C/C++: Paths reported in sarif results contain extra back slashes in latest version of CodeQL (2.19.2) #17972
Comments
smowton
changed the title
|
Hi @jacob-ronstadt, Thanks for the report. We're currently discussing internally whether this change is correct or not. |
|
For reference, it looks like when we fixed #15245, we inadvertently introduced this issue, related to this part of the SARIF spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/sarif-v2.1.0-errata01-os-complete.html#_Toc141790717. If I'm understanding correctly, only text inside of links should be double escaped. All other places should be escaped once. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of the issue
Expr used as source in data flow. Source is a string that doesn't match a given pattern:
e.getValue().toString().toLowerCase().matches(pattern)Source is used in the output message:
select f, message, source, source.asIndirectExpr().toString()In the source code the string is a function argument hard-coded such as:
L"\\some\\bad\\path\\test\\test.txt"In the sarif file results from running codeql database analyze with --format=sarif-latest, the same source code, and using the same commands for building and analyzing the database, previous versions of CodeQL CLI (2.17.6 tested) show this as:
"message":{"text":"\\some\\bad\\path\\test\\test.txt"}}]}],while CodeQL CLI 2.19.2 show:
"message":{"text":"\\\\some\\\\bad\\\\path\\\\test\\\\test.txt"}}]}],The text was updated successfully, but these errors were encountered: