Extend client tests -> sarif_diff_by_commits tool

Author: data-douser

client/integration-tests/primitives/tools/sarif_diff_by_commits/line_level_classification/README.md

@@ -0,0 +1,20 @@
+# Integration Test: sarif_diff_by_commits - line_level_classification
+
+## Purpose
+
+Validates that the `sarif_diff_by_commits` tool correctly handles
+line-level granularity classification. Uses `HEAD..HEAD` (empty diff)
+so all results are classified as pre-existing regardless of their
+line positions.
+
+## Inputs
+
+- `results.sarif`: SARIF with 3 results across 2 rules in 3 files
+- `refRange`: `HEAD..HEAD` (produces an empty diff)
+- `granularity`: `line`
+
+## Expected Behavior
+
+Returns structured output with `"granularity": "line"`, all 3 results
+in `preExistingResults`, and 0 results in `newResults`, since the
+empty diff has no changed files or hunks to match against.

client/integration-tests/primitives/tools/sarif_diff_by_commits/line_level_classification/after/monitoring-state.json

@@ -0,0 +1,5 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "success": true,
+  "description": "Successfully classified all results as pre-existing with empty diff (line granularity)"
+}

client/integration-tests/primitives/tools/sarif_diff_by_commits/line_level_classification/after/results.sarif

@@ -0,0 +1,107 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "version": "2.20.4",
+          "rules": [
+            {
+              "id": "js/sql-injection",
+              "name": "js/sql-injection",
+              "shortDescription": {
+                "text": "Database query built from user-controlled sources"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "8.8"
+              }
+            },
+            {
+              "id": "js/xss",
+              "name": "js/xss",
+              "shortDescription": {
+                "text": "Cross-site scripting"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "6.1"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from user input."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/db.js"
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 5,
+                  "endColumn": 38
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from request body."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/api.js"
+                },
+                "region": {
+                  "startLine": 15,
+                  "startColumn": 3,
+                  "endColumn": 40
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/xss",
+          "ruleIndex": 1,
+          "message": {
+            "text": "XSS vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/views.js"
+                },
+                "region": {
+                  "startLine": 30,
+                  "startColumn": 10,
+                  "endColumn": 50
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

client/integration-tests/primitives/tools/sarif_diff_by_commits/line_level_classification/before/monitoring-state.json

@@ -0,0 +1,5 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "expectedSuccess": true,
+  "description": "Test sarif_diff_by_commits line-level classification with empty diff"
+}

client/integration-tests/primitives/tools/sarif_diff_by_commits/line_level_classification/before/results.sarif

@@ -0,0 +1,107 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "version": "2.20.4",
+          "rules": [
+            {
+              "id": "js/sql-injection",
+              "name": "js/sql-injection",
+              "shortDescription": {
+                "text": "Database query built from user-controlled sources"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "8.8"
+              }
+            },
+            {
+              "id": "js/xss",
+              "name": "js/xss",
+              "shortDescription": {
+                "text": "Cross-site scripting"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "6.1"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from user input."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/db.js"
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 5,
+                  "endColumn": 38
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from request body."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/api.js"
+                },
+                "region": {
+                  "startLine": 15,
+                  "startColumn": 3,
+                  "endColumn": 40
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/xss",
+          "ruleIndex": 1,
+          "message": {
+            "text": "XSS vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/views.js"
+                },
+                "region": {
+                  "startLine": 30,
+                  "startColumn": 10,
+                  "endColumn": 50
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

client/integration-tests/primitives/tools/sarif_diff_by_commits/line_level_classification/test-config.json

@@ -0,0 +1,17 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "arguments": {
+    "refRange": "HEAD..HEAD",
+    "granularity": "line"
+  },
+  "assertions": {
+    "responseContains": [
+      "\"granularity\": \"line\"",
+      "\"preExistingResults\"",
+      "\"newResults\"",
+      "\"totalPreExisting\": 3",
+      "\"totalNew\": 0",
+      "\"totalResults\": 3"
+    ]
+  }
+}

client/internal/testing/params_test.go

@@ -1,11 +1,42 @@
 package testing
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 )
 
+// projectTmpDir creates a temporary directory under the project-local .tmp/
+// directory instead of the OS temp directory (avoids CWE-377/CWE-378).
+// Registers t.Cleanup to remove the directory after the test.
+func projectTmpDir(t *testing.T, name string) string {
+	t.Helper()
+	// Walk up from this test file to find the repo root (contains codeql-workspace.yml)
+	_, thisFile, _, ok := runtime.Caller(0)
+	if !ok {
+		t.Fatal("runtime.Caller failed")
+	}
+	dir := filepath.Dir(thisFile)
+	for {
+		if _, err := os.Stat(filepath.Join(dir, "codeql-workspace.yml")); err == nil {
+			break
+		}
+		parent := filepath.Dir(dir)
+		if parent == dir {
+			t.Fatal("could not find repo root (codeql-workspace.yml)")
+		}
+		dir = parent
+	}
+	tmpBase := filepath.Join(dir, ".tmp", fmt.Sprintf("test-params-%s-%d", name, os.Getpid()))
+	if err := os.MkdirAll(tmpBase, 0o755); err != nil {
+		t.Fatalf("create project tmp dir: %v", err)
+	}
+	t.Cleanup(func() { os.RemoveAll(tmpBase) })
+	return tmpBase
+}
+
 func TestBuildToolParams_TestConfig(t *testing.T) {
 	// Create a temp test fixture with test-config.json
 	dir := t.TempDir()
@@ -229,7 +260,7 @@ func TestBuildToolParams_SARIFCompareAlertsWithConfig(t *testing.T) {
 }
 
 func TestBuildToolParams_SARIFDiffByCommitsWithConfig(t *testing.T) {
-	dir := t.TempDir()
+	dir := projectTmpDir(t, "sarif-diff-by-commits")
 	testDir := filepath.Join(dir, "tools", "sarif_diff_by_commits", "file_level_classification")
 	beforeDir := filepath.Join(testDir, "before")
 	os.MkdirAll(beforeDir, 0o755)

server/dist/codeql-development-mcp-server.js

@@ -60,14 +60,16 @@ This resource provides a complete reference of the default tools exposed by the
 
 ## SARIF Analysis Tools
 
-| Tool                     | Description                                                                                          |
-| ------------------------ | ---------------------------------------------------------------------------------------------------- |
-| `sarif_compare_alerts`   | Compare code locations of two SARIF alerts for overlap (sink, source, any-location, full-path modes) |
-| `sarif_diff_by_commits`  | Correlate SARIF results with a git diff to classify findings as "new" or "pre-existing"              |
-| `sarif_diff_runs`        | Diff two SARIF files to find added, removed, and changed rules/results across analysis runs          |
-| `sarif_extract_rule`     | Extract all data for a specific rule from multi-rule SARIF. Returns a valid SARIF JSON subset        |
-| `sarif_list_rules`       | List all rules in a SARIF file with result counts, severity, precision, and tags                     |
-| `sarif_rule_to_markdown` | Convert per-rule SARIF data to markdown with Mermaid dataflow diagrams                               |
+| Tool                      | Description                                                                                          |
+| ------------------------- | ---------------------------------------------------------------------------------------------------- |
+| `sarif_compare_alerts`    | Compare code locations of two SARIF alerts for overlap (sink, source, any-location, full-path modes) |
+| `sarif_deduplicate_rules` | Find duplicate rules across two SARIF files using fingerprint-first, full-path-fallback overlap      |
+| `sarif_diff_by_commits`   | Correlate SARIF results with a git diff to classify findings as "new" or "pre-existing"              |
+| `sarif_diff_runs`         | Diff two SARIF files to find added, removed, and changed rules/results across analysis runs          |
+| `sarif_extract_rule`      | Extract all data for a specific rule from multi-rule SARIF. Returns a valid SARIF JSON subset        |
+| `sarif_list_rules`        | List all rules in a SARIF file with result counts, severity, precision, and tags                     |
+| `sarif_rule_to_markdown`  | Convert per-rule SARIF data to markdown with Mermaid dataflow diagrams                               |
+| `sarif_store`             | Cache SARIF content in the session store and return a cache key for use by downstream SARIF tools    |
 
 ### `sarif_list_rules` Response Format