{"id":163,"date":"2023-05-25T09:20:03","date_gmt":"2023-05-25T16:20:03","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/powerplatform\/?p=163"},"modified":"2023-05-25T09:20:03","modified_gmt":"2023-05-25T16:20:03","slug":"annotating-power-platform-checker-results","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powerplatform\/annotating-power-platform-checker-results\/","title":{"rendered":"Annotating Power Platform Checker results"},"content":{"rendered":"<blockquote>\n<p>In this first guest blog, it is my pleasure to introduce a blog written by Phil Cole about annotating Power Platform Checker Results. Phil is Senior Consultant at TechLabs London and is a community star who has written lots of amazing blogs on Power Platform topics, like Connectors, Power Fx, ALM and more.<\/p>\n<p>This blog is all about the Power Platform Solution Checker results and how to annotate them in your pipelines.<\/p>\n<\/blockquote>\n<p>How can we quickly identify new issues exposed by the Solution Checker? If we are in the fortunate position of having zero issues then new issues are easy to identify. For more than a handful of issues we might have to compare against previous runs of the solution checker to identify the newly introduced issues. 
Let\u2019s investigate how to improve this situation.<\/p>\n<h2>Power Platform Checker SARIF Output<\/h2>\n<p>As discussed in an <a href=\"https:\/\/philcole.org\/post\/solution-checker-ppbt\/\">earlier blog<\/a> I wrote, the <a href=\"https:\/\/learn.microsoft.com\/en-us\/power-platform\/alm\/devops-build-tool-tasks#quality-check\">Power Platform Checker<\/a> Azure DevOps task outputs its results as a SARIF file which can be viewed within Azure DevOps using the <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=sariftools.scans\">SARIF SAST Scans Tab<\/a> extension.<\/p>\n<p>The issues reported by the checker may change due to:<\/p>\n<ul>\n<li>Changes in the solution under development<\/li>\n<li>Microsoft adding new rules to the checker (e.g. Flow recursive check)<\/li>\n<li>Microsoft changing the severity of a rule from \u2018Warning\u2019 to \u2018Critical\u2019. (e.g. OData deprecation)<\/li>\n<li>Changes to the configuration of the power platform checker task (e.g. excluding rules or web resources)<\/li>\n<\/ul>\n<p>Using the SARIF Scans Azure DevOps Extension we can see that all issues are identified as \u2018New\u2019.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker1-1024x542.png\" alt=\"Image PowerPlatformChecker1\" width=\"640\" height=\"339\" class=\"alignnone size-large wp-image-170\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker1-1024x542.png 1024w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker1-300x159.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker1-768x407.png 768w, 
https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker1-1536x814.png 1536w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker1-2048x1085.png 2048w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<h2>Introducing SARIF multi-tool<\/h2>\n<p><a href=\"https:\/\/github.com\/microsoft\/sarif-sdk\/blob\/main\/docs\/multitool-usage.md\">SARIF multi-tool<\/a> is part of the <a href=\"https:\/\/github.com\/microsoft\/sarif-sdk\">SARIF SDK<\/a> and, among other features, allows us to match results between two SARIF files. This allows us to identify whether an issue is New, Unchanged, Updated or Absent.<\/p>\n<p>Once <a href=\"https:\/\/nodejs.org\/\">node.js<\/a> is installed, we can invoke SARIF multi-tool via <code>npx<\/code>, e.g.<\/p>\n<p><script src=\"https:\/\/gist.github.com\/Laskewitz\/b9e241c4a9c8d8354e214e4008e70744.js\"><\/script> <code>Annotated.sarif<\/code> now indicates whether an issue is New, Unchanged, Updated or Absent compared to the <code>Baseline.sarif<\/code>.<\/p>\n<h2>Incorporating into Azure DevOps pipeline<\/h2>\n<p>Now that we know about SARIF multi-tool and how to use it, we can integrate it into an Azure DevOps pipeline. 
We want an Azure DevOps pipeline that:<\/p>\n<ol>\n<li>Creates a solution zip from an unpacked solution held in source control (git)<\/li>\n<li>Runs the solution checker on the solution zip<\/li>\n<li>Downloads the previous solution checker results from the latest build on the main branch; these are contained in the CodeAnalysisLogs artifact<\/li>\n<li>Calls a PowerShell script that annotates the SARIF generated by the solution checker (step 2), with the \u2018baseline\u2019 SARIF of the latest successful build on the main branch (step 3) using the <code>npx @microsoft\/sarif-multitool match-results-forward<\/code> discussed above.<\/li>\n<li>Publishes both the original (step 2) and annotated (step 4) SARIF files as a build artifact<\/li>\n<\/ol>\n<h2>Outcome<\/h2>\n<p>Before delving into the detailed workings, let\u2019s examine the outcome. After running our pipeline, we can see that there are two SARIF files shown in the scans tab: the original SARIF file output by the checker, and an annotated version.<\/p>\n<p>We can use the baseline filters to see more easily what has changed.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker2.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker2-1024x463.png\" alt=\"Image PowerPlatformChecker2\" width=\"640\" height=\"289\" class=\"alignnone size-large wp-image-178\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker2-1024x463.png 1024w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker2-300x136.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker2-768x347.png 768w, 
https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker2-1536x694.png 1536w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker2.png 1919w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>It\u2019s easy to see (and filter out) unchanged issues.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker3.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker3-1024x533.png\" alt=\"Image PowerPlatformChecker3\" width=\"640\" height=\"333\" class=\"alignnone size-large wp-image-179\" srcset=\"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker3-1024x533.png 1024w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker3-300x156.png 300w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker3-768x399.png 768w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker3-1536x799.png 1536w, https:\/\/devblogs.microsoft.com\/powerplatform\/wp-content\/uploads\/sites\/79\/2023\/05\/PowerPlatformChecker3.png 1836w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<h2>Azure DevOps pipeline<\/h2>\n<p>The Azure DevOps pipeline that achieves this is shown below. A key concept is the use of a pipeline resource, which allows the DevOps pipeline to obtain the CodeAnalysisLogs artifact from a previous run on a different branch. 
It\u2019s intended that this pipeline is used within a pull request validation build.<\/p>\n<p><script src=\"https:\/\/gist.github.com\/Laskewitz\/8c4cacbda0a0896ac50ed69019af760c.js\"><\/script><\/p>\n<h2>PowerShell script: BaselineCheckerResults.ps1<\/h2>\n<p>The following PowerShell script locates the original and latest SARIF files, runs SARIF multi-tool, generates an annotated SARIF file and makes the output files available to subsequent Azure DevOps tasks via variables.<\/p>\n<p><script src=\"https:\/\/gist.github.com\/Laskewitz\/99ab28ca1858e590fea87dafbd9dd4f6.js\"><\/script><\/p>\n<h2>Challenges<\/h2>\n<p>Some challenges were encountered writing this blog! Here\u2019s a brief explanation to remind us how they were overcome.<\/p>\n<h2>SARIF Schema Version<\/h2>\n<p>Each SARIF file contains a schema version. In the current release of the SARIF SDK (v4.10) the SARIF multitool utility generates SARIF files with a schema version that is not yet published. A <a href=\"https:\/\/github.com\/microsoft\/sarif-sdk\/issues\/2662\">GitHub issue<\/a> exists, so I\u2019m sure this will get resolved in due course. This glitch only causes a problem when trying to use the SARIF viewer extension in VS Code; the Azure DevOps SARIF Viewer was not affected. There is a commented snippet of code in the PowerShell (above) which will alter the schema version if this is an issue for you.<\/p>\n<h2>Pipeline Artifact vs Build Artifact<\/h2>\n<p>Whilst writing this blog I spent quite a lot of time trying to understand why SARIF files in the \u2018CodeAnalysisArtifact\u2019 were not detected by the Azure DevOps SARIF Scans Extension. Only after scanning through the comments of the extension did I discover that one must use the PublishBuildArtifacts@1 task instead of the modern PublishPipelineArtifact@1 task.<\/p>\n<h2>SARIF Viewer in ADO Defaults<\/h2>\n<p>By default, the SARIF Viewer in Azure DevOps lists \u2018New\u2019, \u2018Updated\u2019 or \u2018Absent\u2019 issues. 
It does not list \u2018Unchanged\u2019 issues. Thus, if we exposed just the annotated SARIF file it could be very easy to think there were no issues. So that it\u2019s obvious that issues exist, we output two SARIF files:<\/p>\n<ul>\n<li>The original SARIF file generated by the solution checker, where all issues are identified as \u2018New\u2019, and<\/li>\n<li>The annotated version that will easily allow identification of New\/Updated\/Unchanged\/Absent issues.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<ul>\n<li>SARIF multi-tool will allow \u2018baselining\u2019 of a SARIF file with an earlier SARIF file so that new, unchanged, updated, or absent issues can be easily identified<\/li>\n<li>Running sarif-multitool adds approximately 30 seconds to a pipeline.<\/li>\n<li>This technique is most useful for solutions with many existing issues where finding new issues is time consuming.<\/li>\n<li>We\u2019re not enforcing thresholds on the number of issues &#8211; this was covered in the previous blog.<\/li>\n<\/ul>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/power-apps\/maker\/data-platform\/use-powerapps-checker\">Use solution checker to validate your model-driven apps in Power Apps<\/a><\/li>\n<li><a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=sariftools.scans\">SARIF SAST Scans Tab<\/a><\/li>\n<li><a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=MS-SARIFVSCode.SARIF-viewer\">VS Code SARIF Viewer Extension<\/a><\/li>\n<li><a href=\"https:\/\/pumascan.com\/resources\/sarif-output-format\/\">Puma Scan Professional SARIF Output Format<\/a>, which also found that Publish Build Artifacts must be used instead of Publish Pipeline Artifact.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In this first guest blog, it is my pleasure to introduce a blog written by Phil Cole about annotating Power Platform Checker Results. 
Phil is Senior Consultant at TechLabs London and is a community star who has written lots of amazing blogs on Power Platform topics, like Connectors, Power Fx, ALM and more. This blog [&hellip;]<\/p>\n","protected":false},"author":115431,"featured_media":186,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[24,25],"class_list":["post-163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powerplatform","tag-alm","tag-solution-checker"],"acf":[],"blog_post_summary":"<p>In this first guest blog, it is my pleasure to introduce a blog written by Phil Cole about annotating Power Platform Checker Results. Phil is Senior Consultant at TechLabs London and is a community star who has written lots of amazing blogs on Power Platform topics, like Connectors, Power Fx, ALM and more. This blog [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/posts\/163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/users\/115431"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/comments?post=163"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/posts\/163\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/media\/186"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/media?parent=163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.mi
crosoft.com\/powerplatform\/wp-json\/wp\/v2\/categories?post=163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powerplatform\/wp-json\/wp\/v2\/tags?post=163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}