Suppress Issue Permanently is spell wrong in the context menu

As we convert to Github actions we should set up our unit test runner to execute

The console.log right now is super verbose, which is helpful for debugging but not necessary for everyday users. The console.log should be behind a debug settings flag of some form, so it can be enabled selectively should a user want it

When running the DevSkim CLI against large files (10 MB+), progress is extremely slow. Since it's a bit less likely that these large files will contain interesting results, I think we should cap file sizes to analyze around maybe 100k or so, with the ability for the user to change if they want.

What

When a finding-region is specified for a condition the plugin doesn't search the region

Why

When a finding-region is matched with regex the values are strings. On the line below a string is added to an integer resulting in a string.

Example

finding-region(-5,5) and the rule match is on line 16

findingRange.start.line + regionMatch[1]
16 + "-5" === "16-5"

So "16-5" is passed into GetDocumentPosition()

"16-5"++ is NaN which causes problems with the rest of the function

Similar behavior for endPos

findingRange.end.line + regionMatch[2] + 1
16 + "5" + 1 === "1651"

While the NaN bug doesn't occur the line number is inaccurate

How to fix

Use unary operators to cast the finding-range values to integers

It appears that DevSkim doesn't clear it's output from the "Problems" pane when an active file is closed, leading to duplicate problem reports and general overwhelming spamming of the problems pane over the course of a day. 🤢

Hi,

in some piece of code using LLVM libs:

if (const auto constExpr = dyn_cast<ConstantExpr>(value)) {
    if (constExpr->getOpcode() == Instruction::BitCast)
        return getAlignment(constExpr->getOperand(0));
        // This is not a rand() call:        ^~~~
}

I get the rand part of the getOperand() call to be highlighted telling me:

[Devskim: Finding DS148264]
Do not use weak/non-cryptographic random number generators
Severity: [Important]

Apparently, this is not a rand() call at all. I guess the engine is doing a substring match only, not a full word match...

ciao,
Mario

After #47 we should then run that NPM against the code (note, should exclude the rules directory)

xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
xmlns:d="http://schemas.microsoft.com/expression/blend/2008"

I'm getting a warning in the form of a wavy purple line under the http text and an DS137138 error message in the output window in xaml files.
Show potential Fixes, has a 'surpress permanently' but it does nothing.
I don't see any obvious way to turn this off. I've read the guidance on this, but simply ignoring it is not acceptable. Also it only works for file that are open in the VS editor, closed files are ignored.
I personally wouldn't use this tool if I can't manage/get rid of these messages, but I do like the concept of this tool so I'm hoping you can fix this up for the v1.

trying to install it with ext install vscode-devskim and there is no extension of that name in the marketplace

Running DevSkim commands in vscode via Cmd+Shift+P, results in an error message:

command 'devskim.scanWorkspace' not found

This occurs in any workspace, except the workspace which was open when I originally installed the DevSkim extension. In the workspace which was open when I originally installed the DevSkim extension, the commands work correctly.

Here are my vscode User settings:

{
    "workbench.colorTheme": "Material Theme Darker High Contrast",
    "workbench.iconTheme": "eq-material-theme-icons-darker",
    "terminal.integrated.rightClickBehavior": "copyPaste",
    "editor.minimap.enabled": false,
    "terminal.integrated.fontWeight": "600",
    "breadcrumbs.enabled": true,
    "window.zoomLevel": 0,
    "eslint.provideLintTask": true,
    "eslint.alwaysShowStatus": true,
    "eslint.validate": [
        "javascript",
        "javascriptreact"
    ],
    "editor.tokenColorCustomizations": {
        "comments": "#a8a790"
    },
    "java.configuration.checkProjectSettingsExclusions": false,
    "javascript.updateImportsOnFileMove.enabled": "always",
    "editor.suggestSelection": "first",
    "vsintellicode.modify.editor.suggestSelection": "automaticallyOverrodeDefaultValue",
    "workbench.panel.defaultLocation": "right",
    "workbench.startupEditor": "newUntitledFile",
    "extensions.autoUpdate": false,
    "explorer.confirmDragAndDrop": false,
    "devskim.enableBestPracticeRules": true,
    "devskim.enableManualReviewRules": true,
    "devskim.manualReviewerName": "mojave"
}

As we convert to Github actions we should produce the NPM package

What

Matched rules with conditions highlight the wrong text

Why

When DevSkimWorker.MatchesConditionPattern() returns true MatchesConditions() returns false

This causes the problem to be pushed as suppressed finding

How to fix

Invert the logic so the function is returning false when there are no matches

if(!DevSkimWorker.MatchesConditionPattern(condition, documentContents, findingRange, langID))

I'm using the VS Code DevSkim extension. When I recently updated to VSCode Insiders 1.34, this extension is causing the editor text cursor to jump around.

Basically, if DevSkim finds anything to report, it places all the issues into the Problems Pane.

In this case, I was editing a PowerShell script file. When I attempt to edit a function which has issues reported by DevSkim, the cursor automatically jumps to the line containing the function declaration after every key press. Infuriating. I disabled DevSkim in one Visual Studio Code window and the issue went away, while it persists in the window where the window has not been reloaded to pick up the fact that I had disabled the extension.

Here's some relevant information you probably need:

Visual Studio Code Insiders Info

Version: 1.34.0-insider (user setup)
Commit: 0ab39f4148f242e7b0802330385fc99b4845aa31
Date: 2019-04-08T05:19:58.162Z
Electron: 3.1.8
Chrome: 66.0.3359.181
Node.js: 10.2.0
V8: 6.6.346.32
OS: Windows_NT x64 10.0.17763

PowerShell Extension version: 1.12.0
DevSkim Version: 0.2.2

As we port our pipeline to GitHub actions, we should have it do the .vsix production

When a single line contains both a finding that can be suppressed (i.e a finding of severity crit, important, etc.) and a finding that gets marked as reviewed (severity "manual-review"), choosing to mark one as reviewed and the other as suppressed causes the two comments to overlap slightly e.g.

//DevSkim: reviewed DS123456 on 2016-//DevSkim: ignore DS1357924 until 2017-01-2112-21

the suppression above is being inserted in the middle of the date instead of at the end of the line as expected

On Visual Studio Code, installing DevSkim crashes the extension engine and you can not use any other extension.

VSCode Insider-build 1.21.0

I just tried the plug-in on my project, and it's giving me 251 errors in the auto-generated yarn.lock.

file: 'file:///c%3A/Users/tim-m/projects/naming/synonymgraph/yarn.lock'
severity: 'Error'
message: '
Severity: [Important]

A token or key was found in source code. If this represents a secret, it should be moved somewhere else.

More Info:
https://github.com/Microsoft/DevSkim/blob/master/guidance/DS173237.md'
at: '7,74'
source: 'Devskim:Do not store tokens or keys in source code.'

Because it's auto-generated it can't be modified to disable a lint error, and so if DevSkim is enabled I have a huge number of "errors" that I can't eliminate in any way (that I can find in the docs).

My workaround is just to disable DevSkim. Let me know if there's a better way.