* Fix rewriting files with no issues to suppress
Fixes an issue where the Suppress command would rewrite a file essentially as is (but potentially change whitespace) even if all the detected issues in the file were filtered out by the rule filter.
* Respect original newline characters when adding suppression comments
* Rewrite edge-case handling for placing multi-line comments at the start of a line when the line ends with `\` and might be a multi-line continuation, to avoid putting the comment inside the multi-line string.
* Add test cases for fixes
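The two suppression edge cases above (keeping each line's original newline sequence, and not prefixing a comment onto a backslash-continued line) are easy to get wrong. The following is an added example, not DevSkim's own code: it uses DevSkim's `DevSkim: ignore <RuleID>` marker text, but the placement policy (hop back to the first line of the continued construct), the `DS123456` rule ID and the sample input are assumptions constructed for illustration.

```python
"""Added example (not DevSkim's code): insert a block-comment suppression
without corrupting backslash-continued lines, preserving newline style.

The marker text mirrors DevSkim's `DevSkim: ignore <RuleID>`; the placement
policy and the rule ID below are assumptions for illustration only.
"""


def split_lines(text: str) -> list[str]:
    """Split on any newline style but keep each line's own terminator."""
    return text.splitlines(keepends=True)


def content_and_newline(line: str) -> tuple[str, str]:
    """Separate a line into its text and its original terminator ('', '\\n' or '\\r\\n')."""
    body = line.rstrip("\r\n")
    return body, line[len(body):]


def continuation_start(lines: list[str], idx: int) -> int:
    """Walk back to the first line of a backslash-continued construct.

    A line is a continuation when the previous line ends with a backslash
    (C macros, Python strings, shell commands). Prefixing a comment onto such
    a line would land inside the continued construct, so the comment is
    placed on the line that starts it instead.
    """
    while idx > 0 and content_and_newline(lines[idx - 1])[0].endswith("\\"):
        idx -= 1
    return idx


def add_suppression(text: str, line_no: int, rule_id: str) -> str:
    """Prefix the reported 1-based line (or the start of its continued
    construct) with a block comment, keeping indentation and the line's
    original newline sequence intact."""
    lines = split_lines(text)
    target = continuation_start(lines, line_no - 1)
    body, newline = content_and_newline(lines[target])
    indent = body[: len(body) - len(body.lstrip())]
    lines[target] = f"{indent}/* DevSkim: ignore {rule_id} */ {body.lstrip()}{newline}"
    return "".join(lines)


# Constructed sample: a CRLF C file whose macro spans two lines via '\'.
SAMPLE = (
    "#define COPY(d, s) \\\r\n"
    "    strcpy(d, s)\r\n"
    "int x = 1;\r\n"
)

if __name__ == "__main__":
    # A finding on line 2 must not put the comment inside the macro body.
    print(add_suppression(SAMPLE, 2, "DS123456"))
    # A finding on line 3 is prefixed in place.
    print(add_suppression(SAMPLE, 3, "DS123456"))
```

Note that `rstrip("\r\n")` followed by slicing is what keeps a `\r\n` file from silently becoming `\n`: the terminator is copied back verbatim rather than re-emitted from a fixed string.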
* Fix readme typo from #628
* Add guidance for weak random rule
* Add guidance for outdated TLS protocol
* Add guidance for XXE rule
* Add guidance for weak cipher mode rule
* Point disabled cert validation rules at complete guidance
* Add guidance for DPAPI entropy rule
* Use existing HTTPS guidance for Ruby rule
* Add guidance for strncat rule
* Add guidance for strncpy rule
* Add guidance for 3DES rule
* Add guidance for C gets rule
* Add guidance for C strcat rule
* Add guidance for C strcpy rule
* Add guidance for C malloc rule
* Add guidance for banned C function rule
* Add guidance for InitializeSecurityContext rule
* Add guidance for PowerShell restricted function rule
* Add guidance for NOT implementing MD5/SHA1 rule
* Add guidance for objective-c format string rule
* Add guidance for memcpy rule
* Point C++ TLS version rule to existing guidance
* Point .NET outdated SSL rule to general guidance
* Add guidance for seeding RNG with time rule
* Add guidance for mcrypt rules
* Add guidance for debug rule
* Add guidance for iOS uniqueIdentifier rule
* Add guidance for obj-c xss rule
* Add guidance for eval XSS rule
* Add guidance for hardcoded secret rule
* Add guidance for C FILE copy rule
* Add guidance for PHP file include rule
* Add guidance for ASPNET Controller rule
* Add guidance for iOS NSUserDefaults rule
* Add guidance for hashing time rule
* Remove optional encryption rule (applies to unknown tech?)
* Add test condition that guidance must have content
* Update changelog for guidance changes
* Add tests to identify rules with missing or incomplete guidance
* Also consider guidance with "TO DO" incomplete
* Point DES rules at same guidance
* Add guidance for .NET TLS config
* Add guidance for .NET Framework 4.7.2 rule
* Add guidance for .NET Core advisory 4021279
* Add guidance for Microsoft.IdentityModel.Tokens rule
* Add guidance for unsafe keyword rule
* Add guidance for JS setTimeout rule
* Add guidance for weak/broken hash algo rule
* Add guidance for disabling cert validation rule
* Add guidance for avoid $_REQUEST rule
* Add guidance for PHP XSS rule
* Add guidance for strlen rule
* Add guidance for Python datetime rule
* Add changelog for guidance changes
* Add debug info to guidance tests to troubleshoot CI
* Fix finding guidance for DevSkim CLI in CI
* Fix Default Option Settings When Deserializing Options Json
OutputTextFormat and OutputFileFormat were defaulting to string.Empty when deserialized because the default set for instantiating differed from the default value used for command parsing.
* Update Changelog.md
* Append Job Id and Attempt to Pipeline Signed Artifacts
If the pipeline fails during deployment, the failed job cannot be rerun because this task will fail, since the signed_binaries artifact already exists. However, the entire task also can't be re-run because the extensions have already been published by the time it hits this point. This PR adds a unique value so the failed job can be rerun in the case of temporary failures like API key rotations.
* Update Changelog.md
* Add IDs to the extension runs as well.
* Update dependencies
* Improve Confidence Reporting
Adds Confidence Field to Issue Record
Sets Confidence to either Confidence of Pattern if specified, or confidence of overall rule if specified
Report Confidence and Severity in special GitHub SARIF fields.
Add Confidence values to rules
* Update Guidance (#600)
Fixed typo
Tokens/keys in source code
DES->AES Guidance
* Update Changelog.md
---------
Co-authored-by: Cristián Rojas <injcristianrojas@gmail.com>
* Move GitHub Release task to last item in CLI publish
Have been having issues with the GitHub release task failing. It should run after the NuGet release task to avoid missing publication to NuGet.
* Update Changelog.md
* Run Update Settings Generator Manually
Fix #576
Source Generation appears to have been failing on build for the update settings method, resulting in the VS Extension not detecting any issues. Change to manually run the generation and explicitly include the source that would otherwise be generated.
* Update Changelog.md
The scanWorkspace command was supposed to be removed during the bump to major version 1, but was missed.
Co-authored-by: Rob Stewart <robstewart@microsoft.com>
Co-authored-by: Gabe Stocco <98900+gfs@users.noreply.github.com>
* Fix #554
Fixes an issue where we ensured that the .NET install tool had installed the proper version of .NET, but then we called the version of dotnet on the path to start the language server.
* Update Changelog.md
* Rev version to 1.0, remove alpha flag
* Improve VS option description clarity
* Simplify pipeline triggers
* Adds Is Fixable to DevSkimRuleProcession to ensure fixes are applicable before returning via the analyze command
* Remove extra usings
* Clean up
---------
Co-authored-by: David Alcantar <50344095+daalcant@users.noreply.github.com>