fix: Align SARIF field names with official schema formatting (URI-fields) #95

Merged

owenrumney merged 2 commits into owenrumney:main from scribe-security:patch/sarif-uri-field-names on Mar 26, 2025

Conversation

@cppvik (Contributor) commented Mar 26, 2025

In both SARIF schemas for v2.1.0 and v2.2, the URI substring in field names is stylized as Uri.

This PR updates the affected fields in the Go implementation to match the official SARIF schema conventions.


To illustrate the issue, here’s the validation result of test/v210/testdata/new_simple_report_with_propertybag.json (before the fix), generated by SARIF Validator.

Note the JSON1005 error on runs[0].tool.driver.informationURI:

An object contains a property not defined by the schema, and the schema does not permit additional properties.

Details
{
 "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.6.json",
 "version": "2.1.0",
 "runs": [
  {
   "results": [
    {
     "ruleId": "JSON1005",
     "ruleIndex": 0,
     "level": "error",
     "message": {
      "id": "default",
      "arguments": [
       "runs[0].tool.driver.informationURI",
       "informationURI"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///C:/home/site/wwwroot/UploadedFiles/97678355-6867-45a2-9f01-2dfdd452781c.json"
        },
        "region": {
         "startLine": 23,
         "startColumn": 27
        }
       }
      }
     ],
     "properties": {
      "jsonPath": "runs[0].tool.driver.informationURI"
     }
    },
    {
     "ruleId": "SARIF2003",
     "ruleIndex": 1,
     "level": "note",
     "message": {
      "id": "Note_Default",
      "arguments": [
       "runs[0]"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///C:/home/site/wwwroot/UploadedFiles/97678355-6867-45a2-9f01-2dfdd452781c.json"
        },
        "region": {
         "startLine": 5,
         "startColumn": 5
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2005",
     "ruleIndex": 2,
     "message": {
      "id": "Warning_ProvideToolVersion",
      "arguments": [
       "runs[0].tool.driver",
       "tfsec",
       "'version', 'semanticVersion', 'dottedQuadFileVersion'"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///C:/home/site/wwwroot/UploadedFiles/97678355-6867-45a2-9f01-2dfdd452781c.json"
        },
        "region": {
         "startLine": 18,
         "startColumn": 19
        }
       }
      }
     ]
    },
    {
     "ruleId": "SARIF2012",
     "ruleIndex": 3,
     "level": "note",
     "message": {
      "id": "Note_ProvideMetadataForAllViolatedRules",
      "arguments": [
       "runs[0].tool.driver"
      ]
     },
     "locations": [
      {
       "physicalLocation": {
        "artifactLocation": {
         "uri": "file:///C:/home/site/wwwroot/UploadedFiles/97678355-6867-45a2-9f01-2dfdd452781c.json"
        },
        "region": {
         "startLine": 18,
         "startColumn": 19
        }
       }
      }
     ]
    }
   ],
   "tool": {
    "driver": {
     "name": "SarifWeb",
     "organization": "SarifWeb",
     "product": "SarifWeb",
     "fullName": "SarifWeb 1.0.0.0",
     "version": "1.0.0.0",
     "semanticVersion": "1.0.0",
     "rules": [
      {
       "id": "JSON1005",
       "name": "AdditionalPropertiesProhibited",
       "fullDescription": {
        "text": "An object contains a property not defined by the schema, and the schema does not permit additional properties."
       },
       "messageStrings": {
        "default": {
         "text": "{0}: The schema does not define a property '{1}', and the schema does not permit additional properties."
        }
       },
       "defaultConfiguration": {
        "level": "error"
       }
      },
      {
       "id": "SARIF2003",
       "name": "ProvideVersionControlProvenance",
       "fullDescription": {
        "text": "Provide 'versionControlProvenance' to record which version of the code was analyzed, and to enable paths to be expressed relative to the root of the repository."
       },
       "messageStrings": {
        "Note_Default": {
         "text": "{0}: This run does not provide 'versionControlProvenance'. As a result, it is not possible to determine which version of code was analyzed, nor to map relative paths to their locations within the repository."
        }
       },
       "defaultConfiguration": {
        "level": "note"
       },
       "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
      },
      {
       "id": "SARIF2005",
       "name": "ProvideToolProperties",
       "fullDescription": {
        "text": "Provide information that makes it easy to identify the name and version of your tool.\r\n\r\nThe tool's 'name' property should be no more than three words long. This makes it easy to remember and allows it to fit into a narrow column when displaying a list of results. If you need to provide more information about your tool, use the 'fullName' property.\r\n\r\nThe tool should provide either or both of the 'version' and 'semanticVersion' properties. This enables the log file consumer to determine whether the file was produced by an up to date version, and to avoid accidentally comparing log files produced by different tool versions.\r\n\r\nIf 'version' is used, facilitate comparison between versions by specifying a version number that starts with an integer, optionally followed by any desired characters."
       },
       "messageStrings": {
        "Warning_ProvideToolVersion": {
         "text": "{0}: The tool '{1}' does not provide any of the version-related properties {2}. Providing version information enables the log file consumer to determine whether the file was produced by an up to date version, and to avoid accidentally comparing log files produced by different tool versions."
        },
        "Warning_ProvideConciseToolName": {
         "text": "{0}: The tool name '{1}' contains {2} words, which is more than the recommended maximum of {3} words. A short tool name is easy to remember and fits into a narrow column when displaying a list of results. If you need to provide more information about your tool, use the 'fullName' property."
        },
        "Warning_UseNumericToolVersions": {
         "text": "{0}: The tool '{1}' contains the 'version' property '{2}', which is not numeric. To facilitate comparison between versions, specify a 'version' that starts with an integer, optionally followed by any desired characters."
        },
        "Warning_ProvideToolnformationUri": {
         "text": "{0}: The tool '{1}' does not provide 'informationUri'. This property helps the developer responsible for addessing a result by providing a way to learn more about the tool."
        }
       },
       "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
      },
      {
       "id": "SARIF2012",
       "name": "ProvideRuleProperties",
       "fullDescription": {
        "text": "Rule metadata should provide information that makes it easy to understand and fix the problem.\r\n\r\nProvide the 'name' property, which contains a \"friendly name\" that helps users see at a glance the purpose of the rule. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'.\r\n\r\nProvide the 'helpUri' property, which contains a URI where users can find detailed information about the rule. This information should include a detailed description of the invalid pattern, an explanation of why the pattern is poor practice (particularly in contexts such as security or accessibility where driving considerations might not be readily apparent), guidance for resolving the problem (including describing circumstances in which ignoring the problem altogether might be appropriate), examples of invalid and valid patterns, and special considerations (such as noting when a violation should never be ignored or suppressed, noting when a violation could cause downstream tool noise, and noting when a rule can be configured in some way to refine or alter the analysis)."
       },
       "messageStrings": {
        "Note_FriendlyNameNotAPascalIdentifier": {
         "text": "{0}: '{1}' is not a Pascal-case identifier. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'."
        },
        "Note_ProvideFriendlyName": {
         "text": "{0}: The rule '{1}' does not provide a \"friendly name\" in its 'name' property. The friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName', that helps users see at a glance the purpose of the analysis rule."
        },
        "Note_ProvideHelpUri": {
         "text": "{0}: The rule '{1}' does not provide a help URI. Providing a URI where users can find detailed information about the rule helps users to understand the result and how they can best address it."
        },
        "Note_ProvideMetadataForAllViolatedRules": {
         "text": "'{0}' does not provide a 'rules' property. 'rules' contain information that helps users understand why each rule fires and what the user can do to fix it."
        },
        "Note_ProvideRuleMetadata": {
         "text": "'{0}' does not provide metadata for rule '{1}'. Rule metadata contains information that helps the user understand why each rule fires and what the user can do to fix it."
        }
       },
       "defaultConfiguration": {
        "level": "note"
       },
       "helpUri": "http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html"
      }
     ]
    }
   },
   "invocations": [
    {
     "startTimeUtc": "2025-03-26T15:28:50.409Z",
     "endTimeUtc": "2025-03-26T15:28:51.388Z",
     "executionSuccessful": true
    }
   ],
   "columnKind": "utf16CodeUnits"
  }
 ]
}

I also noted a couple of minor text issues in the schema descriptions (copied from the spec); fixes for those are included in this PR as well.
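As an added example (not part of this PR and not go-sarif project code), a small Go checker in the spirit of the validator's JSON1005 finding above: it walks a SARIF log, reports every property name containing the upper-case substring "URI" with its jsonPath, and can rewrite those names to the schema's "Uri" spelling. The embedded sample log is constructed for this example; the tool name and URLs in it are placeholders. Property bags ("properties") are skipped deliberately, because their keys are user-defined rather than schema-defined.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// sampleLog is a constructed SARIF log (not go-sarif output) carrying the
// pre-fix spelling of two schema properties plus a free-form property bag.
const sampleLog = `{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {
      "name": "tfsec",
      "informationURI": "https://example.com/tfsec",
      "rules": [{"id": "R1", "helpURI": "https://example.com/rules/R1"}]
    }},
    "results": [],
    "properties": {"sourceURI": "user-defined, must not be touched"}
  }]
}`

// walk visits every object key, reporting (and optionally renaming) keys that
// contain the upper-case substring "URI". The SARIF 2.1.0 and 2.2 schemas spell
// that suffix "Uri" (informationUri, helpUri), and most schema objects set
// additionalProperties:false, so a mis-cased key is rejected (JSON1005) rather
// than ignored. Property bags ("properties") are user-defined and left alone.
func walk(v interface{}, path string, rename bool, hits *[]string) interface{} {
	switch node := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(node))
		for k, child := range node {
			p := k
			if path != "" {
				p = path + "." + k
			}
			if k == "properties" {
				out[k] = child
				continue
			}
			if strings.Contains(k, "URI") {
				*hits = append(*hits, p)
				if rename {
					k = strings.ReplaceAll(k, "URI", "Uri")
				}
			}
			out[k] = walk(child, p, rename, hits)
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(node))
		for i, child := range node {
			out[i] = walk(child, fmt.Sprintf("%s[%d]", path, i), rename, hits)
		}
		return out
	default:
		return node
	}
}

// CheckSarif returns the sorted jsonPaths (validator style, e.g.
// runs[0].tool.driver.informationURI) of mis-cased URI property names.
func CheckSarif(data []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("decoding SARIF: %w", err)
	}
	var hits []string
	walk(doc, "", false, &hits)
	sort.Strings(hits)
	return hits, nil
}

// FixSarif rewrites a log written before the fix so that its property names
// match the schema, leaving values and property bags unchanged.
func FixSarif(data []byte) ([]byte, error) {
	var doc interface{}
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("decoding SARIF: %w", err)
	}
	var ignored []string
	return json.MarshalIndent(walk(doc, "", true, &ignored), "", "  ")
}

func main() {
	hits, _ := CheckSarif([]byte(sampleLog))
	for _, h := range hits {
		fmt.Printf("JSON1005: schema does not define '%s'; expected '%s'\n",
			h, strings.ReplaceAll(h, "URI", "Uri"))
	}
	fixed, _ := FixSarif([]byte(sampleLog))
	after, _ := CheckSarif(fixed)
	fmt.Printf("mis-cased keys after rewrite: %d\n", len(after))
}
```

The substring rewrite is only safe because every schema-defined name containing those letters uses the "Uri" spelling; values, including the actual URI strings, are never touched. It is a quick sanity check for logs produced by an older library version, not a replacement for validating against the schema itself, which is what surfaced the problem here.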

@owenrumney (Owner) commented:

Thanks @cppvik - that's a schoolboy error on my part, I'll fix the generator to prevent that going forward.

@owenrumney (Owner) left a review comment:

LGTM

@owenrumney owenrumney merged commit 292b913 into owenrumney:main Mar 26, 2025
2 checks passed
@cppvik (Contributor, Author) commented Mar 26, 2025

My pleasure, thank you for the project!
