Fixing NullReferenceException when --Hashes and telemetry rules are enabled
#531
Conversation
eddynaka
changed the title
NullReferenceException when --Hashes is enabledNullReferenceException when --Hashes and telemetry rules are enabled
| EndTimeUtc = invocation.EndTimeUtc, | ||
| TimeConsumed = invocation.EndTimeUtc - invocation.StartTimeUtc, | ||
| }; | ||
| } |
There was a problem hiding this comment.
this code was moved to the AnalysisSummaryExtractor in previous PRs. #ByDesign
| @@ -40,7 +40,7 @@ public static AnalysisSummary ExtractAnalysisSummary(SarifLog sarifLog, AnalyzeO | |||
| ToolVersion = tool.Driver.Version, | |||
| NormalizedPath = string.Join(";", options.TargetFileSpecifiers.Select(p => System.IO.Path.GetDirectoryName(p)).Distinct()), | |||
| SymbolPath = options.SymbolsPath, | |||
| FileAnalyzed = artifacts.Count, | |||
| FileAnalyzed = artifacts?.Count ?? 0, | |||
| @@ -85,6 +85,17 @@ public override int Run(AnalyzeOptions analyzeOptions) | |||
| analyzeOptions.Kind = new List<ResultKind> { ResultKind.Fail, ResultKind.NotApplicable, ResultKind.Pass }; | |||
| } | |||
|
|
|||
| #pragma warning disable CS0618 // Type or member is obsolete | |||
| if (analyzeOptions.ComputeFileHashes) | |||
There was a problem hiding this comment.
maybe we should make this change in SDK instead?
AnalyzeCommandBase has this check,
MultithreadedAnalyzeCommandBase does not,
if the change is made in Binskim then only Binskim is fixed but not SDK
There was a problem hiding this comment.
I was wondering about that.
Since we want to deprecate --hashes, i would move that logic to AnalyzeCommand and remove the reference from AnalyzeCommandBase.
With that, in the futhre, the options would not have --hashes by default and binskim itself would implement it.
src/BinSkim.Driver/AnalyzeOptions.cs
Outdated
| [Option( | ||
| "binskimAppInsightsKey", | ||
| HelpText = "An ApplicationInsightsKey to which will be send data. If not available, it will read from the environment variable.")] | ||
| public string BinskimAppInsightsKey { get; set; } |
There was a problem hiding this comment.
There was a problem hiding this comment.
We can't accept a change that encourages users to explicitly provide sensitive data on the command-line, this is a very poor security practice, as command-lines are persisted/logged in many contexts. In general, you do not want to compromise your own project quality/security to workaround a bug in another system. If there is a problem with ADO environment variable handling, let's get that reported and see what we can do to resolve. ADO also provides other mechanism for sharing data, including ingestion data from secured network shares (that we could lock down to a build agent account, perhaps). Let's follow up with some folks with relevant expertise offline.
There was a problem hiding this comment.
thanks for the feedback.
i will remove the change and keep it clean to fix the issue that i faced.
There was a problem hiding this comment.
Yes, and this is a very good point, thanks for making it. This isn't the kind of change that we'd want to fold into another PR, it would warrant its own issue. You can follow up with me and Ryley offline about your ADO issue.
There was a problem hiding this comment.
Just updated and sent an email with the details.
thanks for the help!
| @@ -40,7 +40,7 @@ public static AnalysisSummary ExtractAnalysisSummary(SarifLog sarifLog, AnalyzeO | |||
| ToolVersion = tool.Driver.Version, | |||
| NormalizedPath = string.Join(";", options.TargetFileSpecifiers.Select(p => System.IO.Path.GetDirectoryName(p)).Distinct()), | |||
| SymbolPath = options.SymbolsPath, | |||
| FileAnalyzed = artifacts.Count, | |||
| FileAnalyzed = artifacts?.Count ?? 0, | |||
| // FileNotAnalyzed = | |||
There was a problem hiding this comment.
created a work item for that.
With the single thread analysis, the argument
--Hasheswas translated to--insert Hashes, adding the deprecated message.When we moved to the multithreaded analysis, without that condition we would not generate the artifacts.
Since the summary was expecting the artifacts, it was accessing the number of elements directly.