[SARIF EXPORT]: Crash on export-collect: Unhandled exception. System.InvalidCastException: Unable to cast object of type 'System.Collections.Concurrent.ConcurrentBag`1[Microsoft.CST.AttackSurfaceAnalyzer.Objects.CompareResult]' to type 'System.Collections.Generic.List`1[Microsoft.CST.AttackSurfaceAnalyzer.Objects.CompareResult]'.

Describe the bug I’m currently trying to automate our manual “Attack Surface Analyser” step into our CI. The scanning of both the baseline and the new system state seem to be fine. However when running the “export-collect”-step, I’m seeing this failure:

[2022-04-28T13:52:01.085Z] [06:52:00 INF] Completed Analysis in 00h:00m:02s:531ms.
[2022-04-28T13:52:01.085Z] Unhandled exception. System.InvalidCastException: Unable to cast object of type 'System.Collections.Concurrent.ConcurrentBag`1[Microsoft.CST.AttackSurfaceAnalyzer.Objects.CompareResult]' to type 'System.Collections.Generic.List`1[Microsoft.CST.AttackSurfaceAnalyzer.Objects.CompareResult]'.
[2022-04-28T13:52:01.085Z]    at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.GenerateSarifLog(Dictionary`2 output, IEnumerable`1 rules) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 765
[2022-04-28T13:52:01.086Z]    at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.WriteSarifLog(Dictionary`2 output, IEnumerable`1 rules, String outputFilePath) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 705
[2022-04-28T13:52:01.086Z]    at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.ExportCompareResults(ConcurrentDictionary`2 resultsIn, ExportOptions opts, String baseFileName, String analysesHash, IEnumerable`1 rules) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 680
[2022-04-28T13:52:01.086Z]    at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.RunExportCollectCommand(ExportCollectCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 627
[2022-04-28T13:52:01.086Z]    at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c.<Main>b__9_2(ExportCollectCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 90
[2022-04-28T13:52:01.086Z]    at CommandLine.ParserResultExtensions.MapResult[T1,T2,T3,T4,T5,T6,T7,T8,T9,TResult](ParserResult`1 result, Func`2 parsedFunc1, Func`2 parsedFunc2, Func`2 parsedFunc3, Func`2 parsedFunc4, Func`2 parsedFunc5, Func`2 parsedFunc6, Func`2 parsedFunc7, Func`2 parsedFunc8, Func`2 parsedFunc9, Func`2 notParsedFunc)
[2022-04-28T13:52:01.086Z]    at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.Main(String[] args) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 72
script returned exit code -532462766

Might be related to #638 and #643.

Background: In the past, we manually scanned our software using the GUI of `Microsoft Attack Surface Analyzer v1.0.0. Now we are trying to automate this and would also like to use the latest version of the software (v2.3.277 when I installed it).

To Reproduce

• Baseline scan: asa collect -a --overwrite --runid baseline
• Install and run software to be scanned
• New scan: asa collect -a --overwrite --runid installed
• Run comparison:

mkdir asareport
asa export-collect --firstrunid baseline --secondrunid installed --verbose --outputpath "ABSOLUTEPATHTO\asareport" --outputsarif

Expected behavior Report files are written and software does not crash.

System Configuration (please complete the following information):

• OS: Windows
• OS Version: Windows 10 Pro, amd64, 21H1, 19043.165, en_US running on VirtualBox v6.1.34
• Application Version: AttackSurfaceAnalyzer v.2.3.277+40072595ef
• CLI or GUI: cli

Additional Context I haven’t tried the version before #643 yet but will do so to see if downgrading fixes our problem.