Fix first instance rule being used as rule description for all violations of that rule and other SARIF improvements

AUTHORS

@@ -405,6 +405,7 @@ Tomo Dote
 Toralf Förster
 Troshin V.S.
 Tyson Nottingham
+Usman Majid
 Valentin Batz
 Valerii Lashmanov
 Vasily Maslyukov

Makefile

@@ -171,7 +171,7 @@ ifndef INCLUDE_FOR_CLI
 endif
 
 ifndef INCLUDE_FOR_TEST
-    INCLUDE_FOR_TEST=-Ilib -Ifrontend -Icli -isystem externals/simplecpp -isystem externals/tinyxml2
+    INCLUDE_FOR_TEST=-Ilib -Ifrontend -Icli -isystem externals/picojson -isystem externals/simplecpp -isystem externals/tinyxml2
 endif
 
 BIN=$(DESTDIR)$(PREFIX)/bin
@@ -239,6 +239,7 @@ LIBOBJ =      $(libcppdir)/valueflow.o \
               $(libcppdir)/preprocessor.o \
               $(libcppdir)/programmemory.o \
               $(libcppdir)/reverseanalyzer.o \
+              $(libcppdir)/sarifreport.o \
               $(libcppdir)/settings.o \
               $(libcppdir)/standards.o \
               $(libcppdir)/summaries.o \
@@ -316,6 +317,7 @@ TESTOBJ =     test/fixture.o \
               test/testpreprocessor.o \
               test/testprocessexecutor.o \
               test/testprogrammemory.o \
+              test/testsarif.o \
               test/testsettings.o \
               test/testsimplifytemplate.o \
               test/testsimplifytokens.o \
@@ -621,6 +623,9 @@ $(libcppdir)/programmemory.o: lib/programmemory.cpp lib/addoninfo.h lib/astutils
 $(libcppdir)/reverseanalyzer.o: lib/reverseanalyzer.cpp lib/addoninfo.h lib/analyzer.h lib/astutils.h lib/checkers.h lib/config.h lib/errortypes.h lib/forwardanalyzer.h lib/library.h lib/mathlib.h lib/platform.h lib/reverseanalyzer.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/utils.h lib/valueptr.h lib/vfvalue.h
 	$(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/reverseanalyzer.cpp
 
+$(libcppdir)/sarifreport.o: lib/sarifreport.cpp externals/picojson/picojson.h lib/addoninfo.h lib/check.h lib/checkers.h lib/config.h lib/cppcheck.h lib/errorlogger.h lib/errortypes.h lib/json.h lib/library.h lib/mathlib.h lib/platform.h lib/sarifreport.h lib/settings.h lib/standards.h lib/utils.h
+	$(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/sarifreport.cpp
+
 $(libcppdir)/settings.o: lib/settings.cpp externals/picojson/picojson.h lib/addoninfo.h lib/checkers.h lib/config.h lib/errortypes.h lib/json.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/settings.h lib/standards.h lib/summaries.h lib/suppressions.h lib/utils.h lib/vfvalue.h
 	$(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/settings.cpp
 
@@ -666,7 +671,7 @@ frontend/frontend.o: frontend/frontend.cpp frontend/frontend.h lib/addoninfo.h l
 cli/cmdlineparser.o: cli/cmdlineparser.cpp cli/cmdlinelogger.h cli/cmdlineparser.h cli/filelister.h externals/tinyxml2/tinyxml2.h lib/addoninfo.h lib/check.h lib/checkers.h lib/color.h lib/config.h lib/cppcheck.h lib/errorlogger.h lib/errortypes.h lib/filesettings.h lib/importproject.h lib/library.h lib/mathlib.h lib/path.h lib/pathmatch.h lib/platform.h lib/settings.h lib/standards.h lib/suppressions.h lib/timer.h lib/utils.h lib/xml.h
 	$(CXX) ${INCLUDE_FOR_CLI} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ cli/cmdlineparser.cpp
 
-cli/cppcheckexecutor.o: cli/cppcheckexecutor.cpp cli/cmdlinelogger.h cli/cmdlineparser.h cli/cppcheckexecutor.h cli/executor.h cli/processexecutor.h cli/sehwrapper.h cli/signalhandler.h cli/singleexecutor.h cli/threadexecutor.h externals/picojson/picojson.h lib/addoninfo.h lib/analyzerinfo.h lib/check.h lib/checkers.h lib/checkersreport.h lib/color.h lib/config.h lib/cppcheck.h lib/errorlogger.h lib/errortypes.h lib/filesettings.h lib/json.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/settings.h lib/standards.h lib/suppressions.h lib/utils.h
+cli/cppcheckexecutor.o: cli/cppcheckexecutor.cpp cli/cmdlinelogger.h cli/cmdlineparser.h cli/cppcheckexecutor.h cli/executor.h cli/processexecutor.h cli/sehwrapper.h cli/signalhandler.h cli/singleexecutor.h cli/threadexecutor.h externals/picojson/picojson.h lib/addoninfo.h lib/analyzerinfo.h lib/check.h lib/checkers.h lib/checkersreport.h lib/color.h lib/config.h lib/cppcheck.h lib/errorlogger.h lib/errortypes.h lib/filesettings.h lib/json.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/sarifreport.h lib/settings.h lib/standards.h lib/suppressions.h lib/utils.h
 	$(CXX) ${INCLUDE_FOR_CLI} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ cli/cppcheckexecutor.cpp
 
 cli/executor.o: cli/executor.cpp cli/executor.h lib/addoninfo.h lib/checkers.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/platform.h lib/settings.h lib/standards.h lib/suppressions.h lib/utils.h
@@ -834,6 +839,9 @@ test/testprocessexecutor.o: test/testprocessexecutor.cpp cli/executor.h cli/proc
 test/testprogrammemory.o: test/testprogrammemory.cpp lib/addoninfo.h lib/check.h lib/checkers.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/programmemory.h lib/settings.h lib/standards.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/vfvalue.h test/fixture.h test/helpers.h
 	$(CXX) ${INCLUDE_FOR_TEST} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ test/testprogrammemory.cpp
 
+test/testsarif.o: test/testsarif.cpp externals/picojson/picojson.h lib/addoninfo.h lib/check.h lib/checkers.h lib/color.h lib/config.h lib/cppcheck.h lib/errorlogger.h lib/errortypes.h lib/filesettings.h lib/json.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/sarifreport.h lib/settings.h lib/standards.h lib/suppressions.h lib/tokenize.h lib/tokenlist.h lib/utils.h test/fixture.h test/helpers.h
+	$(CXX) ${INCLUDE_FOR_TEST} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ test/testsarif.cpp
+
 test/testsettings.o: test/testsettings.cpp lib/addoninfo.h lib/check.h lib/checkers.h lib/color.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/settings.h lib/standards.h lib/suppressions.h lib/tokenize.h lib/tokenlist.h lib/utils.h test/fixture.h test/helpers.h
 	$(CXX) ${INCLUDE_FOR_TEST} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ test/testsettings.cpp
 

cli/cppcheckexecutor.cpp

@@ -33,6 +33,7 @@
 #include "errortypes.h"
 #include "filesettings.h"
 #include "json.h"
+#include "sarifreport.h"
 #include "settings.h"
 #include "singleexecutor.h"
 #include "suppressions.h"
@@ -78,156 +79,6 @@
 #endif
 
 namespace {
-    class SarifReport {
-    public:
-        void addFinding(ErrorMessage msg) {
-            mFindings.push_back(std::move(msg));
-        }
-
-        picojson::array serializeRules() const {
-            picojson::array ret;
-            std::set<std::string> ruleIds;
-            for (const auto& finding : mFindings) {
-                // github only supports findings with locations
-                if (finding.callStack.empty())
-                    continue;
-                if (ruleIds.insert(finding.id).second) {
-                    picojson::object rule;
-                    rule["id"] = picojson::value(finding.id);
-                    // rule.shortDescription.text
-                    picojson::object shortDescription;
-                    shortDescription["text"] = picojson::value(finding.shortMessage());
-                    rule["shortDescription"] = picojson::value(shortDescription);
-                    // rule.fullDescription.text
-                    picojson::object fullDescription;
-                    fullDescription["text"] = picojson::value(finding.verboseMessage());
-                    rule["fullDescription"] = picojson::value(fullDescription);
-                    // rule.help.text
-                    picojson::object help;
-                    help["text"] = picojson::value(finding.verboseMessage()); // FIXME provide proper help text
-                    rule["help"] = picojson::value(help);
-                    // rule.properties.precision, rule.properties.problem.severity
-                    picojson::object properties;
-                    properties["precision"] = picojson::value(sarifPrecision(finding));
-                    const char* securitySeverity = nullptr;
-                    if (finding.severity == Severity::error && !ErrorLogger::isCriticalErrorId(finding.id))
-                        securitySeverity = "9.9"; // We see undefined behavior
-                    //else if (finding.severity == Severity::warning)
-                    //    securitySeverity = 5.1; // We see potential undefined behavior
-                    if (securitySeverity) {
-                        properties["security-severity"] = picojson::value(securitySeverity);
-                        const picojson::array tags{picojson::value("security")};
-                        properties["tags"] = picojson::value(tags);
-                    }
-                    rule["properties"] = picojson::value(properties);
-                    // rule.defaultConfiguration.level
-                    picojson::object defaultConfiguration;
-                    defaultConfiguration["level"] = picojson::value(sarifSeverity(finding));
-                    rule["defaultConfiguration"] = picojson::value(defaultConfiguration);
-
-                    ret.emplace_back(rule);
-                }
-            }
-            return ret;
-        }
-
-        static picojson::array serializeLocations(const ErrorMessage& finding) {
-            picojson::array ret;
-            for (const auto& location : finding.callStack) {
-                picojson::object physicalLocation;
-                picojson::object artifactLocation;
-                artifactLocation["uri"] = picojson::value(location.getfile(false));
-                physicalLocation["artifactLocation"] = picojson::value(artifactLocation);
-                picojson::object region;
-                region["startLine"] = picojson::value(static_cast<int64_t>(location.line < 1 ? 1 : location.line));
-                region["startColumn"] = picojson::value(static_cast<int64_t>(location.column < 1 ? 1 : location.column));
-                region["endLine"] = region["startLine"];
-                region["endColumn"] = region["startColumn"];
-                physicalLocation["region"] = picojson::value(region);
-                picojson::object loc;
-                loc["physicalLocation"] = picojson::value(physicalLocation);
-                ret.emplace_back(loc);
-            }
-            return ret;
-        }
-
-        picojson::array serializeResults() const {
-            picojson::array results;
-            for (const auto& finding : mFindings) {
-                // github only supports findings with locations
-                if (finding.callStack.empty())
-                    continue;
-                picojson::object res;
-                res["level"] = picojson::value(sarifSeverity(finding));
-                res["locations"] = picojson::value(serializeLocations(finding));
-                picojson::object message;
-                message["text"] = picojson::value(finding.shortMessage());
-                res["message"] = picojson::value(message);
-                res["ruleId"] = picojson::value(finding.id);
-                results.emplace_back(res);
-            }
-            return results;
-        }
-
-        picojson::value serializeRuns(const std::string& productName, const std::string& version) const {
-            picojson::object driver;
-            driver["name"] = picojson::value(productName);
-            driver["semanticVersion"] = picojson::value(version);
-            driver["informationUri"] = picojson::value("https://cppcheck.sourceforge.io");
-            driver["rules"] = picojson::value(serializeRules());
-            picojson::object tool;
-            tool["driver"] = picojson::value(driver);
-            picojson::object run;
-            run["tool"] = picojson::value(tool);
-            run["results"] = picojson::value(serializeResults());
-            picojson::array runs{picojson::value(run)};
-            return picojson::value(runs);
-        }
-
-        std::string serialize(std::string productName) const {
-            const auto nameAndVersion = Settings::getNameAndVersion(productName);
-            productName = nameAndVersion.first.empty() ? "Cppcheck" : nameAndVersion.first;
-            std::string version = nameAndVersion.first.empty() ? CppCheck::version() : nameAndVersion.second;
-            if (version.find(' ') != std::string::npos)
-                version.erase(version.find(' '), std::string::npos);
-
-            picojson::object doc;
-            doc["version"] = picojson::value("2.1.0");
-            doc["$schema"] = picojson::value("https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json");
-            doc["runs"] = serializeRuns(productName, version);
-
-            return picojson::value(doc).serialize(true);
-        }
-    private:
-
-        static std::string sarifSeverity(const ErrorMessage& errmsg) {
-            if (ErrorLogger::isCriticalErrorId(errmsg.id))
-                return "error";
-            switch (errmsg.severity) {
-            case Severity::error:
-            case Severity::warning:
-            case Severity::style:
-            case Severity::portability:
-            case Severity::performance:
-                return "warning";
-            case Severity::information:
-            case Severity::internal:
-            case Severity::debug:
-            case Severity::none:
-                return "note";
-            }
-            return "note";
-        }
-
-        static std::string sarifPrecision(const ErrorMessage& errmsg) {
-            if (errmsg.certainty == Certainty::inconclusive)
-                return "medium";
-            return "high";
-        }
-
-        std::vector<ErrorMessage> mFindings;
-    };
-
     class CmdLineLoggerStd : public CmdLineLogger
     {
     public:
@@ -672,19 +523,21 @@ void StdLogger::reportErr(const ErrorMessage &msg)
                                      mGuidelineMapping, msgCopy.severity);
     msgCopy.classification = getClassification(msgCopy.guideline, mSettings.reportType);
 
-    // TODO: there should be no need for verbose and default messages here
-    const std::string msgStr = msgCopy.toString(mSettings.verbose, mSettings.templateFormat, mSettings.templateLocation);
+    if (mSettings.outputFormat == Settings::OutputFormat::sarif) {
+        mSarifReport.addFinding(std::move(msgCopy));
+    } else {
+        // TODO: there should be no need for verbose and default messages here
+        const std::string msgStr = msgCopy.toString(mSettings.verbose, mSettings.templateFormat, mSettings.templateLocation);
 
-    // Alert only about unique errors
-    if (!mSettings.emitDuplicates && !mShownErrors.insert(msgStr).second)
-        return;
+        // Alert only about unique errors
+        if (!mSettings.emitDuplicates && !mShownErrors.insert(msgStr).second)
+            return;
 
-    if (mSettings.outputFormat == Settings::OutputFormat::sarif)
-        mSarifReport.addFinding(std::move(msgCopy));
-    else if (mSettings.outputFormat == Settings::OutputFormat::xml)
-        reportErr(msgCopy.toXML());
-    else
-        reportErr(msgStr);
+        if (mSettings.outputFormat == Settings::OutputFormat::xml)
+            reportErr(msgCopy.toXML());
+        else
+            reportErr(msgStr);
+    }
 }
 
 /**

lib/cppcheck.vcxproj

@@ -80,6 +80,7 @@
     <ClCompile Include="preprocessor.cpp" />
     <ClCompile Include="programmemory.cpp" />
     <ClCompile Include="reverseanalyzer.cpp" />
+    <ClCompile Include="sarifreport.cpp" />
     <ClCompile Include="settings.cpp" />
     <ClCompile Include="standards.cpp" />
     <ClCompile Include="summaries.cpp" />
@@ -156,6 +157,7 @@
     <ClInclude Include="preprocessor.h" />
     <ClInclude Include="programmemory.h" />
     <ClInclude Include="reverseanalyzer.h" />
+    <ClInclude Include="sarifreport.h" />
     <ClInclude Include="settings.h" />
     <ClInclude Include="smallvector.h" />
     <ClInclude Include="sourcelocation.h" />