feat: add SARIF 2.1.0 output (-f sarif)#34
Open
ChrisJr404 wants to merge 1 commit into knostic:master from
Conversation
Lets `openant report -f sarif results_verified.json` emit a SARIF log that GitHub Code Scanning and GitLab SAST can ingest without a converter, matching what every other SAST in this category supports. Renders Go-side via the same flow as -f html: Python's `report-data` subcommand returns pre-computed JSON, and BuildSARIF turns ReportData into a SARIF map. Findings become results, verdicts get synthesized into a `rules` array (vulnerable+bypassable as level `error`, inconclusive/unclear as `warning`, everything else as `note`). File paths land as artifactLocation.uri without a startLine, since the current Finding struct doesn't carry line numbers and emitting a synthetic 1 would anchor alerts to the wrong row in Code Scanning. Each result carries a partialFingerprints entry keyed "openant/file/function/verdict/v1" so re-runs dedupe cleanly, and versionControlProvenance is populated when ReportData.RepoURL is set (including revisionId from CommitSHA when available). 15 unit tests cover envelope shape, rule dedup by verdict, level mapping, path normalization, logical location, dynamic test property propagation, fingerprint stability, VCS provenance gating, the empty-AttackVector fallback that keeps message.text non-empty per spec, the 4 KiB message cap, and an end-to-end round-trip through json.Unmarshal.
db4edb8 to e4122c3
Adds `-f sarif` to `openant report`. Emits a SARIF 2.1.0 log so a scan can be uploaded to GitHub Code Scanning or GitLab SAST without writing a converter, which is the format every other SAST in this category supports.

Implementation mirrors `-f html`: Python's `report-data` returns the same pre-computed JSON we already use for HTML, and the SARIF emitter is purely Go-side (no LLM round-trip, deterministic). Findings become SARIF results, verdicts get hoisted into a synthesized `rules` list. `vulnerable` and `bypassable` surface as level `error`, `inconclusive` and `unclear` as `warning`, everything else as `note`.

Couple of choices worth calling out:

- No `startLine` in the location region. The current `Finding` struct only carries file + function, so I omit the region rather than emit a synthetic line 1 (which would anchor alerts to the wrong row in Code Scanning). When line numbers eventually land in `ReportData`, the region payload in `sarifLocationFor` is the only thing that needs to grow.
- `partialFingerprints` entry keyed `openant/file/function/verdict/v1`, so successive scans dedupe cleanly in Code Scanning instead of opening fresh alerts each run.
- `ReportData.Categories` supply the descriptions, falling back to a generic blurb if a verdict has no category entry.
- `versionControlProvenance` is emitted when `ReportData.RepoURL` is set, including `revisionId` from `CommitSHA` if available. Skipped entirely otherwise so we don't write a half-empty object.

Default output path is `<resultsDir>/final-reports/report.sarif`, matching the HTML default's directory layout.

15 unit tests in `internal/report/sarif_test.go` cover envelope shape, rule dedup, level mapping, path normalization (`./` strip + backslash conversion), logical location, dynamic test property propagation, fingerprint stability, VCS provenance gating, the empty-AttackVector fallback that keeps `message.text` non-empty per spec, the 4 KiB message cap, and an end-to-end round-trip through `json.Unmarshal` to confirm the emitted log is valid JSON. `go test ./...` is green; `gofmt` and `go vet` are clean.

Open to a different flag shape if you'd rather. Could be a flag on `scan` so it lands alongside `pipeline_output.json` automatically, or the rule synthesis can be split into something more granular if per-verdict rules feel too coarse for Code Scanning's per-rule severity controls.
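A compact illustration of the mapping the description lays out (verdict to level, one synthesized rule per verdict, `./` and backslash path normalization, a stable `partialFingerprints` key, provenance gated on `RepoURL`, a non-empty and capped `message.text`, no region because there are no line numbers), written as an added example and not the PR's own code. `Finding`, `ReportData` and `BuildSARIF` here are stand-ins that carry only what the description mentions; `ReportData.Categories` and `sarifLocationFor` are left out, the fingerprint value is a SHA-256 over path, function and verdict (an assumption, since the PR does not say how its value is formed), and the schema URL, rule IDs and sample findings are my own choices.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Finding and ReportData are hypothetical stand-ins for the project's types, carrying only
// what the PR description mentions: file + function (no line numbers), optional RepoURL/CommitSHA.
type Finding struct{ File, Function, Verdict, AttackVector string }
type ReportData struct { Findings []Finding; RepoURL, CommitSHA string }

const maxMessageBytes = 4096 // cap on message.text

// sarifLevel maps an OpenAnt verdict onto a SARIF result level.
func sarifLevel(verdict string) string {
	switch strings.ToLower(verdict) {
	case "vulnerable", "bypassable":
		return "error"
	case "inconclusive", "unclear":
		return "warning"
	default:
		return "note"
	}
}

// normalizePath converts backslashes and strips a leading "./" so artifactLocation.uri is a relative, portable path.
func normalizePath(p string) string {
	return strings.TrimPrefix(strings.ReplaceAll(p, `\`, "/"), "./")
}

// messageText keeps message.text non-empty (the spec requires it) and enforces the byte cap
// without leaving a split multi-byte rune at the cut, so the log stays valid UTF-8/JSON.
func messageText(f Finding) string {
	text := f.AttackVector
	if strings.TrimSpace(text) == "" {
		text = fmt.Sprintf("%s verdict for %s in %s", f.Verdict, f.Function, f.File)
	}
	if len(text) > maxMessageBytes {
		text = strings.ToValidUTF8(text[:maxMessageBytes], "")
	}
	return text
}

// BuildSARIF: one rule per distinct verdict, one result per finding with no region (nothing to
// anchor a line to), and versionControlProvenance only when RepoURL is set.
func BuildSARIF(rd ReportData) map[string]any {
	rules, results := []map[string]any{}, []map[string]any{}
	ruleIndex := map[string]int{}
	for _, f := range rd.Findings {
		ruleID := "openant/" + strings.ToLower(f.Verdict)
		idx, seen := ruleIndex[ruleID]
		if !seen {
			idx, ruleIndex[ruleID] = len(rules), len(rules)
			rules = append(rules, map[string]any{"id": ruleID, "defaultConfiguration": map[string]any{"level": sarifLevel(f.Verdict)}})
		}
		uri := normalizePath(f.File)
		// Assumed fingerprint scheme: SHA-256 over normalised path, function and verdict (stable across runs).
		sum := sha256.Sum256([]byte(uri + "\x00" + f.Function + "\x00" + ruleID))
		results = append(results, map[string]any{
			"ruleId": ruleID, "ruleIndex": idx, "level": sarifLevel(f.Verdict),
			"message": map[string]any{"text": messageText(f)},
			"locations": []map[string]any{{
				"physicalLocation": map[string]any{"artifactLocation": map[string]any{"uri": uri}},
				"logicalLocations": []map[string]any{{"name": f.Function, "kind": "function"}},
			}},
			"partialFingerprints": map[string]any{"openant/file/function/verdict/v1": hex.EncodeToString(sum[:])},
		})
	}
	run := map[string]any{
		"tool":    map[string]any{"driver": map[string]any{"name": "openant", "rules": rules}},
		"results": results,
	}
	if rd.RepoURL != "" { // skipped entirely rather than writing a half-empty object
		vcs := map[string]any{"repositoryUri": rd.RepoURL}
		if rd.CommitSHA != "" {
			vcs["revisionId"] = rd.CommitSHA
		}
		run["versionControlProvenance"] = []map[string]any{vcs}
	}
	return map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"version": "2.1.0",
		"runs":    []map[string]any{run},
	}
}

func main() { // constructed sample input, not real scan output
	rd := ReportData{Findings: []Finding{
		{File: `.\src\auth.go`, Function: "Login", Verdict: "vulnerable", AttackVector: "SQL in username"},
		{File: "./src/auth.go", Function: "Reset", Verdict: "Vulnerable"},
		{File: "./src/util.go", Function: "Parse", Verdict: "unclear", AttackVector: "needs review"},
	}, RepoURL: "https://github.com/example/repo", CommitSHA: "0123abcd"}
	out, _ := json.MarshalIndent(BuildSARIF(rd), "", "  ")
	fmt.Println(string(out))
}
```

Two details worth checking in any real emitter: the cap is applied in bytes and then re-validated as UTF-8, because a byte slice that cuts through a multi-byte rune will be rejected or mangled by consumers even though the JSON encoder escapes it; and `results` and `rules` start as empty slices, not nil, so the log carries `[]` rather than `null` when a scan has no findings.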