Add SARIF Reporter

[jcg-2]

Description

The Static Analysis Results Interchange Format (SARIF) standard might be a more appropriate format for consideration instead of/as well as JUnit (#10)

Links

• https://sarifweb.azurewebsites.net/
• https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif

[kehoecj]

@jcg-2 This looks great - sounds like a great candidate for a report format.

[armadi1809]

@kehoecj is this still up for grabs? If so, I would like to take a shot at it.

[kehoecj]

@kehoecj is this still up for grabs? If so, I would like to take a shot at it.

Thanks for volunteering! I assigned it to you

[armadi1809]

Starting to work on this now! Sorry for the delay.

[armadi1809]

@kehoecj Quick question, is there an example SARIF Report you would like us to follow here? If not, I suggest something like this maybe?

{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.4",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "config-file-validator",
          "informationUri": "https://github.com/Boeing/config-file-validator/issues/32",
        }
      },
      "artifacts": [
        {
          "location": {
            "uri": "path/to/config-file.yml"
          }
        }, 
        {
            "location": {
              "uri": "path/to/config-file.toml"
            }
        }
      ],
      "results": [
        {
          "level": "error",
          "message": {
            "text": "This will be filled by the message from the validator for first file"
          },
        }, 
        "level": "error",
          "message": {
            "text": "This will be filled by the message from the validator for second file"
        },
      ]
    }
  ]
} 

[kehoecj]

I don't know much about SARIF but the structure looks good. Only question I had was the uri attribute in artifacts. Is there attribute that can be used that's more indicative of a local file?

      "artifacts": [
        {
          "location": {
            "uri": "path/to/config-file.yml"
          }
        }, 
        {
            "location": {
              "uri": "path/to/config-file.toml"
            }
        }
      ],

Also what is the version attribute supposed to represent - the version of the SARIF schema? @jcg-2 Any feedback on this?

[armadi1809]

Unfortunately looks like there is no other alternatives for the uri. From the SARIF specs:

3.4 artifactLocation object
3.4.1 General
Certain properties in this document specify the location of an artifact. SARIF represents an artifact’s location with an artifactLocation object. The most important member of an artifactLocation object is its uri property (§3.4.3). If the uri property contains a relative reference (the term used in the URI standard [[RFC 3986](https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/sarif-v2.1.0-errata01-os-complete.html#RFC3986)] for what is commonly called a “relative URI”), the uriBaseId property (§3.4.4) can sometimes be used to resolve the relative reference to an absolute URI.

For the version

The sarifLog object has a required version property that must be "2.1.0". version should come first (even though JSON is insensitive to property order) so SARIF consumers such as viewers can "sniff" the version.

[kehoecj]

Unfortunately looks like there is no other alternatives for the uri. From the SARIF specs:

3.4 artifactLocation object

3.4.1 General

Certain properties in this document specify the location of an artifact. SARIF represents an artifact’s location with an artifactLocation object. The most important member of an artifactLocation object is its uri property (§3.4.3). If the uri property contains a relative reference (the term used in the URI standard [[RFC 3986](https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/sarif-v2.1.0-errata01-os-complete.html#RFC3986)] for what is commonly called a “relative URI”), the uriBaseId property (§3.4.4) can sometimes be used to resolve the relative reference to an absolute URI.

For the version

The sarifLog object has a required version property that must be "2.1.0". version should come first (even though JSON is insensitive to property order) so SARIF consumers such as viewers can "sniff" the version.

Thanks for the explanation! That looks good to me @jackswiney @jd4235 any concerns?

[armadi1809]

Looks like there is no opposition. I will start implementing the format suggested above then!

[kehoecj]

@armadi1809 Are you still planning to work this issue?

[armadi1809]

@kehoecj sorry, the holidays and then some personal stuff got me slacking on this one. I will hopefully have something ready by Monday. Sorry again!

[kehoecj]

@kehoecj sorry, the holidays and then some personal stuff got me slacking on this one. I will hopefully have something ready by Monday. Sorry again!

No rush at all! I was cleaning up the issues and just wanted to make sure some of the assignees were still interested in working the issues.

[shiina4119]

Hi, is this issue being worked on? If not, can I make a pull request?

[kehoecj]

@shiina4119 I think it's abandoned at this point. Someone made a pull request with some changes but didn't add any tests and hasn't responded for a long time. You can definitely take it on if you're willing!