npm - @microsoft/sarif-multitool-linux - Versions diffs - 5.0.3 → 5.0.4 - Mend

@@ -54,7 +54,7 @@
             <remarks>
             The result's <c>ruleId</c> is validated at receipt against the AI ruleId convention
             (taxonomy sub-id form or NOVEL- escape hatch). On rejection the verb writes the
-            AI-consumable error envelope (error code AI-RULEID-001) to stderr and returns
+            AI-consumable error envelope (error code AI1012) to stderr and returns
             <see cref="F:Microsoft.CodeAnalysis.Sarif.Driver.CommandBase.FAILURE"/> WITHOUT appending — an AI orchestrator can retry the
             individual result without first having to remove garbage from the event log.
             </remarks>
@@ -251,6 +251,23 @@
             SARIF file.
             </summary>
         </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.EmitFinalizeCommand.ApplyRankDerivedSecuritySeverity(Microsoft.CodeAnalysis.Sarif.Run)">
+            <summary>
+            Derives a GitHub Advanced Security <c>security-severity</c> for each rule descriptor
+            from the highest <see cref="P:Microsoft.CodeAnalysis.Sarif.Result.Rank"/> observed across the results that reference
+            it, mapping the SARIF rank scale (0–100) onto the security-severity scale (0.0–10.0)
+            by dividing by ten.
+            </summary>
+            <remarks>
+            GHAS reads <c>security-severity</c> off the rule a result references, never off a
+            taxon, so the value is stamped on <c>tool.driver.rules[]</c>. Results carry an
+            authoritative <c>ruleIndex</c> by the time the log is replayed, so association is by
+            index rather than by id. The rank sentinel <c>-1.0</c> ("unset") is excluded: a rule
+            whose results carry no rank receives nothing, and a producer-authored
+            <c>security-severity</c> is left untouched.
+            </remarks>
+            <returns>The number of rule descriptors stamped.</returns>
+        </member>
         <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.EmitFinalizeCommand.RunValidatorAndReport(System.String)">
             <summary>
             Runs the multitool validator (--rule-kind Sarif;AI) against the finalized SARIF.
@@ -274,7 +291,10 @@
             at a portable root — a GitHub-compatible blob permalink (commit-pinned in the URL) or an Azure
             DevOps repository root (commit pinning carried by <c>versionControlProvenance.revisionId</c>),
             derived from the repositoryUri by <see cref="T:Microsoft.CodeAnalysis.Sarif.Multitool.VcpPortableRoot"/> — so the finalized SARIF
-            carries no machine-specific path.
+            carries no machine-specific path. Each minted base also carries a <c>description</c> whose
+            <c>text</c> is a SARIF embedded link (§3.11.6) whose anchor names the repository and
+            abbreviated commit (<c>&lt;repo&gt;@&lt;short-sha&gt;</c>) and whose destination is a
+            browsable root-at-revision URL, unless the input base already supplied a description.
             </summary>
             <remarks>
             One repository collapses to the bare <c>SRCROOT</c> base. Multiple repositories each receive
@@ -527,7 +547,7 @@
             coordinates are URL-path escaped, ready to compose into a REST endpoint path.
             </summary>
         </member>
-        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.VcpPortableRoot.TryDerivePortableRoot(System.Uri,System.String,System.Uri@,System.Uri@,System.String@,System.String@)">
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.VcpPortableRoot.TryDerivePortableRoot(System.Uri,System.String,System.Uri@,System.Uri@,System.String@,System.Uri@,System.String@)">
             <summary>
             Mints the portable root for <paramref name="rawRepositoryUri"/>. Used at emit-finalize.
             <paramref name="canonicalRepositoryUri"/> is the clean https identity (userinfo stripped,
@@ -547,6 +567,29 @@
             SarifWorkItemFiler in order to complete the work.
             </summary>
         </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.GetCweCommand">
+            <summary>
+            Implements <c>get-cwe</c>: serves canonical MITRE CWE data from the SDK's embedded taxonomy.
+            </summary>
+            <remarks>
+            Each record's <c>ruleIdFallback</c> (<c>CWE-&lt;n&gt;/&lt;slug&gt;</c>) is the kebab-cased
+            CWE name produced by the same helper AI1012 uses, so the two always agree.
+            </remarks>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.CweOutputFormat">
+            <summary>
+            Output format for <c>get-cwe</c>.
+            </summary>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.GetCweOptions">
+            <summary>
+            Options for <c>get-cwe</c>, which serves canonical MITRE CWE data from the SDK's embedded
+            taxonomy. Each record carries a <c>ruleIdFallback</c> — the kebab-cased
+            <c>CWE-&lt;n&gt;/&lt;slug&gt;</c> a producer can drop into <c>result.ruleId</c> when it will
+            not author a sharper sub-id. The fallback is computed the same way AI1012 derives its
+            suggestion, so the two always agree.
+            </summary>
+        </member>
         <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.GetSchemaCommand">
             <summary>
             Implements <c>get-schema</c>: emits the embedded JSON Schema that validates the
@@ -620,6 +663,20 @@
             path, collapsing <c>.</c> and <c>..</c> segments.
             </summary>
         </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.GetSkillCommand.TryGetSkillDescription(System.String)">
+            <summary>
+            Returns the skill's frontmatter <c>description</c>, or <c>null</c> when the embedded resource
+            is missing or declares none. This is the single source of truth for the skill's one-line
+            summary — the same scalar a consumer reads from the emitted document's frontmatter.
+            </summary>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.GetSkillCommand.ExtractFrontmatterDescription(System.String)">
+            <summary>
+            Extracts the <c>description</c> scalar from a skill document's leading YAML frontmatter block.
+            Returns <c>null</c> when the document opens no frontmatter, declares no description, or uses a
+            multi-line block scalar (which the terse catalog does not render).
+            </summary>
+        </member>
         <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.GetSkillOptions">
             <summary>
             Options for <c>get-skill</c>, which emits an agent skill that drives the multitool emit and

@@ -6920,7 +6920,8 @@
         <member name="F:Microsoft.CodeAnalysis.Sarif.Emit.AIRuleIdConventionException.ErrorCode">
             <summary>
             Stable error code so downstream tooling can pattern-match without parsing the
-            human-readable message body.
+            human-readable message body. This is the canonical AI1012 (ProvideRuleSubId)
+            rule id, so the emit-time rejection and the post-hoc validator report one id.
             </summary>
         </member>
         <member name="P:Microsoft.CodeAnalysis.Sarif.Emit.AIRuleIdConventionException.OffendingRuleIds">
@@ -7188,6 +7189,13 @@
             Clear current cache.
             </summary>
         </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.FileRegionsCache.GetText(System.Uri,System.String)">
+            <summary>
+            Returns the full text of the artifact at <paramref name="uri"/>, reading it from the
+            file system on first access and caching the result. Returns <c>null</c> when the file
+            cannot be read (missing, I/O error, or access denied).
+            </summary>
+        </member>
         <member name="M:Microsoft.CodeAnalysis.Sarif.FileRegionsCache.ReconcileRegionCoordinate(System.Boolean,System.String,System.Int32,System.Int32)">
             <summary>
             Reconciles an authored region coordinate against the value computed from the source

@@ -1,7 +1,7 @@
 {
 	"name": "@microsoft/sarif-multitool-linux",
 	"description": "SARIF Multitool for Linux",
-	"version": "5.0.3",
+	"version": "5.0.4",
 	"scripts": {
 		"postinstall": "chmod u+x Sarif.Multitool"
 	},

@microsoft/sarif-multitool-linux 5.0.3 → 5.0.4