
Bump Sarif.Sdk from 2.4.16 to 5.4.1#3396

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/nuget/src/PSRule/Sarif.Sdk-5.4.1

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Contributor

Updated Sarif.Sdk from 2.4.16 to 5.4.1.

Release notes

Sourced from Sarif.Sdk's releases.

4.6.5

v4.6.5 Sdk | Driver | Converters | Multitool | Multitool Library

  • BUG: Fix AccessViolationException in EnumeratedArtifact.RetrieveDataFromStream when the caller-provided stream's Seek re-enters native code (e.g. ASP.NET WebAPI's SeekableBufferedRequestStream over IIS's HttpBufferlessInputStream). Always rewind via PeekableStream instead of trusting Stream.CanSeek.

4.6.4

v4.6.4 Sdk | Driver | Converters | Multitool | Multitool Library

  • BUGFIX: Drop the missing-partialFingerprints check from BaseProvideRequiredResultProperties (Base1015), which removes the firing for ADO1015/ADO1017 and GH1015/GH1017. Both Advanced Security for Azure DevOps and GitHub code scanning compute partialFingerprints automatically when omitted, so the error-level "this property is required by the {service} service" message was misleading. See GHAZDO third-party SARIF docs (Sprint 245 ruleId inclusion, Sprint 255 advancedsecurity.publish.allowmissingpartialfingerprints) and GitHub code scanning SARIF support — Fingerprint generation. AI producers are already advised against persisting fingerprints by AI2011.
  • BRK: Rename Microsoft.CodeAnalysis.Sarif.Multitool.OptionsInterpretter (and its test class OptionsInterpretterTests) to OptionsInterpreter / OptionsInterpreterTests (single t). External callers of Sarif.Multitool.Library constructing new OptionsInterpretter(...) must update to new OptionsInterpreter(...).
  • NEW: Add partition multitool verb that splits one SARIF log into many by strategy (PerRule (default), PerRunPerRule, PerRun, PerResult, PerRunPerTarget, PerRunPerTargetPerRule, PerIndexList). Wraps SarifPartitioner.Partition, so each output gets its tool.driver.rules and run.artifacts pruned to only what the partition references.
  • NEW: Add SplittingStrategy.PerIndexList plus the --indices mini-language for explicit per-result bucket assignment: <runId>:<r1>,<r2>;<runId>:...|<bucket>..., with bare-int shorthand for run 0 and SARIF URL fallback (sarif:/runs/X/results/Y, §3.10.3). Optional --spillover-bucket NAME captures uncovered results; --strict-coverage errors on uncovered results. Duplicate or out-of-range addresses error.
  • NEW: Add public SDK helper Microsoft.CodeAnalysis.Sarif.Writers.PartitionFunctions (ForStrategy, ForIndexList, ParseIndexSpec, ResultAddress) to centralize partition-key derivation across SDK consumers.
  • BUG: Fix System.ArgumentException: Illegal characters in path. thrown from MultithreadedAnalyzeCommandBase.IsOpcArtifact on .NET Framework when an artifact's URI yields a file path containing characters illegal in a Windows path (e.g., the ? of a URI query string, or |, <, >, "). The path is now sanitized via PathExtensions.ReplaceInvalidCharInFileName before being passed to Path.GetExtension.
  • BUG: Fix InvalidOperationException: Collection was modified thrown from Newtonsoft.Json.JsonSerializerInternalWriter.SerializeDictionary inside SarifLogger.Dispose on .NET Framework when SarifRewritingVisitor.VisitReportingDescriptor ran concurrently with serialization on a peer logger that shared the same ReportingDescriptor instance. The visitor now builds a new MessageStrings dictionary and assigns the field atomically, so any concurrent reader sees a stable dictionary that nobody is mutating.

4.6.3

v4.6.3 Sdk | Driver | Converters | Multitool | Multitool Library

  • BRK: Renumber AI validation rules for RFC 2119 compliance (AI1xxx = MUST/SHALL error; AI2xxx = SHOULD warning/note). AI2006 → AI1005, AI1007 → AI2014. The AI3xxx series is eliminated.
  • NEW: Add AI1010.EvidenceBackingResolvable (error) — every sarif: URI in ai/evidence[].backing SHALL resolve to an element within the log file (§3.10.3).
  • NEW: Add AI1011.RedactedRunMarker (error) — ai/redacted SHALL be true or absent (never false); when true, run.redactionTokens SHALL be non-empty; ai/fullLogLocation SHALL NOT appear unless ai/redacted is true.
  • NEW: Add AI1012.ProvideRuleSubId (error) — AI-generated results MUST carry a hierarchical sub-component on result.ruleId beyond the base reportingDescriptor.id.
  • NEW: Add AI1013.NotificationAssociatedRuleResolvable (error) — if notification.associatedRule is present, it SHALL resolve to a valid rule in tool.driver.rules[] or an extension's rules[].
  • NEW: Add AI1014.ExecutionNotificationPlacement (error) — AI/EXEC/* descriptors SHALL appear only in toolExecutionNotifications; AI/CFG/* descriptors SHALL appear only in toolConfigurationNotifications.
  • NEW: Add AI2015.ProvideAttackerPosition (warning) — each result SHOULD declare ai/attackerPosition. Follows the all-or-nothing pattern.
  • NEW: Add AI2016.EvidenceBackingConsistency (warning) — an ai/evidence[] entry with strength: "demonstrated" SHOULD carry non-empty backing.
  • NEW: Add AI2017.ProvideNotificationDescriptor (warning) — every notification SHOULD have a descriptor that resolves to a reportingDescriptor in tool.driver.notifications[].
  • NEW: Add AI2018.ProvideExecutionSignalArtifact (note) — AI/EXEC/ALAS-SIGNAL notifications SHOULD include a locations[] entry referencing a valid artifact with roles containing "attachment".
  • NEW: Add AI2019.ProvideNotificationTimestamp (note) — notifications SHOULD include timeUtc for execution timeline reconstruction.

4.6.2

v4.6.2 Sdk | Driver | Converters | Multitool | Multitool Library

  • NEW: Add AI1003.ProvideRequiredRegionProperties validation rule — error when result locations lack a region or required region properties. Mirrors SARIF2017 at error level for AI profile.
  • NEW: Add AI1004.ProvideVersionControlProvenance validation rule — error when run.versionControlProvenance is missing or empty. Ensures AI findings are traceable to source control.
  • NEW: Add AI2006.ProvideMessageMarkdown validation rule — error when AI-generated findings do not include message.markdown.
  • NEW: Add AI1007.ProvideExploitability validation rule — warns when result.properties["ai/exploitability"] is missing or contains an unrecognized value (valid: demonstrated, poc, theoretical). Follows the suppressions pattern (§3.27.23): exploitability must be present on all results or absent from all results; mixed presence is flagged as a data quality error.
  • NEW: Add AI1012.ProvideAIHandoff validation rule — notes when run.properties["ai/handoff"] is missing or empty. This property is intended to provide human-readable handoff instructions for triaging and acting on AI-generated findings.
  • NEW: Add SARIF2017.ProvideRequiredRegionProperties validation rule — warns when result locations lack a region or startLine. Fires in standard profile only (--rule-kind Sarif).
  • NEW: Add RuleKind.AI to SARIF2010.ProvideCodeSnippets and SARIF2011.ProvideContextRegion so these rules fire under --rule-kind AI with no configuration file needed.
  • DEL: Remove policies/ai.config.xml — AI validation now works zero-config via --rule-kind AI.

4.6.1

v4.6.1 Sdk | Driver | Converters | Multitool | Multitool Library

  • NEW: Add health check query parameter support for --post-uri validation. The driver now appends ?healthcheck=true to POST URIs during validation and accepts HTTP 202 (Accepted), or 422 (Unprocessable Entity) as valid responses. This provides better support for endpoints that implement health check functionality while maintaining backwards compatibility with servers that return 422 for empty payloads.
  • NEW: SarifLogger.AnalyzingTarget now optionally emits an explicit artifacts table entry (with AnalysisTarget role) for every scan target when OptionallyEmittedData.AnalysisTargets is set via --insert.

4.6.0

v4.6.0 Sdk | Driver | Converters | Multitool | Multitool Library

  • BRK: Remove defunct and unsupported kusto command in Sarif.Multitool.
  • BRK: Remove support for .NET Core 3.1 and .NET 6.0 in preference of a supported version of .NET, net8.0.
  • BRK: Remove HashData.MD5, HashUtilities.ComputeMD5Hash due to the inherent insecurity of this algorithm.
  • BRK: 'HashUtilities.ComputeHash' no longer generates MD5 hashes (only SHA1 and SHA256).
  • DEP: Remove dependency on Microsoft.Azure.Kusto.Data.
  • DEP: Update Azure.Identity reference from 1.10.2 to 1.13.1 in WorkItems and Sarif.Multitool.Library to resolve CVE-2024-29992 and other CVEs.
  • DEP: Update Azure.Core from 1.35.0 to 1.41.1 to satisfy minimum requirement of Azure.Identity 1.12.1 (that has no known vulnerabilities).
  • DEP: Update System.Text.Encodings.Web from 5.0.1 to 6.0.0 (required by transitive closure of dependency requirements from other updates).
  • DEP: Update all Newtonsoft.Json references to 13.0.3 to resolve CVE-2024-21907.
  • DEP: Update Microsoft.Data.SqlClient from 2.1.7 to 5.2.2 so its dependencies Microsoft.IdentityModel.JsonWebTokens and System.IdentityModel.Tokens.Jwt upgrade to non-vulnerable version 6.35.0 (GHSA-59j7-ghrg-fj52).
  • BUG: Resolve process hangs when a file path is provided with a wildcard, but without a -r (recurse) flag during the multi-threaded analysis file enumeration phase.
  • BUG: Fix error ERR997.NoValidAnalysisTargets when scanning symbolic link files.
  • BUG: Fix error ERR997.NoValidAnalysisTargets when passing wildcard patterns (e.g., *.txt) to OrderedFileSpecifier. A recent change limited our wildcard support strictly to use of * only.
  • BUG: Fix ERR999.UnhandledEngineException: System.IO.FileNotFoundException: Could not find file when a file name or directory path contains URL-encoded characters.
  • BUG: Fix error ERR997.NoValidAnalysisTargets when ambiguous file/directory references are provided to OrderedFileSpecifier. Previously, the code required an explicit directory separator to be added to the end of a directory path. Now, the code inspects the file system and assumes that a reference to an existing directory was intended by the user (even without a trailing separator).
  • BUG: Fixed error ERR997.NoValidAnalysisTargets | TargetParseError when processing OPC files by correctly handling programmatic usage and skipping redundant file access when a stream is provided via EnumeratedArtifact.
  • BUG: Eliminate unhandled UriFormatException: Invalid URI: The format of the URI could not be determined. when creating a ZipArchiveArtifact with a relative URI.
  • BUG: Refactored MultithreadedCommandBase to check for empty or oversized artifacts before attempting to load OPC artifacts. This avoids unnecessary processing and improves performance by skipping invalid inputs early.
  • NEW: Allow null archive uri in MultithreadedZipArchiveArtifactProvider (which indicates that enumerated artifact paths should not include the base archive).
  • NEW: Update LogTargetParseError(IAnalysisContext, Region, string, Exception) to include optional exception argument to denote code location where parse error occurred.
  • NEW: MultithreadedAnalyzeCommandBase.EnumerateArtifact now supports scanning into compressed (OPC) files. Initial support file extensions are: .apk, .appx, .appxbundle, .docx, .epub, .jar, .msix, .msixbundle, .odp, .ods, .odt, .onepkg, .oxps, .pkg, .pptx, .unitypackage, .vsix, .vsdx, .xps, .xlsx, .zip.

4.5.4

v4.5.4 Sdk | Driver | Converters | Multitool | Multitool Library

  • BUG: Fix incorrect base class in rule ADO2012.

4.5.3

v4.5.3 Sdk | Driver | Converters | Multitool | Multitool Library

  • BUG: Restructure shared MessageResourceNames collections to ensure return of correct error messages.

4.5.2

v4.5.2 Sdk | Driver | Converters | Multitool | Multitool Library

  • BUG: Update Skimmer stack in Multitool.Library to support shared MessageResourceNames collections between base rules and their derivatives.
  • BUG: Fix message strings to always assume {1} is reserved for the rule's service name.
  • BUG: Clean up unused resource strings in Multitool.Library.Rules.RuleResources.resx.

4.5.1

v4.5.1 Sdk | Driver | Converters | Multitool | Multitool Library

  • DEP: Add explicit package references to Sarif and Sarif.Driver to resolve version conflict build error.
    System.Diagnostics.Debug 4.3.0,
    System.IO.FileSystem.Primitives 4.3.0,
    System.Text.Encoding.Extensions 4.3.0.

4.5.0

v4.5.0 Sdk | Driver | Converters | Multitool | Multitool Library

  • DEP: Downgrade System.Text.Encoding.CodePages from 8.0.0 to 4.3.0 in Sarif.
  • DEP: Remove explicit versioning for System.Memory and System.Runtime.CompilerServices.Unsafe.
  • DEP: Remove spurious references to System.Collections.Immutable.
  • DEP: Update Microsoft.Data.SqlClient reference from 2.1.2 to 2.1.7 in WorkItems and Sarif.Multitool.Library to resolve CVE-2024-0056.
  • DEP: Update System.Data.SqlClient reference from 4.8.5 to 4.8.6 in WorkItems to resolve CVE-2024-0056.
  • BUG: Improve FileEncoding.IsTextualData method for detecting binary files.
  • BUG: Update Stack.Create method to populate missing PhysicalLocation instances when stack frames reference relative file paths.
  • BUG: Fix UnsupportedOperationException in ZipArchiveArtifact.
  • BUG: Fix MultithreadedAnalyzeCommandBase to return rich return code with the --rich-return-code option.
  • NEW: Add IsBinary property to IEnumeratedArtifact and implement the property in ZipArchiveArtifact.
  • NEW: Switch to content-based IsBinary categorization for ZipArchiveArtifacts.
  • PRF: Change default max-file-size-in-kb parameter to 10 megabytes.
  • PRF: Add support for efficiently peeking into non-seekable streams for binary/text categorization.
  • NEW: Add a new --timeout-in-seconds parameter to AnalyzeOptionsBase, which will override the TimeoutInMilliseconds property in AnalyzeContextBase.
  • NEW: --post-uri will skip sending the SARIF log to the configured endpoint if the file contains no results or fatal execution errors.
  • NEW: Add the following rules:
    ADO1011.ReferenceFinalSchema,
    ADO1013.ProvideRequiredSarifLogProperties,
    ADO1014.ProvideRequiredRunProperties,
    ADO1015.ProvideRequiredResultProperties,
    ADO1016.ProvideRequiredLocationProperties,
    ADO1017.ProvideRequiredPhysicalLocationProperties,
    ADO1018.ProvideRequiredToolProperties,
    ADO2012.ProvideRequiredReportingDescriptorProperties,
    GH1011.ReferenceFinalSchema,
    GH1013.ProvideRequiredSarifLogProperties,
    GH1014.ProvideRequiredRunProperties,
    GH1015.ProvideRequiredResultProperties,
    GH1016.ProvideRequiredLocationProperties,
    GH1017.ProvideRequiredPhysicalLocationProperties,
    GH1018.ProvideRequiredToolProperties,
    GH2012.ProvideRequiredReportingDescriptorProperties.
  • NEW: Add a new --rule-kind parameter to AnalyzeOptionsBase, which specifies rule kinds to run (Sarif, Ghas, Ado). Example: --rule-kind Ado;Sarif.

4.2.1

SARIF Package Release History (SDK, Driver, Converters, and Multitool)

v4.2.1 Sdk | Driver | Converters | Multitool | Multitool Library

  • BUG: Resolve NotSupportedException thrown (on .NET 4.8 and earlier) on accessing DeflateStream.Length from MultithreadedZipArchiveArtifactProvider.SizeInBytes property.

4.0.0

v4.0.0 Sdk | Driver | Converters | Multitool | Multitool Library

  • BRK: SarifLogger no longer allows providing a Tool instance. Use the run parameter instead (and populate it with any custom Tool object). #2614
  • BRK: SarifLogger updates version details differently. #2611
  • BRK: Add ToolComponent argument to IAnalysisLogger.Log(ReportingDescriptor, Result) method. #2611
  • BRK: Rename --normalize-for-github argument to --normalize-for-ghas for convert command and mark --normalize-for-github as obsolete. #2581
  • BRK: Update IAnalysisContext.LogToolNotification method to add ReportingDescriptor parameter. This is required in order to populate AssociatedRule data in Notification instances. The new method has an optional value of null for the associatedRule parameter to maximize build compatibility. #2604
  • BRK: Correct casing of LogMissingreportingConfiguration helper to LogMissingReportingConfiguration. #2599
  • BRK: Change type of MaxFileSizeInKilobytes from int to long in IAnalysisContext and other classes. #2599
  • BRK: For Guid properties defined in SARIF spec, updated Json schema to use uuid, and updated C# object model to use Guid? instead of string. #2555
  • BRK: Mark AnalyzeCommandBase as obsolete. This type will be removed in the next significant update. #2599
  • BRK: LogUnhandledEngineException no longer has a return value (and updates the RuntimeErrors context property directly as other helpers do). #2599
  • BUG: Populate missing context region data for small, single-line scan targets. #2616
  • BUG: Increase parallelism in MultithreadedAnalyzeCommandBase by correcting task creation. #2618
  • BUG: Resolve hangs due to unhandled exceptions during multithreaded analysis file enumeration phase. #2599
  • BUG: Resolve hangs due to unhandled exceptions during multithreaded analysis file hashing phase. #2600
  • BUG: Another attempt to resolve 'InvalidOperationException' with message Collection was modified; enumeration operation may not execute in MultithreadedAnalyzeCommandBase, raised when analyzing with the --hashes switch. #2459. There was a previous attempt to fix this in #2447.
  • BUG: Resolve issue where match-results-forward command fails to generate VersionControlDetails data. #2487
  • BUG: Remove duplicated rule definitions when executing match-results-forward commands for results with sub-rule ids. #2486
  • BUG: Update merge command to properly produce runs by tool and version when passed the --merge-runs argument. #2488
  • BUG: Eliminate IOException and DirectoryNotFoundException exceptions thrown by merge command when splitting by rule (due to invalid file characters in rule ids). #2513
  • BUG: Fix classes inside NotYetAutoGenerated folder missing virtual keyword for public methods and properties, by regenerating and manually syncing the changes. #2537
  • BUG: MSBuild Converter now accepts case insensitive keywords and supports PackageValidator msbuild log output. #2579
  • BUG: Eliminate NullReferenceException when file hashing fails (due to file locked or other errors reading the file). #2596
  • NEW: Provide PluginDriver property (AdditionalOptionsProvider) that allows additional options to be exported (typically for command-line arguments). #2599
  • NEW: Provide LogFileSkippedDueToSize that fires a warning notification if any file is skipped due to exceeding size threshold. #2599
  • NEW: Provide overridable ShouldEnqueue predicate method to filter files from driver processing. #2599
  • NEW: Provide overridable ShouldComputeHashes predicate method to prevent files from hashing. #2601
  • NEW: Allow external set of MaxFileSizeInKilobytes, which will allow SDK users to change the value. (Default value is 1024) #2578
  • NEW: Add a Github validation rule GH1007, which requires flattened result message so GHAS code scanning can ingest the log. #2580
  • NEW: Provide mechanism to populate SarifLogger with a FileRegionsCache instance.
  • NEW: Allow initialization of file regions cache in InsertOptionalDataVisitor (previously initialized exclusively from FileRegionsCache.Instance).
  • NEW: Provide `RuleScanTime` trace and emitted timing data. Provide `ScanExecution` trace with no utilization.
  • NEW: Populate associated rule data in LogToolNotification as called from SarifLogger. #2604
  • NEW: Add --normalize-for-ghas argument to the rewrite command to ensure rewritten SARIF is compatible with GitHub Advanced Security (GHAS) ingestion requirements. #2581
  • NEW: Allow per-line rolling (partial) hash computation for a file. #2605
  • NEW: SarifLogger now supports extensions rules data when logging (by providing a ToolComponent instance to the result logging method). #2661
  • NEW: SarifLogger provides a ComputeHashData callback to provide hash data for in-memory scan targets. #2614
  • NEW: Provide HashUtilities.ComputeHashes(Stream) and ComputeHashesForText(string) helpers. #2614

3.1.0

v3.1.0 Sdk | Driver | Converters | Multitool | Multitool Library

  • BUGFIX: Loosen System.Collections.Immutable minimum version requirement to 1.5.0. #2504

3.1.0-beta1

v3.1.0-beta1 Sdk | Driver | Converters | Multitool | Multitool Library

  • DEPENDENCY BREAKING: SARIF.SDK now requires System.Collections.Immutable 1.5.0. #2504

3.0.0

v3.0.0 Sdk | Driver | Converters | Multitool | Multitool Library

  • BUGFIX: Loosen Newtonsoft.JSON minimum version requirement to 6.0.8 (for .NET framework) or 9.0.1 (for all other compilations) for Sarif.Sdk. Sarif.Converters requires 8.0.1, minimally, for .NET framework compilations.
  • BUGFIX: Broaden set of supported .NET frameworks for compatibility reasons. Sarif.Sdk, Sarif.Driver and Sarif.WorkItems require net461.
  • BUGFIX: Set default stack limit in Newtonsoft.JSON utilization (if JsonConvert.Defaults is not already configured) to address GitHub advisory GHSA-5crp-9r3c-p9vr.

3.0.0-beta1

3.0.0-beta1 Sdk | Driver | Converters | Multitool | Multitool Library

  • BUGFIX: Loosen Newtonsoft.JSON minimum version requirement to 6.0.8 (for .NET framework) or 9.0.1 (for all other compilations) for Sarif.Sdk. Sarif.Converters requires 8.0.1, minimally, for .NET framework compilations.
  • BUGFIX: Broaden set of supported .NET frameworks for compatibility reasons. Sarif.Sdk now supports net45 forward. Sarif.Driver and Sarif.WorkItems require net461 due to other dependencies.
  • BUGFIX: Set default stack limit in Newtonsoft.JSON utilization (if JsonConvert.Defaults is not already configured) to address GitHub advisory GHSA-5crp-9r3c-p9vr.

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---
updated-dependencies:
- dependency-name: Sarif.Sdk
  dependency-version: 5.4.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Changes for a dependency update label Jun 29, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 29, 2026 15:03
Contributor

Thank you for your contribution, one of the team will evaluate shortly.
