Output of multi-value results
Multiple message values, no flow path
Results of the query https://lgtm.com/query/rule:1790078/lang:javascript/ are
reported via the select
select first, "Character '" + first +
"' is repeated $@ in the same character class.", repeat, "here"
and the json/yaml file has entries
message:
text: |-
Character ''' is repeated [here](1) in the same character class.
Character ''' is repeated [here](2) in the same character class.
Character ''' is repeated [here](3) in the same character class.
Their display in lgtm is here.
Multiple values of first produce distinct results; multiple values of
repeat produce multiple relatedLocations within a single results array entry.
relatedLocations:
- id: 1
physicalLocation:
artifactLocation:
uri: static/js/tinymce/jscripts/tiny_mce/plugins/paste/editor_plugin_src.js
uriBaseId: '%SRCROOT%'
index: 41
region:
startLine: 722
startColumn: 74
endColumn: 75
message:
text: here
- id: 2
...
- id: 3
...
This is consistent with the use of first as the anchor for alerts and for path
problems.
However, things get more complicated when there are flow paths, so the approach of section Multiple message values and flow paths should be used here as well, for consistency: one result per relatedLocation, each carrying only the message line that refers to it.
See also
- Full results: ../data/treeio/results.yaml
- Trimmed test set: ../data/treeio/test_set_1.yaml
Multiple message values and flow paths
The query com.lgtm/javascript-queries:js/unsafe-jquery-plugin
(full version CWE-079/UnsafeJQueryPlugin.ql, lgtm.com results here)
has select
select sink.getNode(), source, sink, "Potential XSS vulnerability in the $@.", plugin,
"'$.fn." + plugin.getPluginName() + "' plugin"
The full results are found in results.yaml, with a testing subset in test_set_1.yaml (../data/treeio/test_set_1.yaml, at the entry "Potential XSS vulnerability in the ['$.fn.datepicker' plugin](1)."); the results for this query are
message:
text: |-
Potential XSS vulnerability in the ['$.fn.datepicker' plugin](1).
Potential XSS vulnerability in the ['$.fn.datepicker' plugin](2).
Potential XSS vulnerability in the ['$.fn.datepicker' plugin](3).
with 3 relatedLocations and 6 threadFlows.
The original query's first column is a sink (sink.getNode()), so the
threadFlows should terminate there – and they do.
locations:
- physicalLocation:
artifactLocation:
uri: static/js/jquery-ui-1.10.3/ui/jquery.ui.datepicker.js
uriBaseId: '%SRCROOT%'
index: 61
region:
startLine: 1027
startColumn: 6
endColumn: 14
In the above query, the source is connected to the plugin (possibly
restricting the result set),
and for this particular result, the first locations of the first two threadFlows
fall within the line range of the first relatedLocation.
Similarly, threadFlows 2 and 3 (counting from 0) fall within the second relatedLocation.
This need not be visible from the output by itself, but we can assume the results form a straight nested product: $$ 1\ \text{result} \times 3\ \frac{\text{relatedLocations}}{\text{result}} \times 2\ \frac{\text{threadFlows}}{\text{relatedLocation}} $$
This way, we can group a relatedLocation with one or more threadFlows and
thus separate one of these clusters into separate results for cleaner
exporting / viewing.
Instead of
- message
- text: |-
Potential XSS vulnerability in the ['$.fn.datepicker' plugin](1).
Potential XSS vulnerability in the ['$.fn.datepicker' plugin](2).
Potential XSS vulnerability in the ['$.fn.datepicker' plugin](3).
- relatedLocations
- id 1
- id 2
- id 3
- codeFlows
- threadFlows
- threadFlows
- threadFlows
- threadFlows
- threadFlows
- threadFlows
this becomes three results, the first of which is:
- message
- text: |-
Potential XSS vulnerability in the ['$.fn.datepicker' plugin](1).
- relatedLocations
- id 1
- codeFlows
- threadFlows
- threadFlows
As a note, the SARIF standard's threadFlow object (section 3.37) does not connect the
two, and a query may or may not connect them. Even if there is a logical
connection, there need not be a physical (location) connection, so a
threadFlow's region may or may not overlap with a relatedLocation's. The grouping above therefore rests on the ordering of the emitted codeFlows, not on anything the format guarantees.
Using
sarif-results-summary \
-s data/treeio/treeio \
-r data/treeio/results.sarif | \
sed -n "/modal-form.html:89:35:93:14/,/RESULT/p" |less
we see a query result with 3 relatedLocations and 3 threadFlows with very
obvious connections between them. More importantly, the ordering is
consistent.
Multiple message values and source/sink pairs
As a special case of Multiple message values and flow paths, we can report only the (source, sink) pairs and drop the flow paths. This is useful in result reports spanning many repositories and multiple tools.
Considering
Potential XSS vulnerability in the ['$.fn.datepicker' plugin](1).
found in test_set_1.yaml, stripping the intermediate steps of the threadFlows, and looking at the
first two threadFlows gives the following simplified structure.
Note that without the flow paths, the first two threadFlows are now identical
(source, sink) pairs; the same holds for the third and fourth, and for the fifth and sixth, so the six flows reduce to three distinct pairs, one per relatedLocation.
- ruleId: com.lgtm/javascript-queries:js/unsafe-jquery-plugin
codeFlows:
- threadFlows:
- locations:
- location:
physicalLocation:
artifactLocation:
uri: static/js/jquery-ui-1.10.3/ui/jquery-ui.js
uriBaseId: '%SRCROOT%'
index: 72
region:
startLine: 9598
startColumn: 28
endColumn: 35
message:
text: options
- location:
physicalLocation:
artifactLocation:
uri: static/js/jquery-ui-1.10.3/ui/jquery.ui.datepicker.js
uriBaseId: '%SRCROOT%'
index: 61
region:
startLine: 1027
startColumn: 6
endColumn: 14
message:
text: altField
- threadFlows:
- locations:
- location:
physicalLocation:
artifactLocation:
uri: static/js/jquery-ui-1.10.3/ui/jquery-ui.js
uriBaseId: '%SRCROOT%'
index: 72
region:
startLine: 9598
startColumn: 28
endColumn: 35
message:
text: options
- location:
physicalLocation:
artifactLocation:
uri: static/js/jquery-ui-1.10.3/ui/jquery.ui.datepicker.js
uriBaseId: '%SRCROOT%'
index: 61
region:
startLine: 1027
startColumn: 6
endColumn: 14
message:
text: altField
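The following Python is an added example, not code from these notes or from the lgtm/CodeQL tooling, that implements the post-processing described in the two preceding sections (splitting a multi-message result into one result per relatedLocation, distributing the codeFlows under the nested-product assumption, and checking that every flow ends at the result's primary location) and in this section (collapsing flows to distinct (source, sink) pairs). It assumes what the text assumes: codeFlows are listed grouped by relatedLocation in relatedLocation order, and each codeFlow holds one threadFlow. The sample result, its file names and its regions are constructed to mirror the shapes shown above and are not taken from results.yaml.

```python
"""Split a SARIF result with one message line per relatedLocation into one
result per relatedLocation, check that flows end at the sink, and collapse
flows to (source, sink) pairs.  Assumes the nested-product ordering of
codeFlows and one threadFlow per codeFlow (see lead-in)."""
import copy
import re

# The "](N)" tail of a SARIF message placeholder such as "[here](2)".
PLACEHOLDER = re.compile(r"\]\((\d+)\)")


def _loc(uri, line, col):
    """Minimal SARIF location object (constructed sample data)."""
    return {"physicalLocation": {
        "artifactLocation": {"uri": uri, "uriBaseId": "%SRCROOT%"},
        "region": {"startLine": line, "startColumn": col}}}


def _code_flow(*locs):
    """One codeFlow holding a single threadFlow through the given locations."""
    return {"threadFlows": [{"locations": [{"location": l} for l in locs]}]}


SINK = _loc("ui/jquery.ui.datepicker.js", 1027, 6)
SOURCES = [_loc("ui/jquery-ui.js", 9598, 28),
           _loc("ui/jquery-ui.js", 9610, 28),
           _loc("ui/jquery-ui.js", 9622, 28)]

# Constructed result: 3 relatedLocations and 6 codeFlows, two per related
# location; each pair shares (source, sink) and differs only in one
# intermediate step, as the page's flows do once their paths are stripped.
SAMPLE = {
    "ruleId": "com.lgtm/javascript-queries:js/unsafe-jquery-plugin",
    "message": {"text": "\n".join(
        f"Potential XSS vulnerability in the ['$.fn.datepicker' plugin]({i})."
        for i in (1, 2, 3))},
    "locations": [SINK],
    "relatedLocations": [
        dict(src, id=i + 1, message={"text": "'$.fn.datepicker' plugin"})
        for i, src in enumerate(SOURCES)],
    "codeFlows": [_code_flow(src, _loc("ui/jquery-ui.js", 9700 + k, 1), SINK)
                  for src in SOURCES for k in (0, 1)],
}


def _key(loc):
    """(uri, line, column) of a location: enough to compare flow endpoints."""
    pl = loc["physicalLocation"]
    return (pl["artifactLocation"]["uri"],
            pl["region"].get("startLine"), pl["region"].get("startColumn"))


def endpoints(code_flow):
    """(source, sink) keys of a codeFlow's first (assumed only) threadFlow."""
    steps = code_flow["threadFlows"][0]["locations"]
    return _key(steps[0]["location"]), _key(steps[-1]["location"])


def flows_end_at_sink(result):
    """True when every codeFlow terminates at the result's primary location."""
    sink = _key(result["locations"][0])
    return all(endpoints(cf)[1] == sink for cf in result.get("codeFlows", []))


def split_result(result):
    """One result per relatedLocation: the single message line that refers
    to it (placeholder renumbered to 1), that relatedLocation as id 1, and
    its block of codeFlows under the nested-product assumption."""
    related = result.get("relatedLocations", [])
    flows = result.get("codeFlows", [])
    if not related:
        return [copy.deepcopy(result)]
    if flows and len(flows) % len(related):
        raise ValueError("codeFlows not an even multiple of relatedLocations: "
                         "the nested-product assumption does not hold")
    per = len(flows) // len(related)
    lines = result["message"]["text"].splitlines()
    out = []
    for i, rel in enumerate(related):
        # Keep only the message line whose placeholder names this id.
        line = next((l for l in lines
                     if str(rel["id"]) in PLACEHOLDER.findall(l)),
                    result["message"]["text"])
        r = copy.deepcopy(result)
        r["message"] = {"text": PLACEHOLDER.sub("](1)", line)}
        r["relatedLocations"] = [dict(copy.deepcopy(rel), id=1)]
        if flows:
            r["codeFlows"] = copy.deepcopy(flows[i * per:(i + 1) * per])
        out.append(r)
    return out


def collapse_to_pairs(result):
    """Drop intermediate steps and keep one two-step codeFlow per distinct
    (source, sink) pair, in first-seen order."""
    r = copy.deepcopy(result)
    kept = {}
    for cf in r.get("codeFlows", []):
        pair = endpoints(cf)
        if pair not in kept:
            steps = cf["threadFlows"][0]["locations"]
            kept[pair] = _code_flow(steps[0]["location"], steps[-1]["location"])
    r["codeFlows"] = list(kept.values())
    return r
```

Running split_result on SAMPLE gives three results, each with one relatedLocation (id 1), a one-line message ending in "(1).", and two codeFlows; collapse_to_pairs then reduces each of those to a single (source, sink) flow. The same split_result works for the no-flow case of the first section, where the result has relatedLocations but no codeFlows. The ValueError is the check to run before trusting the grouping: if the flow count is not a multiple of the relatedLocation count, the nested-product assumption is wrong for that result and the flows must be matched to relatedLocations some other way.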