playing with it and it fills some of the gaps I have had in my workflow.

The one thing I am still missing from a tool like this is the ability to save and annotate a flow through multiple files when describing a finding.

The workflow that I would like is to mark for example the call of a function in one file

dangerous(user input)

as step 1 (this is the source), and then the dangerous use of the input in file 2

sink(user input)

as step 2 (this is the sink), and easily jump between them and see their connection.

I understand that this might be out of scope for this project, but I wanted to throw this out there.

//Johan

fcasal commented 7 months ago

Hi @joaxcar, thanks for your interest in the extension.

This feature actually already exists in weAudit!

Findings and notes can be multi-region. To use this, suppose you add a finding on dangerous(user input). Then, select sink(user input) and call the weaudit command "weAudit: Add Region to a Finding" and select the corresponding finding.

image

In the List of Findings view you will be able to assign individual labels to each step:

image

I'll make sure to add this feature description to the readme!

joaxcar commented 7 months ago

Oh, that's great @fcasal. Thanks for showing. Guess I could have gone through the list of commands.

Is there any chance that it's also possible to rearrange the order of the notes in one finding? It looks like they get added in the order you add them, and then get stuck there. Would be great to be able to drag and drop them in any order.

But again, this is nitpicking. I will try this out on some real code now!

Again, awesome extension.

fcasal commented 7 months ago

You are correct -- the order of the regions is sequential as you add them to a finding, and you can't rearrange this on the UI.

If you really want to change the order you could go and change the order of the locations list for that entry on the .weaudit file, and then reload vscode:

image

Support for dragging and dropping is possible, and I have considered it before but never implemented it. I'll create a new issue for that feature so it's not lost.
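Reordering the locations list by hand is easy to get wrong (a region dropped or duplicated while cutting and pasting JSON). The following is an added example, not code from weAudit or from this thread, that applies the reorder programmatically and validates the permutation first; the field names ("treeEntries", "label", "locations", "path", "startLine", "endLine") are assumed for illustration and are not a statement of weAudit's real file schema.

```python
import copy
import json

# Constructed sample of a .weaudit-style document; the field names are an
# assumption for this example, not weAudit's documented schema. The source
# and sink were added in the wrong order, as described in the thread.
SAMPLE_WEAUDIT = json.dumps({
    "treeEntries": [
        {
            "label": "Unsanitized input reaches sink",
            "locations": [
                {"path": "src/file2.py", "startLine": 40, "endLine": 40, "label": "sink"},
                {"path": "src/file1.py", "startLine": 12, "endLine": 12, "label": "source"},
            ],
        }
    ]
})


def reorder_locations(doc, finding_label, new_order):
    """Return a copy of `doc` with the locations of the finding named
    `finding_label` permuted according to `new_order` (a list of the
    current indices in the order they should appear afterwards).

    The permutation is validated before anything is written so that the
    edit can never silently drop or duplicate a region.
    """
    entries = [e for e in doc["treeEntries"] if e["label"] == finding_label]
    if len(entries) != 1:
        raise ValueError(f"expected exactly one finding labelled {finding_label!r}")
    locations = entries[0]["locations"]
    if sorted(new_order) != list(range(len(locations))):
        raise ValueError("new_order must be a permutation of the existing indices")
    result = copy.deepcopy(doc)  # leave the caller's document untouched
    target = next(e for e in result["treeEntries"] if e["label"] == finding_label)
    target["locations"] = [locations[i] for i in new_order]
    return result


def reorder_file_text(text, finding_label, new_order):
    """Parse a .weaudit-style JSON string, reorder one finding's regions and
    return the region labels in their new order, to confirm the edit."""
    doc = reorder_locations(json.loads(text), finding_label, new_order)
    entry = next(e for e in doc["treeEntries"] if e["label"] == finding_label)
    return [loc["label"] for loc in entry["locations"]]


if __name__ == "__main__":
    # Swap the two regions so the source comes first: prints ['source', 'sink']
    print(reorder_file_text(SAMPLE_WEAUDIT, "Unsanitized input reaches sink", [1, 0]))
```

Write the returned document back with `json.dump` and reload VS Code as described above; with a real file, confirm the field names against your own .weaudit file first.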