Releases: microsoft/sarif-sdk
v4.5.4
v4.5.4 Sdk | Driver | Converters | Multitool | Multitool Library
- BUG: Fix incorrect base class in rule ADO2012.
v4.5.3
v4.5.3 Sdk | Driver | Converters | Multitool | Multitool Library
- BUG: Restructure shared MessageResourceNames collections to ensure return of correct error messages.
v4.5.2
v4.5.2 Sdk | Driver | Converters | Multitool | Multitool Library
- BUG: Update Skimmer stack in Multitool.Library to support shared MessageResourceNames collections between base rules and their derivatives.
- BUG: Fix message strings to always assume {1} is reserved for the rule's service name.
- BUG: Clean up unused resource strings in Multitool.Library.Rules.RuleResources.resx.
v4.5.1
v4.5.1 Sdk | Driver | Converters | Multitool | Multitool Library
- DEP: Add explicit package references to `Sarif` and `Sarif.Driver` to resolve version conflict build error. `System.Diagnostics.Debug` 4.3.0, `System.IO.FileSystem.Primitives` 4.3.0, `System.Text.Encoding.Extensions` 4.3.0.
v4.5.0
v4.5.0 Sdk | Driver | Converters | Multitool | Multitool Library
- DEP: Downgrade `System.Text.Encoding.CodePages` from 8.0.0 to 4.3.0 in `Sarif`.
- DEP: Remove explicit versioning for `System.Memory` and `System.Runtime.CompilerServices.Unsafe`.
- DEP: Remove spurious references to `System.Collections.Immutable`.
- DEP: Update `Microsoft.Data.SqlClient` reference from 2.1.2 to 2.1.7 in `WorkItems` and `Sarif.Multitool.Library` to resolve CVE-2024-0056.
- DEP: Update `System.Data.SqlClient` reference from 4.8.5 to 4.8.6 in `WorkItems` to resolve CVE-2024-0056.
- BUG: Improve `FileEncoding.IsTextualData` method for detecting binary files.
- BUG: Update `Stack.Create` method to populate missing `PhysicalLocation` instances when stack frames reference relative file paths.
- BUG: Fix `UnsupportedOperationException` in `ZipArchiveArtifact`.
- BUG: Fix `MultithreadedAnalyzeCommandBase` to return rich return code with the `--rich-return-code` option.
- NEW: Add `IsBinary` property to `IEnumeratedArtifact` and implement the property in `ZipArchiveArtifact`.
- NEW: Switch to content-based `IsBinary` categorization for `ZipArchiveArtifact`s.
- PRF: Change default `max-file-size-in-kb` parameter to 10 megabytes.
- PRF: Add support for efficiently peeking into non-seekable streams for binary/text categorization.
- NEW: Add a new `--timeout-in-seconds` parameter to `AnalyzeOptionsBase`, which will override the `TimeoutInMilliseconds` property in `AnalyzeContextBase`.
- NEW: `--post-uri` will skip sending the SARIF log to the configured endpoint if the file contains no results or fatal execution errors.
- NEW: Add the following rules: `ADO1011.ReferenceFinalSchema`, `ADO1013.ProvideRequiredSarifLogProperties`, `ADO1014.ProvideRequiredRunProperties`, `ADO1015.ProvideRequiredResultProperties`, `ADO1016.ProvideRequiredLocationProperties`, `ADO1017.ProvideRequiredPhysicalLocationProperties`, `ADO1018.ProvideRequiredToolProperties`, `ADO2012.ProvideRequiredReportingDescriptorProperties`, `GH1011.ReferenceFinalSchema`, `GH1013.ProvideRequiredSarifLogProperties`, `GH1014.ProvideRequiredRunProperties`, `GH1015.ProvideRequiredResultProperties`, `GH1016.ProvideRequiredLocationProperties`, `GH1017.ProvideRequiredPhysicalLocationProperties`, `GH1018.ProvideRequiredToolProperties`, `GH2012.ProvideRequiredReportingDescriptorProperties`.
- NEW: Add a new `--rule-kind` parameter to `AnalyzeOptionsBase`, which specifies rule kinds to run (`Sarif`, `Ghas`, `Ado`). Example: `--rule-kind Ado;Sarif`.
v4.2.1
SARIF Package Release History (SDK, Driver, Converters, and Multitool)
v4.2.1 Sdk | Driver | Converters | Multitool | Multitool Library
- BUG: Resolve `NotSupportedException` thrown (on .NET 4.8 and earlier) on accessing `DeflateStream.Length` from `MultithreadedZipArchiveArtifactProvider.SizeInBytes` property.
v4.0.0
v4.0.0 Sdk | Driver | Converters | Multitool | Multitool Library
- BRK: `SarifLogger` no longer allows providing a `Tool` instance. Use the `run` parameter instead (and populate it with any custom `Tool` object). #2614
- BRK: `SarifLogger` updates version details differently. #2611
- BRK: Add `ToolComponent` argument to `IAnalysisLogger.Log(ReportingDescriptor, Result)` method. #2611
- BRK: Rename `--normalize-for-github` argument to `--normalize-for-ghas` for `convert` command and mark `--normalize-for-github` as obsolete. #2581
- BRK: Update `IAnalysisContext.LogToolNotification` method to add `ReportingDescriptor` parameter. This is required in order to populate `AssociatedRule` data in `Notification` instances. The new method has an optional value of null for the `associatedRule` parameter to maximize build compatibility. #2604
- BRK: Correct casing of `LogMissingreportingConfiguration` helper to `LogMissingReportingConfiguration`. #2599
- BRK: Change type of `MaxFileSizeInKilobytes` from int to long in `IAnalysisContext` and other classes. #2599
- BRK: For `Guid` properties defined in SARIF spec, updated JSON schema to use `uuid`, and updated C# object model to use `Guid?` instead of `string`. #2555
- BRK: Mark `AnalyzeCommandBase` as obsolete. This type will be removed in the next significant update. #2599
- BRK: `LogUnhandledEngineException` no longer has a return value (and updates the `RuntimeErrors` context property directly as other helpers do). #2599
- BUG: Populate missing context region data for small, single-line scan targets. #2616
- BUG: Increase parallelism in `MultithreadedAnalyzeCommandBase` by correcting task creation. #2618
- BUG: Resolve hangs due to unhandled exceptions during multithreaded analysis file enumeration phase. #2599
- BUG: Resolve hangs due to unhandled exceptions during multithreaded analysis file hashing phase. #2600
- BUG: Another attempt to resolve `InvalidOperationException` with message `Collection was modified; enumeration operation may not execute` in `MultithreadedAnalyzeCommandBase`, raised when analyzing with the `--hashes` switch. #2459. There was a previous attempt to fix this in #2447.
- BUG: Resolve issue where `match-results-forward` command fails to generate VersionControlDetails data. #2487
- BUG: Remove duplicated rule definitions when executing `match-results-forward` commands for results with sub-rule ids. #2486
- BUG: Update `merge` command to properly produce runs by tool and version when passed the `--merge-runs` argument. #2488
- BUG: Eliminate `IOException` and `DirectoryNotFoundException` exceptions thrown by `merge` command when splitting by rule (due to invalid file characters in rule ids). #2513
- BUG: Fix classes inside NotYetAutoGenerated folder missing `virtual` keyword for public methods and properties, by regenerating and manually syncing the changes. #2537
- BUG: MSBuild Converter now accepts case insensitive keywords and supports PackageValidator msbuild log output. #2579
- BUG: Eliminate `NullReferenceException` when file hashing fails (due to file locked or other errors reading the file). #2596
- NEW: Provide `PluginDriver` property (`AdditionalOptionsProvider`) that allows additional options to be exported (typically for command-line arguments). #2599
- NEW: Provide `LogFileSkippedDueToSize` that fires a warning notification if any file is skipped due to exceeding size threshold. #2599
- NEW: Provide overridable `ShouldEnqueue` predicate method to filter files from driver processing. #2599
- NEW: Provide overridable `ShouldComputeHashes` predicate method to prevent files from hashing. #2601
- NEW: Allow external set of `MaxFileSizeInKilobytes`, which will allow SDK users to change the value. (Default value is 1024) #2578
- NEW: Add a GitHub validation rule `GH1007`, which requires flattened result message so GHAS code scanning can ingest the log. #2580
- NEW: Provide mechanism to populate `SarifLogger` with a `FileRegionsCache` instance.
- NEW: Allow initialization of file regions cache in `InsertOptionalDataVisitor` (previously initialized exclusively from `FileRegionsCache.Instance`).
- NEW: Provide `RuleScanTime` trace and emitted timing data. Provide `ScanExecution` trace with no utilization.
- NEW: Populate associated rule data in `LogToolNotification` as called from `SarifLogger`. #2604
- NEW: Add `--normalize-for-ghas` argument to the `rewrite` command to ensure rewritten SARIF is compatible with GitHub Advanced Security (GHAS) ingestion requirements. #2581
- NEW: Allow per-line rolling (partial) hash computation for a file. #2605
- NEW: `SarifLogger` now supports extensions rules data when logging (by providing a `ToolComponent` instance to the result logging method). #2661
- NEW: `SarifLogger` provides a `ComputeHashData` callback to provide hash data for in-memory scan targets. #2614
- NEW: Provide `HashUtilities.ComputeHashes(Stream)` and `ComputeHashesForText(string)` helpers. #2614
v3.1.0
v3.1.0 Sdk | Driver | Converters | Multitool | Multitool Library
- BUGFIX: Loosen `System.Collections.Immutable` minimum version requirement to 1.5.0. #2504
v3.1.0-beta1
v3.1.0-beta1 Sdk | Driver | Converters | Multitool | Multitool Library
- DEPENDENCY BREAKING: SARIF.SDK now requires `System.Collections.Immutable` 1.5.0. #2504
v3.0.0
v3.0.0 Sdk | Driver | Converters | Multitool | Multitool Library
- BUGFIX: Loosen Newtonsoft.JSON minimum version requirement to 6.0.8 (for .NET framework) or 9.0.1 (for all other compilations) for Sarif.Sdk. Sarif.Converters requires 8.0.1, minimally, for .NET framework compilations.
- BUGFIX: Broaden set of supported .NET frameworks for compatibility reasons. Sarif.Sdk, Sarif.Driver and Sarif.WorkItems require net461.
- BUGFIX: Set default stack limit in Newtonsoft.JSON utilization (if `JsonConvert.Defaults` is not already configured) to address GitHub advisory GHSA-5crp-9r3c-p9vr.