d99037d2b8 | ||
---|---|---|
docs | ||
images | ||
samples | ||
.gitignore | ||
.markdownlint.yaml | ||
CODE_OF_CONDUCT.md | ||
LICENSE | ||
LICENSE-CODE | ||
README.md | ||
SECURITY.md |
README.md
SARIF Tutorials
Introduction
SARIF, the Static Analysis Results Interchange Format, defines a standard format for the output of static analysis tools. It is a powerful and sophisticated format suited to the needs of a wide variety of tools. For this reason — and because the format is defined in a 220-plus page specification written in formal language! — it can be hard to learn SARIF and to figure out what parts of it you need to use.
These tutorials aim to present SARIF in a more approachable way. We'll start with some background: Why do we need SARIF? Where did it come from? What can it do? Then we'll dive into the format, exploring the most basic concepts first, then moving on to more advanced concepts.
The advanced concepts usually apply to only a subset of SARIF producers and consumers, so you don't to read everything. Just read the introductory material, then pick and choose the additional topics that interest you.
Sample files
You can find the sample files displayed in the tutorials under the samples
directory.
They are all valid SARIF files unless I say otherwise.
Links to the specification
At times, the tutorials link to a section of the SARIF specification for more detailed information or descriptions of advanced scenarios. These links look like this: §3.13: sarifLog object and they point into the HTML version of the spec. There are also PDF and .docx versions in the SARIF 2.1.0 CS01 (Committee Specification 1) folder on the OASIS web site.
The specification is definitive (and if we want to get really technical, the .docx version of the specification is definitive, but let's assume there are no bugs in the PDF or HTML converters). If it seems like something in these tutorials disagrees with the spec, let me know and I'll either fix the tutorials or make sure that a bug is filed against the spec.
Disclaimer
The SARIF specification is a Committee Specification from OASIS. But despite the fact that I'm the co-Editor (with Michael Fanning) and primary wordsmith of the specification, these tutorials are not an OASIS work product or endorsed by OASIS in any way. They represent my personal interpretation and explanation of the standard.
Status
These tutorials now contain enough information to give you a solid background in SARIF. As you will see from the "TODO" entries in the table of contents, there's much more I'd like to write about. But these are advanced topics that I will address when I have time.
If you'd like an explanation of a SARIF feature that I haven't covered, please let me know by filing an issue in this repo
Table of contents
- Introduction
- The basics
- Beyond the basics
- Advanced topics
- Tool extensions (TODO)
- Translations (TODO)
- Handling large files (TODO)
- Result matching (TODO)
- The
sarif:
URI scheme (TODO)
- Appendices
- Authoring rule metadata and result messages
- Glossary
- Resources
- The history of SARIF (TODO)
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Legal Notices
Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file, and grant you a license to any code in the repository under the MIT License, see the LICENSE-CODE file.
Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.
Privacy information can be found at https://privacy.microsoft.com/en-us/
Microsoft and any contributors reserve all other rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.