overtrue / phplint

:bug: A tool that can speed up linting of php files by running several lint processes at once.


Add SARIF output format

llaville opened this issue · comments

New Feature

Summary

SARIF (Static Analysis Results Interchange Format) is an OASIS Standard that defines an output file format.

Description

The SARIF standard is used to streamline how static analysis tools share their results by implementing a subset of the SARIF 2.1.0 JSON schema.

It would be cool to have such an output format in PHPLint.

Other Static Tool Analysers like

Because I didn't find any PHP library that supports the SARIF v2 specifications, I've published a PHP SDK as a new bartlett/sarif-php-sdk package, already available on Packagist, that implements the full v2.1.0 specifications.

There are many examples of all SARIF objects on my GitHub project page that make it easy to include in any other PHP Static Tool Analyser.

Here is a preview of what it will look like!

Suppose we analyse the PHPLint source code with the command bin/phplint examples/ tests/. Then with v9.0.3 you should get something like the following output:

[screenshot: phplint-9-0-3]

And if we add the --log-sarif option (bin/phplint examples/ tests/ -vvv --log-sarif) we could get the following result on standard output:

{
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [
        {
            "tool": {
                "driver": {
                    "name": "PHPLint",
                    "version": "9.1.0",
                    "informationUri": "https://github.com/overtrue/phplint"
                }
            },
            "originalUriBaseIds": {
                "WORKINGDIR": {
                    "uri": "file:///shared/backups/github/phplint/"
                }
            },
            "results": [
                {
                    "message": {
                        "text": "unexpected end of file in line 4"
                    },
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "tests/fixtures/syntax_error.php",
                                    "uriBaseId": "WORKINGDIR"
                                },
                                "region": {
                                    "startLine": 4
                                }
                            }
                        }
                    ]
                },
                {
                    "message": {
                        "text": "False can not be used as a standalone type in line 12"
                    },
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "tests/fixtures/php-8.2_syntax.php",
                                    "uriBaseId": "WORKINGDIR"
                                },
                                "region": {
                                    "startLine": 12
                                }
                            }
                        }
                    ]
                }
            ]
        }
    ]
}

It's not yet complete, but a nice beginning, isn't it?

Finally, this feature will be re-integrated into the next version, 9.2.0. It will come shortly now!

The solution is based on the new version 1.2.0 of bartlett/sarif-php-sdk (see https://github.com/llaville/sarif-php-sdk/releases/tag/1.2.0)

Available now: https://github.com/overtrue/phplint/releases/tag/9.2.0

E.g.:
[screenshot: sarif-log]

NB: By default the SARIF report is (like the native PHP json_encode function) unprettified (not human-readable).
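As an added example (not code from phplint or from bartlett/sarif-php-sdk), the following shows how lint findings of the shape shown in the issue (file, line, message) map onto the required SARIF 2.1.0 objects using only PHP's native json_encode, and how the compact default output mentioned in the NB differs from a JSON_PRETTY_PRINT rendering. The function names buildSarifLog and encodeSarif, the working directory and the error list are assumptions constructed for the example; the tool name, schema URI and the two findings are taken from the SARIF output above.

```php
<?php
declare(strict_types=1);

// Added example, not phplint's or sarif-php-sdk's code: build a minimal
// SARIF 2.1.0 log (tool.driver, originalUriBaseIds, results with
// physicalLocation) from lint findings.

/**
 * @param array<int, array{file: string, line: int, message: string}> $errors
 *        Relative file paths, 1-based line numbers and the lint message.
 * @param string $workingDir Absolute directory the relative paths resolve against.
 * @return array<string, mixed> The SARIF log as a PHP array ready for json_encode.
 */
function buildSarifLog(array $errors, string $workingDir, string $toolVersion): array
{
    $results = [];
    foreach ($errors as $error) {
        $results[] = [
            'message' => ['text' => $error['message']],
            'locations' => [[
                'physicalLocation' => [
                    'artifactLocation' => [
                        'uri' => $error['file'],
                        // Resolved by consumers against originalUriBaseIds below
                        'uriBaseId' => 'WORKINGDIR',
                    ],
                    'region' => ['startLine' => $error['line']],
                ],
            ]],
        ];
    }

    return [
        '$schema' => 'https://json.schemastore.org/sarif-2.1.0.json',
        'version' => '2.1.0',
        'runs' => [[
            'tool' => ['driver' => [
                'name' => 'PHPLint',
                'version' => $toolVersion,
                'informationUri' => 'https://github.com/overtrue/phplint',
            ]],
            'originalUriBaseIds' => [
                // SARIF base URIs must end with a slash
                'WORKINGDIR' => ['uri' => 'file://' . rtrim($workingDir, '/') . '/'],
            ],
            'results' => $results,
        ]],
    ];
}

/**
 * Encode the log. With $pretty = false this is the compact, single-line
 * form json_encode produces by default; $pretty = true adds indentation.
 */
function encodeSarif(array $log, bool $pretty): string
{
    $flags = JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR;
    if ($pretty) {
        $flags |= JSON_PRETTY_PRINT;
    }
    return json_encode($log, $flags);
}

// Constructed sample findings mirroring the two results shown in the issue.
$errors = [
    ['file' => 'tests/fixtures/syntax_error.php', 'line' => 4,
     'message' => 'unexpected end of file in line 4'],
    ['file' => 'tests/fixtures/php-8.2_syntax.php', 'line' => 12,
     'message' => 'False can not be used as a standalone type in line 12'],
];

$log = buildSarifLog($errors, '/shared/backups/github/phplint', '9.1.0');

echo encodeSarif($log, false), PHP_EOL; // compact form, as in the NB above
echo encodeSarif($log, true), PHP_EOL;  // human-readable form
```

Consumers such as code-scanning dashboards resolve each result's uri against the uriBaseId entry in originalUriBaseIds, so keeping the artifact URI relative (as phplint does) lets the same report be read on a machine where the checkout lives elsewhere; JSON_THROW_ON_ERROR turns an encoding failure (for example a non-UTF-8 lint message) into an exception instead of a silent false return.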