overtrue / phplint

:bug: A tool that can speed up linting of php files by running several lint processes at once.
MIT License

Add SARIF output format #186

Closed llaville closed 6 months ago

llaville commented 1 year ago

New Feature

Summary

SARIF (Static Analysis Results Interchange Format) is an OASIS Standard that defines an output file format.

Description

The SARIF standard is used to streamline how static analysis tools share their results by implementing a subset of the SARIF 2.1.0 JSON schema.

It would be cool to have a such output format in PHPLint.

Other Static Tool Analysers like

Because I didn't find any PHP library that supports the SARIF v2 specifications, I've published a PHP SDK as a new bartlett/sarif-php-sdk package, already available on Packagist, that implements the full v2.1.0 specifications.

There are many examples of all SARIF objects on my GitHub project page, which make it easy to include in any other PHP Static Tool Analyser.

llaville commented 1 year ago

Here is a preview of what it will look like!

Suppose we analyse the PHPLint source code with the command bin/phplint examples/ tests/. Then, with v9.0.3, you should get something like the following output:

[screenshot: phplint-9-0-3]

And if we add the log-sarif option (bin/phplint examples/ tests/ -vvv --log-sarif), we could get the following result on standard output:

{
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [
        {
            "tool": {
                "driver": {
                    "name": "PHPLint",
                    "version": "9.1.0",
                    "informationUri": "https://github.com/overtrue/phplint"
                }
            },
            "originalUriBaseIds": {
                "WORKINGDIR": {
                    "uri": "file:///shared/backups/github/phplint/"
                }
            },
            "results": [
                {
                    "message": {
                        "text": "unexpected end of file in line 4"
                    },
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "tests/fixtures/syntax_error.php",
                                    "uriBaseId": "WORKINGDIR"
                                },
                                "region": {
                                    "startLine": 4
                                }
                            }
                        }
                    ]
                },
                {
                    "message": {
                        "text": "False can not be used as a standalone type in line 12"
                    },
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "tests/fixtures/php-8.2_syntax.php",
                                    "uriBaseId": "WORKINGDIR"
                                },
                                "region": {
                                    "startLine": 12
                                }
                            }
                        }
                    ]
                }
            ]
        }
    ]
}

It's not yet completed, but a nice beginning, isn't it?
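As an added example that is not part of this thread or of PHPLint, here is a small consumer for the SARIF 2.1.0 log shown above, as a CI job might use it: it resolves each result's uriBaseId through the run's originalUriBaseIds (WORKINGDIR in the preview) and keeps results that carry no location or no region rather than dropping them. The sample log is a constructed, trimmed copy of the preview; the function and constant names are hypothetical.

```python
import json

# Constructed sample: a trimmed copy of the SARIF 2.1.0 log shown in this thread.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "PHPLint", "version": "9.1.0"}},
        "originalUriBaseIds": {"WORKINGDIR": {"uri": "file:///shared/backups/github/phplint/"}},
        "results": [
            {"message": {"text": "unexpected end of file in line 4"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures/syntax_error.php", "uriBaseId": "WORKINGDIR"},
                 "region": {"startLine": 4}}}]},
            {"message": {"text": "False can not be used as a standalone type in line 12"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures/php-8.2_syntax.php", "uriBaseId": "WORKINGDIR"},
                 "region": {"startLine": 12}}}]},
        ],
    }],
})


def extract_findings(sarif_text):
    """Return (tool, absolute_uri, line, message) for every result in every run.

    uriBaseId is resolved through the run's originalUriBaseIds. A result with no
    location or no region is still returned (uri/line None) so nothing is dropped.
    """
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        bases = {k: v["uri"] for k, v in run.get("originalUriBaseIds", {}).items()}
        for result in run.get("results", []):
            message = result["message"]["text"]
            for loc in result.get("locations") or [{}]:  # [{}] keeps location-less results
                phys = loc.get("physicalLocation", {})
                art = phys.get("artifactLocation", {})
                uri = art.get("uri")
                full = bases.get(art.get("uriBaseId"), "") + uri if uri else None
                line = phys.get("region", {}).get("startLine")
                findings.append((tool, full, line, message))
    return findings


if __name__ == "__main__":
    for tool, uri, line, message in extract_findings(SAMPLE_SARIF):
        print(f"{tool}: {uri}:{line}: {message}")
```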

llaville commented 6 months ago

Finally, this feature will be re-integrated into the next version, 9.2.0. It will come shortly now!

llaville commented 6 months ago

The solution is based on the new version 1.2.0 of bartlett/sarif-php-sdk (see https://github.com/llaville/sarif-php-sdk/releases/tag/1.2.0).

llaville commented 6 months ago

Available now: https://github.com/overtrue/phplint/releases/tag/9.2.0

E.g.: [screenshot: sarif-log]

NB: By default the SARIF report is (like the native PHP json_encode function) unprettified (not human-readable).