Fix first instance rule being used as rule description for all violations of that rule and other SARIF improvements

[Nettozx]

• Fixed issue where the first instance of a rule violation short description would get used for all subsequent rule violations, found that if you make all the rule name and descriptions empty strings, github will default to the instance descriptions
• Added setting for problem.severity
• Changed defaultConfiguration.level to use problem.severity instead of security-severity
• Added more levels for security-severity
• Added reporting of cwe ID
• Fixed issue with uncrustify version detection
• Added unit tests for sarif output

Before:

After:

[firewave]

Thanks for you contribution.

I added a remark on how to keep this in sync for future changes. Possibly not something which should addressed before/in this PR.

Also something like --errorlist-sarif might make sense.

[danmar]

Thanks for your contribution!!

I believe we'll need to rethink that getRuleDescription somehow but unfortunately I don't see a quick/simple method..

[Nettozx]

@firewave @danmar I have implemented a generic approach that will not require ruleID maintenance, but like @firewave said the security related ruleID list should get moved to --errorlist-sarif or something in the future

[danmar]

In the future.. if I don't respond for couple of days.. feel free to ping me.
It happens that I loose track of PRs.

[Nettozx]

@danmar I have simplified the approach significantly. I added genericMessage output for ErrorMessage class like you recommended and have reduced the regex to a minimum. I also removed the security violation list of errors and now I just add security tag if a CWE ID exists.

[Nettozx]

Actually I just made a discovery. If I make all the descriptions for the rules blank strings, github will default to the instance specific description for each and this solves the problem. So this should greatly simplify the addition.

[Nettozx]

@danmar @firewave I updated the description of this PR with latest results and changes. This is ready for review now.

[danmar]

Actually I just made a discovery. If I make all the descriptions for the rules blank strings, github will default to the instance specific description for each and this solves the problem. So this should greatly simplify the addition.

That is so much better 👍

Sounds like it will both simplify our job and make the user experience better.

[Nettozx]

Actually I just made a discovery. If I make all the descriptions for the rules blank strings, github will default to the instance specific description for each and this solves the problem. So this should greatly simplify the addition.

That is so much better 👍

Sounds like it will both simplify our job and make the user experience better.

@danmar this is ready for review again

[danmar]

Merge remote-tracking branch 'refs/remotes/origin/main'

for your information I prefer if people use git rebase .. instead of git merge .. because it makes the PRs cleaner. I guess it should not matter in the end though because I will squash this PR.

[danmar]

CI: I think you can fix the "dmake" failures by just running make run-dmake in the cppcheck project folder.

[danmar]

I have released 2.18.0 but if you fix this I think a 2.18.1 can be released with this fix.

[Nettozx]

CI: I think you can fix the "dmake" failures by just running make run-dmake in the cppcheck project folder.

@danmar I fixed the dmake issue.

[Nettozx]

@danmar this is ready for review

[danmar]

@Nettozx there are 5 failing tests in the CI have you looked at those?

[Nettozx]

@Nettozx there are 5 failing tests in the CI have you looked at those?

I made an update to move sarif reporter out to its own header because it was in an anonymous class so it couldn't be used for unit test originally. Now that I moved it, I updated the tests so it no longer relies on cppcheck executable and it can use internal libraries.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Nettozx]

@Nettozx there are 5 failing tests in the CI have you looked at those?

@danmar its all passing now

[danmar]

I am very sorry it took so long to review. Please feel free to ping me if it takes more than 3-4 days to get a review.

[Nettozx]

@danmar This should be ready for review again now

[Nettozx]

@danmar the one windows failure is a github action timeout not related to PR, i think you may have to just re-run that test.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud