DevSkim
Add Scan All Workspace Files Command to DevSkim VS Code
Is your feature request related to a problem? Please describe.
Previous versions of the DevSkim VS Code Extension had a palette command to trigger a scan of all files in the workspace. This was removed with 1.0 due to the new Language Server mechanism, which meant we weren't directly dealing with file paths on disk anymore. We've received some user feedback #555 that this feature should be brought back.
Describe the solution you'd like
Reimplement the Scan All Files in Workspace command
The Microsoft Sarif Viewer has an extension-to-extension API that would be great as an addition to this feature:
https://code.visualstudio.com/api/references/vscode-api#extensions
https://www.nuget.org/packages/Sarif.Viewer.VisualStudio.Interop/2.0.0-csd.1.0.3
Hey @martijn-coolminds can you elaborate a bit more on the integration you'd like to see with the SARIF Viewer Extension? Is it that you'd want to run a full scan of all files in the workspace, output a sarif and have it open in the SARIF Viewer (if also installed)?
Yeah, exactly that! The plugin allows for inter-plugin communication. I'm under the impression that it would allow sending the results directly to the sarif viewer.
I'll see if I can take a look into that possibility - the linked NuGet is for full Visual Studio, I believe, but it looks like this is also possible with the VS Code version as long as the sarif log is written to a file on disk first: https://github.com/Microsoft/sarif-vscode-extension?tab=readme-ov-file#api.
I think that would be something neat to potentially add onto the end of this feature, but this issue first requires some other changes to be able to enumerate + scan all the files in the workspace. I'm not yet sure when I'll be able to revisit this but I think the overall change that would support opening as a sarif log would require something like the following:
- Add a "Scan all Files in Workspace" command palette option - needs to enumerate all files in the workspace, open them for reading and pass their contents to the Language Server for scanning and report those issues in the intellisense issue viewer like the current extension does for each file that is open.
- Add a second "Open current Results in SARIF Viewer" command to the command palette, this would need to then take all the issues that are currently active in DevSkim and export those to a sarif file - the least error prone way to do this would likely leverage the existing sarif writer code from DevSkim which would require feeding those issues back to the language server via a new JSON RPC command, which would return the sarif result, also via another JSON RPC command. This would also allow supporting loading just the currently displayed results in a SARIF Viewer, without performing step 1.
- Write that sarif result to a temp file (unless there is another API to pass the sarif text directly) and then call the above API to load that result with the VS Code SARIF Viewer.
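
Added example, not part of the thread and not DevSkim's code: a sketch of the export step in the plan above, turning the currently active issues into a SARIF 2.1.0 log object. It builds the log by hand on the client instead of calling DevSkim's existing SARIF writer through the language server, and the issue shape (`uri`, `code`, `message`, `severity`, `range`, modelled on LSP diagnostics), the function name `toSarifLog` and the sample rule ids and paths are assumptions.

```javascript
// LSP DiagnosticSeverity (1=Error, 2=Warning, 3=Information, 4=Hint) -> SARIF level.
const LEVELS = { 1: "error", 2: "warning", 3: "note", 4: "note" };

// issues: [{ uri, code, message, severity, range: { start, end } }] (assumed shape)
function toSarifLog(issues, toolName = "DevSkim") {
  const rules = [];            // one entry per distinct rule id
  const ruleIndex = new Map(); // rule id -> index into rules
  const results = issues.map((issue) => {
    if (!ruleIndex.has(issue.code)) {
      ruleIndex.set(issue.code, rules.length);
      rules.push({ id: issue.code });
    }
    const { start, end } = issue.range;
    return {
      ruleId: issue.code,
      ruleIndex: ruleIndex.get(issue.code),
      level: LEVELS[issue.severity] || "warning", // SARIF's default level
      message: { text: issue.message },
      locations: [{
        physicalLocation: {
          artifactLocation: { uri: issue.uri },
          // LSP positions are 0-based; SARIF lines and columns are 1-based.
          region: {
            startLine: start.line + 1,
            startColumn: start.character + 1,
            endLine: end.line + 1,
            endColumn: end.character + 1,
          },
        },
      }],
    };
  });
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: toolName, rules } }, results }],
  };
}

// Constructed sample issues: rule ids and file paths are placeholders.
const pos = (line, character) => ({ line, character });
const sampleIssues = [
  { uri: "file:///ws/a.js", code: "DS-EXAMPLE-1", message: "Weak hash", severity: 1, range: { start: pos(9, 4), end: pos(9, 7) } },
  { uri: "file:///ws/b.py", code: "DS-EXAMPLE-2", message: "TODO left in code", severity: 3, range: { start: pos(0, 0), end: pos(0, 4) } },
  { uri: "file:///ws/c.js", code: "DS-EXAMPLE-1", message: "Weak hash", severity: 2, range: { start: pos(2, 1), end: pos(2, 4) } },
];
```

`JSON.stringify(toSarifLog(sampleIssues))` is the text that the last step would write to a temp file before handing that file to the SARIF Viewer API linked above.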