fix: harden SARIF for GitHub Code Scanning

[Darkroom4364]

Summary:

• emit repo-relative SARIF artifact URIs for relative paths and proper file URIs for absolute paths
• add tool.driver.rules metadata with default levels, security tags, security-severity, and result ruleIndex references
• add stable partialFingerprints for GitHub Code Scanning alert identity
• cover the builder helpers and real CLI SARIF fixture output

Verified current gaps:

• current SARIF emitted relative findings as file://tests/..., which is not a repo-relative artifact URI; fixed
• current SARIF results lacked partialFingerprints; fixed
• current SARIF lacked tool.driver.rules metadata and ruleIndex links; fixed

Skipped:

• live upload validation to GitHub Code Scanning, because this local workspace does not have an upload-token workflow context; the PR adds regression coverage for the GitHub-compatible report shape instead

Validation:

• cargo fmt
• cargo test report::sarif
• cargo test test_sarif_output_valid
• cargo test
• cargo clippy
• git diff --check

Closes #311

Summary by CodeRabbit

• New Features

  • Enhanced SARIF report generation with comprehensive rule metadata and security severity scoring.
  • Improved path URI handling with better Windows absolute-path and URI-scheme detection.
  • Added result fingerprinting and expanded metadata fields for improved code-scanning tool integration.

• Tests

  • Added validation for SARIF metadata, rule mappings, and security-severity properties.

[coderabbitai]

📝 Walkthrough

Walkthrough

SARIF output is enhanced with rule metadata collection, computed partial fingerprints, and improved URI handling to improve GitHub Code Scanning compatibility. Rule metadata is aggregated from findings, fingerprints are computed from finding identity and location, and the complete rules array is emitted in the SARIF driver section with each result mapped by index.

Changes

SARIF Rule Metadata and Fingerprints

Layer / File(s)	Summary
Path URI handling and import expansion src/report/sarif.rs	Imports expanded and path_to_uri updated to normalize backslashes, detect URI schemes, strip leading ./, and generate properly encoded URIs.
Rule metadata and fingerprint helpers src/report/sarif.rs	Helper functions for URI-scheme detection, Windows absolute paths, rule aggregation via RuleMetadata and collect_rules, severity text formatting, and fingerprint computation (line-hash and start-column).
SARIF generation with rule index and fingerprints src/report/sarif.rs	Result construction sets ruleIndex from precomputed rule-index map, uses computed artifact_uri in locations, includes partialFingerprints with line-hash and column fingerprints, and emits rules array in SARIF driver section.
Unit and integration test coverage src/report/sarif.rs, tests/integration.rs	Unit tests validate path_to_uri for relative/absolute paths; integration test assertions verify presence/non-emptiness of tool-driver rule metadata, correct ruleIndex ↔ ruleId mapping, artifact URI format (no file:// for repo-relative), and required primaryLocationLineHash fingerprint and rule security-severity properties.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• PwnKit-Labs/foxguard#268: Modifies src/report/sarif.rs to add depName property to SARIF results alongside other output changes.

Suggested reviewers

• peaktwilight

Poem

🐰 Our SARIF grows more precise today,
With rules and fingerprints on display,
GitHub Code Scanning will smile with glee,
At metadata perfect and URIs free!
Hop hop, the findings shine so bright! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: harden SARIF for GitHub Code Scanning' directly describes the main change: improving SARIF output for GitHub Code Scanning compatibility.
Linked Issues check	✅ Passed	The PR implements all key requirements from issue #311: repo-relative artifact URIs, tool.driver.rules metadata with severity/security-severity, partialFingerprints, ruleIndex references, and test coverage.
Out of Scope Changes check	✅ Passed	All changes in src/report/sarif.rs and tests/integration.rs are directly scoped to GitHub Code Scanning SARIF improvements with no unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch issue-311-sarif-github

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/report/sarif.rs`:
- Around line 30-36: The current branch handling paths uses normalized,
is_windows_drive_absolute, and encoded to build file:// URIs but doesn't treat
UNC paths correctly; add a branch that detects UNC-style absolute paths (when
normalized starts with "//") before the existing starts_with('/') check and
produce a host-based URI like file://server/path by stripping the leading
double-slash from encoded (or otherwise removing exactly one of the leading
slashes) so the output is "file://{host_and_path}" rather than "file:////...";
keep the existing is_windows_drive_absolute handling unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 1457cf76-2dc0-45dd-97b5-c0684c36bb49

📥 Commits

Reviewing files that changed from the base of the PR and between 2da1ebd and fc7737d.

📒 Files selected for processing (2)

• src/report/sarif.rs
• tests/integration.rs

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Handle UNC absolute paths as host-based file:// URIs.

UNC paths (e.g., \\server\share\app.js) normalize to //server/share/app.js, but this branch emits file:////server/... instead of file://server/..., which can break downstream path resolution.

🔧 Proposed fix + regression test

 fn path_to_uri(path: &str) -> String {
@@
-    if normalized.starts_with('/') {
+    if normalized.starts_with("//") {
+        // UNC path: //server/share/file -> file://server/share/file
+        format!("file:{encoded}")
+    } else if normalized.starts_with('/') {
         format!("file://{encoded}")
     } else if is_windows_drive_absolute(normalized) {
         format!("file:///{encoded}")
@@
     fn absolute_paths_emit_file_uris() {
         assert_eq!(path_to_uri("/tmp/app.js"), "file:///tmp/app.js");
         assert_eq!(path_to_uri("C:\\tmp\\app.js"), "file:///C:/tmp/app.js");
+        assert_eq!(
+            path_to_uri("\\\\server\\share\\app.js"),
+            "file://server/share/app.js"
+        );
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if normalized.starts_with('/') {
	format!("file://{encoded}")
	} else if is_windows_drive_absolute(normalized) {
	format!("file:///{encoded}")
	} else {
	encoded
	}
	if normalized.starts_with("//") {
	// UNC path: //server/share/file -> file://server/share/file
	format!("file:{encoded}")
	} else if normalized.starts_with('/') {
	format!("file://{encoded}")
	} else if is_windows_drive_absolute(normalized) {
	format!("file:///{encoded}")
	} else {
	encoded
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/report/sarif.rs` around lines 30 - 36, The current branch handling paths
uses normalized, is_windows_drive_absolute, and encoded to build file:// URIs
but doesn't treat UNC paths correctly; add a branch that detects UNC-style
absolute paths (when normalized starts with "//") before the existing
starts_with('/') check and produce a host-based URI like file://server/path by
stripping the leading double-slash from encoded (or otherwise removing exactly
one of the leading slashes) so the output is "file://{host_and_path}" rather
than "file:////..."; keep the existing is_windows_drive_absolute handling
unchanged.