If an external artifact is a text artifact, a SARIF file will include an `artifactContent` object inside a `result.locations.region.snippet` property to:

- allow a SARIF viewer to present the contents of the region even if the artifact from which it was taken is not available.
- allow an end user examining a SARIF log file to see the relevant content without opening another file.
- improve result matching.
Problem
The `text` property can be limited in scope, especially in traditional SAST scanning scenarios where only the individual offending line (or a small subset of lines) is flagged. With just the SARIF file, a human cannot see the surrounding code within which that `text` exists.
Proposed Solution
An optional `context` property that tools can populate with a larger window of text (such as the function/method body within which the flagged line of code is implemented) would accompany the `text` flagged by a SAST run and help a human understand the context within which the flagged code exists.
Additionally, when using generative AI to aid in SAST triage, the LLM's large input context window can be leveraged by passing the optional `context` text to the model as additional prompt tokens, which is likely to improve the quality of its output.
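The following is an added example, not code from the SARIF specification or from any existing tool, showing how a scanner could emit the flagged line in `snippet.text` together with the enclosing function body as the proposed larger window. Because `context` is not a property of `artifactContent` in SARIF 2.1.0, the example stores it by default in the snippet's `properties` bag (which every SARIF object may carry) and only emits a first-class `snippet.context` key when asked to, so the output stays schema-valid until the proposal is adopted. The sample source file, the rule id `EXAMPLE0001` and the tool name `example-sast` are constructed for the example; the enclosing-function lookup uses Python's `ast` module and therefore applies to Python targets only.

```python
"""Emit a SARIF result whose region snippet carries the flagged line and,
as proposed, a larger window of surrounding code for human and LLM triage."""
import ast
import json

# Constructed sample target file: one small module with a single function.
SAMPLE_SOURCE = """\
import subprocess

def run_report(user_input):
    cmd = "report --name " + user_input
    subprocess.run(cmd, shell=True)
    return 0
"""


def enclosing_function_window(source, line):
    """Return (start_line, end_line), 1-based inclusive, of the innermost
    function or method that contains `line`; fall back to the line itself."""
    tree = ast.parse(source)
    spans = [
        (node.lineno, node.end_lineno)
        for node in ast.walk(tree)
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))
        and node.lineno <= line <= node.end_lineno
    ]
    if not spans:
        return (line, line)
    # Several definitions may contain the line (nested functions); keep the tightest.
    return min(spans, key=lambda span: span[1] - span[0])


def lines_of(source, start, end):
    """Slice lines start..end (1-based, inclusive) keeping line endings."""
    return "".join(source.splitlines(keepends=True)[start - 1:end])


def make_snippet(source, line, proposed_context_property=False):
    """Build the artifactContent object for a region: `text` holds the flagged
    line, and the enclosing function body becomes the larger context window."""
    start, end = enclosing_function_window(source, line)
    snippet = {"text": lines_of(source, line, line)}
    context = lines_of(source, start, end)
    if proposed_context_property:
        snippet["context"] = context          # shape proposed above (hypothetical key)
    else:
        snippet["properties"] = {"context": context}  # schema-valid property bag today
    return snippet


def make_sarif_log(uri, source, line, rule_id, message, proposed_context_property=False):
    """Assemble a minimal SARIF 2.1.0 log with one result at `uri`:`line`."""
    region = {"startLine": line, "snippet": make_snippet(source, line, proposed_context_property)}
    result = {
        "ruleId": rule_id,
        "level": "warning",
        "message": {"text": message},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}, "region": region}}],
    }
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "example-sast", "rules": [{"id": rule_id}]}},
            "results": [result],
        }],
    }


def context_of(sarif_log):
    """Read the context window back from the first result, whichever place it was stored."""
    snippet = sarif_log["runs"][0]["results"][0]["locations"][0]["physicalLocation"]["region"]["snippet"]
    return snippet.get("context") or snippet.get("properties", {}).get("context", "")


def triage_prompt(sarif_log):
    """Render a reviewer- or LLM-facing view: the context window with the
    flagged line marked, so the finding can be judged without opening the file."""
    result = sarif_log["runs"][0]["results"][0]
    region = result["locations"][0]["physicalLocation"]["region"]
    flagged = region["snippet"]["text"]
    body = "".join(
        ("> " if ln == flagged else "  ") + ln
        for ln in context_of(sarif_log).splitlines(keepends=True)
    )
    return "Finding %s: %s\n%s" % (result["ruleId"], result["message"]["text"], body)


if __name__ == "__main__":
    log = make_sarif_log("src/report.py", SAMPLE_SOURCE, 5, "EXAMPLE0001",
                         "subprocess called with shell=True on untrusted input")
    print(json.dumps(log, indent=2))
    print(triage_prompt(log))
```

`triage_prompt` is what the page's second motivation looks like in practice: the marked-up context window is the text a reviewer or a model actually needs, and it is derived entirely from the log, so the scanner output is self-contained even when the repository is unavailable.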