Support SARIF output format
Closed this issue · 9 comments
Currently ZARN's output is just plain text on the command line; this is very limiting.
There is a standard called SARIF (https://sarifweb.azurewebsites.net): "The Static Analysis Results Interchange Format (SARIF) is an industry standard format for the output of static analysis tools."
Using SARIF, it is possible to integrate the results with several other platforms, have more consistency in the results structure, etc. It is a great wish that ZARN has a "--sarif" option for outputs of this type.
@htrgouvea, I have a doubt regarding supporting the SARIF output format. Is this issue about supporting the full set of information that SARIF can represent, or only a subset that represents ZARN's output possibilities?
Hi @scriptprivate,
Just for the possibilities of ZARN. Today I think it would be: vulnerability title, line and file.
Maybe there are some more.
Thanks for the response, @htrgouvea.
In this case, could you please assign me this issue?
Of course @scriptprivate! I'll leave it reserved for you for 5 days! Thanks!
Greetings, @htrgouvea
I pushed my commits for supporting SARIF output format at the develop branch of my ZARN fork, as required by the contributing docs, but I did not clearly understand the testing part of the documentation. What do you mean by "submit in the same PR a testing code (under t/ folder) to cover that completely"?
Thank you in advance for your response
Hi @scriptprivate, you can ignore this part of the tests, I haven't implemented anything like that yet. Can you open the PR? Thanks!
Hi @scriptprivate, I merged your code into develop, but it still doesn't support the output of multiple files. I'll wait for a FIX for this to close the issue and move the code to main.
Greetings @htrgouvea,
I'm already working on this; at the latest, by the end of the day I will have fixed this issue, but my expectation is to have fixed it within the next hour or so. I just made some small changes and tests locally, and it seems that when analyzing multiple files it passes through them, but the next analyzed file overwrites the output of the previous one until the last analyzed file, whose output is stored just fine, so probably it's just a matter of setting some kind of breakpoint.
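To make the requested shape concrete, here is an added example (not ZARN's code, and not from the original thread) that maps findings of the kind described in the opening post (vulnerability title, file, line) into one SARIF 2.1.0 log. It accumulates results from every analysed file into a single run, so a later file appends to rather than overwrites the earlier ones, which is the multi-file problem discussed above. The findings, file names and the rule-id derivation from the title are constructed assumptions.

```python
import json

# Constructed sample findings in the shape the thread describes
# (title, file, line); these are made-up values, not real ZARN output.
FINDINGS = [
    {"title": "Code Injection", "file": "lib/app.pl", "line": 42},
    {"title": "Command Injection", "file": "lib/util.pl", "line": 7},
    {"title": "Code Injection", "file": "lib/util.pl", "line": 19},
]


def rule_id(title):
    """Derive a stable rule id from the vulnerability title (assumption)."""
    return title.lower().replace(" ", "-")


def finding_to_result(finding):
    """Map one finding to a SARIF 'result' with a physical location."""
    return {
        "ruleId": rule_id(finding["title"]),
        "level": "warning",
        "message": {"text": finding["title"]},
        "locations": [{
            "physicalLocation": {
                "artifactLocation": {"uri": finding["file"]},
                "region": {"startLine": finding["line"]},
            }
        }],
    }


def build_sarif(findings, tool_name="ZARN"):
    """Build one run holding the results of ALL analysed files.

    Every finding is appended to the same results list, so output for a
    later file never replaces output collected for an earlier file.
    """
    results, rules = [], {}
    for finding in findings:
        result = finding_to_result(finding)
        results.append(result)
        rules.setdefault(result["ruleId"], {
            "id": result["ruleId"],
            "shortDescription": {"text": finding["title"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def to_json(findings):
    """Serialise the SARIF log as pretty-printed JSON."""
    return json.dumps(build_sarif(findings), indent=2)


if __name__ == "__main__":
    print(to_json(FINDINGS))
```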
Thanks @scriptprivate and @giovannism20 for the job! The code is already in the develop branch, I'm going to make some small adjustments and it should be in main by tomorrow.