SARIF is the Static Analysis Results Interchange Format. This project seeks to provide a simple interface to generate reports in the SARIF format.
This example is taken directly from the Microsoft SARIF pages:
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "ESLint",
          "informationUri": "https://eslint.org",
          "rules": [
            {
              "id": "no-unused-vars",
              "shortDescription": {
                "text": "disallow unused variables"
              },
              "helpUri": "https://eslint.org/docs/rules/no-unused-vars",
              "properties": {
                "category": "Variables"
              }
            }
          ]
        }
      },
      "artifacts": [
        {
          "location": {
            "uri": "file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js"
          }
        }
      ],
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'x' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js",
                  "index": 0
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5
                }
              }
            }
          ],
          "ruleId": "no-unused-vars",
          "ruleIndex": 0
        }
      ]
    }
  ]
}
One of the projects I like to contribute to is tfsec - this is a static analysis tool for Terraform which produces output in many formats. Generating SARIF reports is missing functionality and felt like it warranted being moved out to a project of its own.
For more information about SARIF, you can visit the Oasis Open site.
Add the package with go get github.com/shaopeng-gh/go-sarif/sarif and import it.
There are a number of ways to load the content of a SARIF report:
sarif.Open takes a file path and loads the SARIF from that location. It returns a report and any corresponding error.
sarif.FromBytes takes a byte slice and returns a report and any corresponding error.
sarif.FromString takes a string of the SARIF content and returns a report and any corresponding error.
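What loading and checking a report like the sample above involves, as an added example that is not part of go-sarif: it uses only Go's encoding/json rather than the sarif package. The names report, ErrorFindings and sample are made up for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of SARIF 2.1.0 used by the sample; encoding/json matches keys case-insensitively.
type report struct {
	Version string
	Runs    []struct {
		Tool struct {
			Driver struct {
				Name  string
				Rules []struct{ ID string }
			}
		}
		Results []struct {
			Level, RuleID string
			RuleIndex     *int // pointer so an absent ruleIndex differs from 0
			Message       struct{ Text string }
		}
	}
}

// ErrorFindings rejects input that is not SARIF 2.1.0 or whose ruleIndex points
// outside the driver's rules array, then returns one line per "error" result.
func ErrorFindings(data []byte) ([]string, error) {
	var r report
	if err := json.Unmarshal(data, &r); err != nil || r.Version != "2.1.0" {
		return nil, fmt.Errorf("not a SARIF 2.1.0 report (version %q): %v", r.Version, err)
	}
	var out []string
	for _, run := range r.Runs {
		for _, res := range run.Results {
			// -1 is the SARIF value for "no index"; anything else must be a valid index.
			if i := res.RuleIndex; i != nil && (*i < -1 || *i >= len(run.Tool.Driver.Rules)) {
				return nil, fmt.Errorf("ruleIndex %d out of range", *i)
			}
			if res.Level == "error" { // a result without a level is not counted
				out = append(out, run.Tool.Driver.Name+" "+res.RuleID+": "+res.Message.Text)
			}
		}
	}
	return out, nil
}

// Constructed sample, trimmed from the ESLint report above.
const sample = `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"ESLint","rules":[{"id":"no-unused-vars"}]}},
 "results":[{"level":"error","ruleId":"no-unused-vars","ruleIndex":0,"message":{"text":"'x' is assigned a value but never used."}}]}]}`

func main() { fmt.Println(ErrorFindings([]byte(sample))) }
```

A CI step can fail the build when the returned slice is non-empty or the error is non-nil.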
A new SARIF report is created by passing the version; the only version supported at the moment is 2.1.0.
For a detailed example, check the example folder: example/main.go.