User:FiftysMan/SARIF

The Static Analysis Results Interchange Format (SARIF) is an open standard file format for the output of static analysis tools. It is an OASIS Committee Specification produced by the OASIS SARIF Technical Committee.

Goals
The stated goals of the SARIF format are:
 * "Comprehensively capture the range of data produced by commonly used static analysis tools.
 * Be a useful format for analysis tools to emit directly, and also an effective interchange format into which the output of any analysis tool can be converted.
 * Be suitable for use in a variety of scenarios related to analysis result management and be extensible for use in new scenarios.
 * Reduce the cost and complexity of aggregating the results of various analysis tools into common workflows.
 * Capture information that is useful for assessing a project’s compliance with corporate policy or certification standards.
 * Adopt a widely used serialization format that can be parsed by readily available tools.
 * Represent analysis results for all kinds of artifacts, including source code and object code."

Object model and serialization format
The SARIF specification defines an object model and a JSON serialization of that object model. The JSON serialization is defined in the JSON schema sarif-schema-2.1.0.json.

The root object is the sarifLog object which represents an entire log file. The sarifLog contains a collection of run objects, each of which describes a single invocation of a single analysis tool. The run in turn contains a collection of result objects, each of which describes a condition observed by the tool in the code being analyzed. This condition might be an issue that detracts from code quality, but it can also be a neutral observation such as "This executable file was compiled with version 5 of the C compiler."

The SARIF object model also includes (among other objects)
 * tool: describes the analysis tool that was run.
 * invocation: describes how the analysis tool was invoked (for instance, its command line parameters).
 * location: describes where in the code a result was detected.
 * codeFlow: describes a simulated execution path through the code that leads to the detection of a result.
 * message: provides user-facing text describing a result or certain other elements of the object model.

Security considerations
Certain features of the SARIF format raise security considerations for the consumers of SARIF files, for example:
 * A location can contain an absolute file: URI, which reveals details of the file system layout on the machine that executed the analysis tool.
 * An invocation can contain information such as the working directory, user account, and environment variables on the machine that executed the analysis tool, which reveals details about the machine and its users.
 * A message can contain text in Markdown format (specifically, GitHub Flavored Markdown), and since Markdown can include arbitrary HTML, it raises the same security considerations as HTML itself.
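The three considerations above can be checked mechanically on a sarifLog before it is rendered or shared. The following added example (not part of the SARIF specification or any tool's code) walks a constructed SARIF 2.1.0 log through the run, invocation, result, location and message objects described earlier, reports absolute file: URIs, machine-revealing invocation fields and raw HTML inside Markdown messages, and produces a copy with those details removed; the redaction of URIs to a %SRCROOT% uriBaseId assumes the source root is known to the consumer.

```python
import json
import re
from urllib.parse import urlparse

# Constructed SARIF 2.1.0 log (sample data, not the output of a real tool); the property
# names follow the SARIF schema: runs, tool, invocations, results, locations, message.
SAMPLE_LOG = json.loads("""{"version": "2.1.0", "runs": [{
  "tool": {"driver": {"name": "ExampleAnalyzer"}},
  "invocations": [{"executionSuccessful": true, "account": "alice",
    "workingDirectory": {"uri": "file:///home/alice/src/app/"},
    "environmentVariables": {"CI_TOKEN": "constructed-secret"}}],
  "results": [
    {"ruleId": "EX0001",
     "message": {"text": "Unvalidated input reaches a shell command.", "markdown": "Unvalidated input reaches a **shell** command. <a href=https://example.invalid>More</a>"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "file:///home/alice/src/app/main.c"}}}]},
    {"ruleId": "EX0002", "message": {"text": "Compiled with optimization level 2."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build.c", "uriBaseId": "%SRCROOT%"}}}]}
  ]}]}""")

SENSITIVE_INVOCATION_KEYS = ("workingDirectory", "account", "environmentVariables")

def audit_sarif(log):
    """List fields a SARIF consumer should review before rendering or sharing the log."""
    findings = []
    for run in log.get("runs", []):
        for inv in run.get("invocations", []):
            findings += [("invocation", k) for k in SENSITIVE_INVOCATION_KEYS if k in inv]
        for res in run.get("results", []):
            rule = res.get("ruleId", "?")
            for loc in res.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                if urlparse(uri).scheme == "file":  # absolute file: URI reveals the analysis machine's layout
                    findings.append(("absolute-uri", f"{rule}: {uri}"))
            if re.search(r"<[A-Za-z][^>]*>", res.get("message", {}).get("markdown", "")):
                findings.append(("html-in-markdown", rule))  # GFM passes raw HTML through to the renderer
    return findings

def sanitize_sarif(log, src_root):
    """Copy of the log with relative URIs, no invocation details and text-only messages."""
    out = json.loads(json.dumps(log))
    for run in out.get("runs", []):
        for inv in run.get("invocations", []):
            for k in SENSITIVE_INVOCATION_KEYS:
                inv.pop(k, None)
        for res in run.get("results", []):
            res.get("message", {}).pop("markdown", None)  # fall back to the plain-text message
            for loc in res.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                if art.get("uri", "").startswith(src_root):
                    art["uri"] = art["uri"][len(src_root):]
                    art["uriBaseId"] = "%SRCROOT%"
    return out
```

Running audit_sarif on the sanitized copy returns no findings, which is the check a consumer can apply before publishing a log from a CI pipeline.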