tomasbjerre / violations-lib

Java library for parsing report files from static code analysis.


Idea: add support for "Static Analysis Results Interchange Format (SARIF)"

ZyanKLee opened this issue · comments

From the specification at OASIS:

Software developers use a variety of analysis tools to assess the quality of their programs. These tools report results which can indicate problems related to program qualities such as correctness, security, performance, compliance with contractual or legal requirements, compliance with stylistic standards, understandability, and maintainability. To form an overall picture of program quality, developers often need to aggregate the results produced by all of these tools. This aggregation is more difficult if each tool produces output in a different format.

This document defines a standard format for the output of static analysis tools, called the Static Analysis Results Interchange Format, or “SARIF”[1].

[1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html

Some tools already implement this common format. I know about eslint and cfn-lint, though there may be others.

Looks very interesting!

I started fiddling with this in a branch:
https://github.com/tomasbjerre/violations-lib/tree/feature/sarif

The provided schema and the examples I find don't match. Specifically the physicalLocation has a uri attribute in examples I find, but that attribute does not exist in the schema.
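As an added illustration (not code from violations-lib or the branch above), a small Python parser for the SARIF 2.1.0 result shape under discussion: it flattens runs[].results[] into one record per location, applies the SARIF default level of "warning" when a result has none, and reads the file URI from physicalLocation.artifactLocation.uri while also accepting the bare physicalLocation.uri found in some examples. The SARIF document is constructed for this example.

```python
import json

# Constructed SARIF 2.1.0 log (not real tool output): one run with two results; the
# second uses the off-schema "physicalLocation.uri" shape mentioned in this thread.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-linter"}},
        "results": [
            {"ruleId": "R001", "level": "error",
             "message": {"text": "x is never used"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main.py"},
                 "region": {"startLine": 12, "startColumn": 5}}}]},
            {"ruleId": "R002",
             "message": {"text": "Missing docstring"},
             "locations": [{"physicalLocation": {
                 "uri": "src/util.py", "region": {"startLine": 3}}}]},
        ],
    }],
})

def _location_uri(physical):
    """File URI of a physicalLocation.
    The 2.1.0 schema nests it under artifactLocation; some emitters put it
    directly on physicalLocation, so accept both instead of dropping the
    finding (a silently dropped result is the worst failure for a quality gate).
    """
    artifact = physical.get("artifactLocation") or {}
    return artifact.get("uri") or physical.get("uri")

def parse_sarif(text):
    """Flatten every run's results into one violation dict per location."""
    violations = []
    for run in json.loads(text).get("runs", []):
        for result in run.get("results", []):
            # A result may carry no location at all; keep it rather than lose it.
            for loc in result.get("locations") or [{}]:
                physical = loc.get("physicalLocation", {})
                region = physical.get("region", {})
                violations.append({
                    "rule": result.get("ruleId"),
                    "severity": result.get("level", "warning"),  # SARIF default level
                    "message": result.get("message", {}).get("text", ""),
                    "file": _location_uri(physical),
                    "line": region.get("startLine", 0),
                    "column": region.get("startColumn", 0),
                })
    return violations
```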

Releasing such a parser now.