tomasbjerre / violations-lib

Java library for parsing report files from static code analysis.
Apache License 2.0

Idea: add support for "Static Analysis Results Interchange Format (SARIF)" #134

Closed ZyanKLee closed 2 years ago

ZyanKLee commented 2 years ago

From the specification at OASIS:

Software developers use a variety of analysis tools to assess the quality of their programs. These tools report results which can indicate problems related to program qualities such as correctness, security, performance, compliance with contractual or legal requirements, compliance with stylistic standards, understandability, and maintainability. To form an overall picture of program quality, developers often need to aggregate the results produced by all of these tools. This aggregation is more difficult if each tool produces output in a different format.

This document defines a standard format for the output of static analysis tools, called the Static Analysis Results Interchange Format, or “SARIF”[1].

[1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html

Some tools already implement this common format. I know about eslint and cfn-lint, though there may be others.

tomasbjerre commented 2 years ago

Looks very interesting!

tomasbjerre commented 2 years ago

I started fiddling with this in a branch: https://github.com/tomasbjerre/violations-lib/tree/feature/sarif

The provided schema and the examples I find don't match. Specifically the physicalLocation has a uri attribute in examples I find, but that attribute does not exist in the schema.
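As an added example (not violations-lib code, and not from this thread), a minimal SARIF 2.1.0 reader in Python that tolerates the mismatch described above: it reads `physicalLocation.artifactLocation.uri` as the 2.1.0 schema defines and falls back to a bare `physicalLocation.uri` where an example puts it there. The sample log, tool name and rule ids are constructed.

```python
import json

# Constructed sample log (not from the page): two results, one using the
# 2.1.0 schema shape (artifactLocation.uri), one using the bare
# physicalLocation.uri shape found in some published examples.
SAMPLE_SARIF = """{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-linter"}},
    "results": [
      {"ruleId": "no-eval", "level": "error",
       "message": {"text": "eval can execute untrusted input"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/app.js"}, "region": {"startLine": 12}}}]},
      {"ruleId": "E3012", "message": {"text": "Property value is not a string"},
       "locations": [{"physicalLocation": {
         "uri": "template.yaml", "region": {"startLine": 40}}}]}
    ]
  }]
}"""

def _location(loc):
    # Tolerate both shapes: 2.1.0 schema (artifactLocation.uri) and the
    # bare physicalLocation.uri that the schema does not define.
    phys = loc.get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri")
    if uri is None:
        uri = phys.get("uri")
    return uri, phys.get("region", {}).get("startLine")

def parse_sarif(text):
    # Flatten every run/result/location into one finding dict per location.
    log = json.loads(text)
    if "runs" not in log:
        raise ValueError("not a SARIF log: no 'runs' array")
    findings = []
    for run in log["runs"]:
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            # A result with no location is still reported, with file=None.
            for loc in result.get("locations") or [{}]:
                uri, line = _location(loc)
                findings.append({"tool": tool, "rule": result.get("ruleId"),
                                 "level": result.get("level", "warning"),
                                 "message": result.get("message", {}).get("text", ""),
                                 "file": uri, "line": line})
    return findings
```

A result without `level` is reported as `warning`, the fallback the specification uses when neither the result nor its rule sets one.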

tomasbjerre commented 2 years ago

Releasing such a parser now.