microsoft · michaelcfanning · Dec 28, 2022 · Dec 6, 2022 · Dec 6, 2022 · Dec 7, 2022
@@ -53,6 +53,13 @@
           "defaultConfiguration": {
             "enabled": true
           }
+        },
+        {
+          "id": "GH1007",
+          "name": "FlattenResultMessage",
+          "defaultConfiguration": {
+            "enabled": true
+          }
         }
       ]
     }

@@ -30,4 +30,7 @@
   <Properties Key='GH1006.ProvideCheckoutPath.Options'>
     <Property Key='RuleEnabled' Value='Error' />
   </Properties>
+  <Properties Key='GH1007.FlattenResultMessage.Options'>
+    <Property Key='RuleEnabled' Value='Error' />
+  </Properties>
 </Properties>
@@ -12,6 +12,7 @@
 * BUGFIX: Eliminate `IOException` and `DirectoryNotFoundException` exceptions thrown by `merge` command when splitting by rule (due to invalid file characters in rule ids). [#2513](https://github.com/microsoft/sarif-sdk/pull/2513)
 * BUGFIX: Fix classes inside NotYetAutoGenerated folder missing `virtual` keyword for public methods and properties, by regenerate and manually sync the changes. [#2537](https://github.com/microsoft/sarif-sdk/pull/2537)
 * FEATURE: Allow external set of `MaxFileSizeInKilobytes`, which will allow SDK users to change the value. (Default value is 1024) [#2578](https://github.com/microsoft/sarif-sdk/pull/2578)
+* FEATURE: Add a Github validation rule `GH1007`, which requires flattened result message so GHAS code scanning can ingest the log. [#2580](https://github.com/microsoft/sarif-sdk/issues/2580)
 
 ## **v3.1.0** [Sdk](https://www.nuget.org/packages/Sarif.Sdk/3.1.0) | [Driver](https://www.nuget.org/packages/Sarif.Driver/3.1.0) | [Converters](https://www.nuget.org/packages/Sarif.Converters/3.1.0) | [Multitool](https://www.nuget.org/packages/Sarif.Multitool/3.1.0) | [Multitool Library](https://www.nuget.org/packages/Sarif.Multitool.Library/3.1.0)
 

diff --git a/src/Sarif.Multitool.Library/Rules/GH1007.FlattenResultMessage.cs b/src/Sarif.Multitool.Library/Rules/GH1007.FlattenResultMessage.cs
@@ -0,0 +1,44 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Collections.Generic;
+
+using Microsoft.Json.Pointer;
+
+namespace Microsoft.CodeAnalysis.Sarif.Multitool.Rules
+{
+    public class FlattenResultMessage : SarifValidationSkimmerBase
+    {
+        public override ReportingConfiguration DefaultConfiguration => new ReportingConfiguration
+        {
+            Level = FailureLevel.Error,
+            Enabled = this.EnabledByDefault
+        };
+
+        /// <summary>
+        /// GH1007
+        /// </summary>
+        public override string Id => RuleId.FlattenResultMessage;
+
+        public override MultiformatMessageString FullDescription => new MultiformatMessageString { Text = RuleResources.GH1007_FlattenResultMessage_FullDescription_Text };
+
+        protected override IEnumerable<string> MessageResourceNames => new string[] {
+            nameof(RuleResources.GH1007_FlattenResultMessage_Error_Default_Text)
+        };
+
+        public override bool EnabledByDefault => false;
+
+        protected override void Analyze(Result result, string resultPointer)
+        {
+            if (string.IsNullOrEmpty(result.Message.Text))
+            {
+                // {0}: The 'text' property of this result message is absent. GitHub Advanced Security code
+                // scanning will reject this file because it does not support the argumented message now.
+                // Try to populate the flattened message text in 'message.text' property.
+                LogResult(
+                    resultPointer.AtProperty(SarifPropertyName.Message),
+                    nameof(RuleResources.GH1007_FlattenResultMessage_Error_Default_Text));
+            }
+        }
+    }
+}
@@ -47,6 +47,7 @@ public static class RuleId
         public const string ReviewArraysThatExceedConfigurableDefaults = "GH1004";
         public const string LocationsMustBeRelativeUrisOrFilePaths = "GH1005";
         public const string ProvideCheckoutPath = "GH1006";
+        public const string FlattenResultMessage = "GH1007";
 
         // TEMPLATE:
         // public const string RuleFriendlyName = "SARIFnnnn";

@@ -450,4 +450,10 @@ Semantics: Assuming the reader of the log file (an end user or another tool) has
   <data name="SARIF2016_FileUrisShouldBeRelative_Note_ShouldNotContainBackSlash_Text" xml:space="preserve">
     <value>{0}: The relative file URL '{1}' contains one or more backslashes, which will be preserved when concatenating to an absolute URL. This can result in inconsistent representations, compared to URLs created from an absolute file path, which may be regarded as not equivalent. Replace all backslashes with forward slashes.</value>
   </data>
+  <data name="GH1007_FlattenResultMessage_Error_Default_Text" xml:space="preserve">
+    <value>{0}: The 'text' property of this result message is absent. GitHub Advanced Security code scanning will reject this file because it does not support the argumented message now. Try to populate the flattened message text in 'message.text' property.</value>
+  </data>
+  <data name="GH1007_FlattenResultMessage_FullDescription_Text" xml:space="preserve">
+    <value>GitHub Advanced Security code scanning will reject a SARIF file that express result messages with 'message.id' and 'message.arguments' but without the 'message.text' property since the arugmented message format is not supported yet. Please populate the flattened message text in 'message.text' property.</value>
+  </data>
 </root>
@@ -411,6 +411,14 @@ public void GH1006_ProvideCheckoutPath_Valid()
         public void GH1006_ProvideCheckoutPath_Invalid()
             => RunInvalidTestForRule(RuleId.ProvideCheckoutPath);
 
+        [Fact]
+        public void GH1007_FlattenResultMessage_Valid()
+            => RunValidTestForRule(RuleId.FlattenResultMessage);
+
+        [Fact]
+        public void GH1007_FlattenResultMessage_Invalid()
+            => RunInvalidTestForRule(RuleId.FlattenResultMessage);
+
         private void RunArrayLimitTest(string testFileNameSuffix)
         {
             // Some of the actual limits are impractically large for testing purposes,

diff --git a/...tData/Multitool/ValidateCommand/ExpectedOutputs/GH1007.FlattenResultMessage_Invalid.sarif b/...tData/Multitool/ValidateCommand/ExpectedOutputs/GH1007.FlattenResultMessage_Invalid.sarif
@@ -0,0 +1,72 @@
+{
+  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.6.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "SARIF Functional Testing",
+          "rules": [
+            {
+              "id": "GH1007",
+              "name": "FlattenResultMessage",
+              "fullDescription": {
+                "text": "GitHub Advanced Security code scanning will reject a SARIF file that express result messages with 'message.id' and 'message.arguments' but without the 'message.text' property since the arugmented message format is not supported yet. Please populate the flattened message text in 'message.text' property."
+              },
+              "messageStrings": {
+                "Error_Default": {
+                  "text": "{0}: The 'text' property of this result message is absent. GitHub Advanced Security code scanning will reject this file because it does not support the argumented message now. Try to populate the flattened message text in 'message.text' property."
+                }
+              },
+              "defaultConfiguration": {
+                "enabled": false,
+                "level": "error"
+              },
+              "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
+            }
+          ]
+        }
+      },
+      "invocations": [
+        {
+          "executionSuccessful": true
+        }
+      ],
+      "artifacts": [
+        {
+          "location": {
+            "uri": "FunctionalTestOutput.ValidateCommand/GH1007.FlattenResultMessage_Invalid.sarif",
+            "uriBaseId": "TEST_DIR"
+          }
+        }
+      ],
+      "results": [
+        {
+          "ruleId": "GH1007",
+          "ruleIndex": 0,
+          "level": "error",
+          "message": {
+            "id": "Error_Default",
+            "arguments": [
+              "runs[0].results[0].message"
+            ]
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 29,
+                  "startColumn": 22
+                }
+              }
+            }
+          ]
+        }
+      ],
+      "columnKind": "utf16CodeUnits"
+    }
+  ]
+}
diff --git a/...estData/Multitool/ValidateCommand/ExpectedOutputs/GH1007.FlattenResultMessage_Valid.sarif b/...estData/Multitool/ValidateCommand/ExpectedOutputs/GH1007.FlattenResultMessage_Valid.sarif
@@ -0,0 +1,28 @@
+{
+  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.6.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "SARIF Functional Testing"
+        }
+      },
+      "invocations": [
+        {
+          "executionSuccessful": true
+        }
+      ],
+      "artifacts": [
+        {
+          "location": {
+            "uri": "FunctionalTestOutput.ValidateCommand/GH1007.FlattenResultMessage_Valid.sarif",
+            "uriBaseId": "TEST_DIR"
+          }
+        }
+      ],
+      "results": [],
+      "columnKind": "utf16CodeUnits"
+    }
+  ]
+}
diff --git a/...Sarif/TestData/Multitool/ValidateCommand/Inputs/GH1007.FlattenResultMessage_Invalid.sarif b/...Sarif/TestData/Multitool/ValidateCommand/Inputs/GH1007.FlattenResultMessage_Invalid.sarif
@@ -0,0 +1,41 @@
+{
+  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.6.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "SARIF Functional Testing",
+          "version": "1.2.3",
+          "rules": [
+            {
+              "id": "TEST1001",
+              "fullDescription": {
+                "text": "Argumented message."
+              },
+              "messageStrings": {
+                "DoesExist": {
+                  "text": "'{0}' is an apparent access token of '{1}'."
+                }
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "TEST1001",
+          "ruleIndex": 0,
+          "message": {
+            "id": "DoesExist",
+            "arguments": [
+              "123456789",
+              "Alibaba Cloud service"
+            ]
+          }
+        }
+      ],
+      "columnKind": "utf16CodeUnits"
+    }
+  ]
+}
diff --git a/...s.Sarif/TestData/Multitool/ValidateCommand/Inputs/GH1007.FlattenResultMessage_Valid.sarif b/...s.Sarif/TestData/Multitool/ValidateCommand/Inputs/GH1007.FlattenResultMessage_Valid.sarif
@@ -0,0 +1,31 @@
+{
+  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.6.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "SARIF Functional Testing",
+          "version": "1.2.3",
+          "rules": [
+            {
+              "id": "TEST1001",
+              "fullDescription": {
+                "text": "Argumented message."
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "TEST1001",
+          "message": {
+            "text": "'123456789' is an apparent access token of 'Alibaba Cloud service'."
+          }
+        }
+      ],
+      "columnKind": "utf16CodeUnits"
+    }
+  ]
+}