GitHub - andrew/sarif: A Ruby SDK for SARIF (Static Analysis Results Interchange Format) 2.1.0.

sarif-ruby

A Ruby SDK for SARIF (Static Analysis Results Interchange Format) 2.1.0.

SARIF is an OASIS standard format for representing static analysis tool output. This gem provides Ruby classes for creating, reading, and manipulating SARIF files.

Installation

Add to your Gemfile:

Or install directly:

Usage

Creating SARIF output

require "sarif"

log = Sarif::Log.new(
  version: "2.1.0",
  runs: [
    Sarif::Run.new(
      tool: Sarif::Tool.new(
        driver: Sarif::ToolComponent.new(
          name: "my-linter",
          version: "1.0.0",
          information_uri: "https://example.com/my-linter"
        )
      ),
      results: [
        Sarif::Result.new(
          rule_id: "no-unused-vars",
          level: "warning",
          message: Sarif::Message.new(text: "Variable 'x' is unused"),
          locations: [
            Sarif::Location.new(
              physical_location: Sarif::PhysicalLocation.new(
                artifact_location: Sarif::ArtifactLocation.new(uri: "src/main.rb"),
                region: Sarif::Region.new(start_line: 10, start_column: 5)
              )
            )
          ]
        )
      ]
    )
  ]
)

# Write to file
Sarif.dump(log, "results.sarif")

# Write pretty-printed JSON
Sarif.dump(log, "results.sarif", pretty: true)

# Get JSON string
json = log.to_json(pretty: true)

Reading SARIF files

# Load from file
log = Sarif.load("results.sarif")

# Parse JSON string
log = Sarif.parse(json_string)

# Access data
log.runs.each do |run|
  puts "Tool: #{run.tool.driver.name}"

  run.results&.each do |result|
    puts "  #{result.rule_id}: #{result.message.text}"

    result.locations&.each do |location|
      loc = location.physical_location
      puts "    #{loc.artifact_location.uri}:#{loc.region&.start_line}"
    end
  end
end

Defining rules

Sarif::Run.new(
  tool: Sarif::Tool.new(
    driver: Sarif::ToolComponent.new(
      name: "my-linter",
      version: "1.0.0",
      rules: [
        Sarif::ReportingDescriptor.new(
          id: "no-unused-vars",
          name: "NoUnusedVariables",
          short_description: Sarif::MultiformatMessageString.new(
            text: "Disallow unused variables"
          ),
          full_description: Sarif::MultiformatMessageString.new(
            text: "Variables that are declared but never used are likely mistakes."
          ),
          default_configuration: Sarif::ReportingConfiguration.new(
            level: "warning"
          ),
          help_uri: "https://example.com/rules/no-unused-vars"
        )
      ]
    )
  ),
  results: [
    Sarif::Result.new(
      rule_id: "no-unused-vars",
      rule_index: 0,
      message: Sarif::Message.new(text: "Variable 'x' is unused")
    )
  ]
)

Result levels

SARIF defines four severity levels:

  • "error" - A serious problem
  • "warning" - A potential problem (default)
  • "note" - Informational finding
  • "none" - No severity

Sarif::Result.new(
  rule_id: "security-issue",
  level: "error",
  message: Sarif::Message.new(text: "SQL injection vulnerability")
)
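As an added example (not code from the gem or this README), the script below reads a SARIF 2.1.0 document of the kind Sarif.dump writes, resolves each result's effective level the way the spec does (result.level if present, else the rule's defaultConfiguration.level, else the "warning" default noted above), counts findings, and decides whether a CI gate should fail. It uses only the standard json library so it runs without the gem installed; the sample document and the effective_level/summarize helpers are constructed for illustration.

```ruby
require "json"

# Constructed SARIF 2.1.0 document of the shape Sarif.dump writes (sample data, not real tool output).
SAMPLE_SARIF = <<~JSON
  { "version": "2.1.0", "runs": [ { "tool": { "driver": { "name": "my-linter", "rules": [
      { "id": "no-unused-vars", "defaultConfiguration": { "level": "note" } },
      { "id": "sql-injection",  "defaultConfiguration": { "level": "error" } } ] } },
    "results": [
      { "ruleId": "no-unused-vars", "ruleIndex": 0, "message": { "text": "Variable 'x' is unused" },
        "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "src/main.rb" }, "region": { "startLine": 10 } } } ] },
      { "ruleId": "sql-injection", "ruleIndex": 1, "message": { "text": "SQL injection vulnerability" },
        "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "src/db.rb" }, "region": { "startLine": 42 } } } ] },
      { "ruleId": "unknown-rule", "level": "warning", "message": { "text": "Rule not listed in driver.rules" } }
    ] } ] }
JSON

# SARIF severity levels in increasing order of seriousness.
LEVELS = %w[none note warning error].freeze

# Effective level per SARIF 2.1.0: an explicit result.level wins; otherwise the rule's
# defaultConfiguration.level (rule found via ruleIndex, then ruleId); otherwise "warning".
def effective_level(result, rules)
  return result["level"] if result["level"]
  idx = result["ruleIndex"]
  rule = idx.is_a?(Integer) && idx.between?(0, rules.length - 1) ? rules[idx] : nil
  rule ||= rules.find { |r| r["id"] == result["ruleId"] }
  rule&.dig("defaultConfiguration", "level") || "warning"
end

# Count findings per effective level, render one line per finding, and decide whether a
# CI gate should fail: true if any finding is at or above the fail_on level.
def summarize(sarif_json, fail_on: "error")
  counts = Hash.new(0)
  findings = []
  JSON.parse(sarif_json).fetch("runs", []).each do |run|
    rules = run.dig("tool", "driver", "rules") || []
    (run["results"] || []).each do |res|
      level = effective_level(res, rules)
      counts[level] += 1
      loc = res.dig("locations", 0, "physicalLocation")
      uri = loc&.dig("artifactLocation", "uri") || "<no location>"
      line = loc&.dig("region", "startLine") || "?"
      findings << format("%-7s %s:%s %s (%s)", level, uri, line, res["ruleId"], res.dig("message", "text"))
    end
  end
  threshold = LEVELS.index(fail_on) || LEVELS.index("error")
  failed = counts.any? { |lvl, n| n > 0 && (LEVELS.index(lvl) || 0) >= threshold }
  { counts: counts, findings: findings, failed: failed }
end
```

Call `summarize(File.read("results.sarif"), fail_on: "warning")` and exit non-zero when `[:failed]` is true to gate a pipeline on a real tool's output.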

Available classes

The gem provides classes for all SARIF 2.1.0 types:

  • Sarif::Log - Root object containing runs
  • Sarif::Run - Single tool execution
  • Sarif::Tool - Tool metadata
  • Sarif::ToolComponent - Tool driver or extension
  • Sarif::Result - Individual finding
  • Sarif::Message - Human-readable message
  • Sarif::Location - Where a result was detected
  • Sarif::PhysicalLocation - File and region
  • Sarif::ArtifactLocation - File path or URI
  • Sarif::Region - Line/column range
  • Sarif::ReportingDescriptor - Rule definition
  • Sarif::ReportingConfiguration - Rule configuration
  • Sarif::Fix - Proposed fix
  • Sarif::Invocation - Tool execution details
  • ... and 40+ more

Regenerating classes

Classes are generated from the official SARIF JSON schema. To regenerate:

bundle exec rake sarif:generate

Links

Other SARIF SDKs

License

MIT License. See LICENSE for details.