Sarif output should use the final schema version

[C-Side]

Summary

When the sarif output is used it will use the schema https://json.schemastore.org/sarif-2.1.0-rtm.5.json which is apparently now deprecated because a final version was released. The correct schema should be https://json.schemastore.org/sarif-2.1.0.json.

Steps to reproduce:

1. run tflint anywhere with the -f=sarif flag set
2. See the output use the schema "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json"

I got the info from this validator which prints: SARIF1011: The '$schema' property must refer to the final version of the SARIF 2.1.0 schema. This enables IDEs to provide Intellisense for SARIF log files. The SARIF standard was developed over several years, and many intermediate versions of the schema were produced. Now that the standard is final, only the OASIS standard version of the schema is valid.

Command

tflint -f=sarif

Terraform Configuration

TFLint Configuration

Output

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "tflint",
          "version": "0.50.3",
          "informationUri": "https://github.com/terraform-linters/tflint"
        }
      },
      "results": []
    },
    {
      "tool": {
        "driver": {
          "name": "tflint-errors",
          "version": "0.50.3",
          "informationUri": "https://github.com/terraform-linters/tflint"
        }
      },
      "results": []
    }
  ]
}

TFLint Version

0.50.3

Terraform Version

No response

Operating System

• [ ] Linux
• [ ] macOS
• [X] Windows

[wata727]

Thank you for raising this issue. This seems to be fixed in go-sarif v2. https://github.com/owenrumney/go-sarif/pull/59

TFLint uses go-sarif v1, so we will need to update it.

[C-Side]

I guess this doesn't have super high priority, I'm not eagerly awaiting this. I just came across it and thought it would maybe be nice to let you know