Skip to content

New sarif-issues command to create , close github issue and manage the issues lifecycle #133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
japroc wants to merge 53 commits into
base: main
Choose a base branch
from
Open

New sarif-issues command to create , close github issue and manage the issues lifecycle #133

japroc wants to merge 53 commits into from

Conversation

@japroc
Copy link
Contributor

@japroc japroc commented Sep 4, 2025
edited
Loading

Summary

  • add a sarif-issues CLI command that reads SARIF, correlates against existing GitHub issues, and manages issue lifecycle
  • enhance SARIF helpers (path resolution, code-flow formatting, correlation metadata) to support the new command
  • document the workflow, severity filters, dry-run output, and add supporting engineering notes

Documentation

Read sarif-issues reference doc for details: docs/reference/cmd-sarif-issues.md

japroc added 12 commits August 21, 2025 09:52
@japroc
feat: introduce CreateIssue vcs plugin method, and create-issue cmd
dac2098
@japroc
feat: add gihtub plugins methods to update and list issues
13cc07e
@japroc
feat: introduce a cmd to create gh issues from sarif report
10ff8b8
@japroc
fix: better relative path handling on create-issue-from-sarif
2a60d2d 
- extract SARIF location parsing to a dedicated function
- simplify title
@japroc
introduce body parser for later gh issue correlation
8a5f1cf
@japroc
feat: introduce a Correlator struct to match known and new issues
a7a8afd
@japroc
feat(create-issues-from-sarif): managed opening, correlation and clos…
8a8483d 
…ure of github issues
@japroc
chore: remove github copilot instructions
5c32c09
@japroc
add git to dockerfile runtime stage
cf1076f
@japroc
move git from .build-deps
9baa3e6
@japroc
feat: crerate-issues-from-sarif takes fallback namepsace, repository …
109c975 
…and ref values from env vars
@japroc
feat: add labels and assignees support
5d547d3
@japroc japroc self-assigned this Sep 17, 2025
@japroc japroc added the enhancement New feature or request label Sep 17, 2025
japroc added 16 commits September 17, 2025 09:06
@japroc
feat: add reference information to github issue
f8a7a61
@japroc
feat: create an issue comment on issue closure
3a309cc 
- create a vcs interface to create an issue comment
- github plugin implements create an issue comment method
- gitlab and bitbucket implement stubs
- create-issues-from-sarif command writes a comment to an issue before
  closure when a vulnerability is resolved
@japroc
feat: update issue header
2aa16d7
@japroc
misc: better markdown property parsing
fc6487e
@japroc
feat: write display severity instead of raw sarif level value
b0b0f08
@japroc
chore: rename cmd
6e56599
@japroc
docs: add sarif-issues command reference documentation
1467fce
@japroc
refactor: remove redundant code
c426323
@japroc
refactor: remove duplicate API calls
9921efd
@japroc
refactor: large processSARIFReport function decomposition
3107fa3
@japroc
refactor: split sarif-issues cmd to multi-file structure
b8c7787
@japroc
refactor: remove redundant commands
8d16328
@japroc
tests: add sarif issues utils tets
20d6532
@japroc
fix: better metadata parsing to support more edge cases for sarif-iss…
f1f8d12 
…ues command
@japroc
fix: correctly handle relative paths from outside of repo
bb48bd3
@japroc
docs: update usage examples for sarif-issues command to recommend run…
0fe9607 
…ning from repository root
japroc added 12 commits October 10, 2025 08:21
@japroc
feat: ad rule id toissue body metadata
a8f75bd
@japroc
feat: write rule shoty desecription in issue header instead of rule id
5815b6e
@japroc
feat: take issue details from different fields
fb6d5d8
@japroc
feat: enhance SARIF message formatting to include descriptions and hy…
0c82e4a 
…perlinks for CodeQL and Snyk styles
@japroc
feat: add git metadata fallback support for SARIF issues command and …
fc5c52b 
…update usage examples
@japroc
feat: implement filtering of open issues by source folder scope for S…
4a6ba2a 
…ARIF issues command
@japroc
feat: add code flow formatting to SARIF issue body and implement corr…
f86e606 
…esponding tests
@japroc
refactor: replace local subfolder normalization with internal package…
f287f9e 
… functions for improved path handling in SARIF issue processing
@japroc
feat: implement BuildGitHubPermalink function for constructing GitHub…
b2c7bd0 
… permalinks and update related usages in SARIF processing
@japroc
refactor: migrate extractFileURIFromResult and extractRegionFromResul…
4981fde 
…t to internalsarif package and update usages in SARIF issue processing
@japroc
refactor: move computeSnippetHash function to issuecorrelation package
f99bfdb
@japroc
refactor: consolidate displayRuleHeading logic into a single function…
f4bc926 
… and update tests accordingly
@japroc japroc marked this pull request as ready for review October 12, 2025 14:34
japroc added 8 commits October 12, 2025 17:21
@japroc
feat: add default source-folder handling for SARIF issues command
87c94a7
@japroc
fix: update variable names from opts to options for consistency in is…
1fa1eed 
…sue processing
@japroc
refactor: update closeUnmatchedIssues and processSARIFReport function…
a421b60 
…s to return closed issue count and handle logging improvements
@japroc
feat: add configurable severity levels for SARIF issues command and u…
41c2a59 
…pdate documentation
@japroc
feat: implement dry-run mode for SARIF issues command
d312ef2
@japroc
docs: update cmd-sarif-issues documentation to reflect changes in met…
e20b3ab 
…adata enrichment and required parameters validation
@japroc
Resolve merge conflict in cmd/root.go
17dae77 
- Combined imports from both branches (sarifissues and upload)
- Integrated logger initialization from main branch
- Added all command initializations with proper logger parameters
- Fixed sarifissues.Init call to use correct signature (no logger parameter)
- Maintained all command registrations from both branches
@japroc
refactor: update sarifissues command to utilize a global logger and a…
7500570 
…djust function signatures for improved logging
@japroc japroc requested a review from shikari-ac October 12, 2025 17:19
@japroc japroc changed the title issue vm draft New sarif-issues command to create , close github issue and manage the issues lifecycle Oct 12, 2025
shikari-ac
shikari-ac requested changes Oct 13, 2025
View reviewed changes
@shikari-ac
Copy link
Contributor

shikari-ac commented Oct 13, 2025
edited
Loading

General comment. There are several single-feature dependencies (see files in cmd/sarif-issues) that could be reused elsewhere. I’m working on generalizing them into reusable modules. The plan is to reuse the same logic for parsing SARIF and creating/closing findings to support inline PR comments.

Overall, the code looks good to me. We can refactor further as more requirements arrive. I’m already covering part of this in cmd/sarif-comments. In general, I recommend creating globally available dependencies to avoid tight coupling to any specific cmd/feature.

I do have a concern about streaming the list of open issues over RPC. I’m using the same approach for PR comments. Is there any throughput limit where a large list would impact RPC transfer?

My understanding is:

  • We should aim to keep individual RPC messages small (≈1 - 2 MiB).
  • gRPC’s default (hashicorp) max message size is about 4 MiB; larger messages can hurt latency or even fail unless limits are increased.

hashicorp/go-plugin doesn’t provide automatic chunking.

FYI: we should be careful with RPC message sizes. If we approach these limits, migrating the interface to gRPC should be our first step.

@japroc
feat: add body filtering capability to list issues command on plugin …
2a56acb 
…side

- to filter relevant issues by bofy-filter, and don't send not relevant items over RPC
- Introduced `BodyFilter` parameter in `VCSListIssuesRequest` to filter issues based on body content.
- Implemented `filterIssuesByBody` function to handle substring matching for issue bodies.
- Updated `ListIssues` method to apply the body filter if provided, enhancing issue retrieval based on specific criteria.
- Added unit tests for body filtering functionality to ensure correct behavior.
@japroc japroc requested a review from shikari-ac November 2, 2025 09:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shikari-ac shikari-ac Awaiting requested review from shikari-ac

Requested changes must be addressed to merge this pull request.

Assignees

@japroc japroc

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@japroc @shikari-ac