
Support Sarif reporting format

Open halkeye opened this issue 3 years ago • 7 comments

OASIS Static Analysis Results Interchange Format is a newish standardization format for analysis tools.

It would be great if typos can support outputting that format.

Looks like there are already libraries to generate the format so it shouldn't be a hard lift.

halkeye avatar Oct 15 '22 20:10 halkeye

I can make the attempt if desired, but I learned with the GitHub Actions formatter it might not be desirable so wanted to ask/talk about it first.

halkeye avatar Oct 15 '22 20:10 halkeye

Following the initial link, I only saw references to it being a draft and not finalized. Though other documents I later found refer to it as approved with no draft mention.

The docs for the Rust API seem to caution use of the lib itself.

Also, any idea on how adoption of this has been so far?

epage avatar Oct 15 '22 23:10 epage

> Also, any idea on how adoption of this has been so far?

I learned about it playing with CodeQL (ESLint template) on GitHub Actions. They recommend https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github

So it feels like Microsoft and GitHub are both pushing for it.

halkeye avatar Oct 16 '22 00:10 halkeye

At times, it felt like I was reading about a security feature and at times it felt more broad.

The alert tracking sounds nice, like it might offer some of the static analysis benefits of a tool I managed at a prior job that allowed adding new static analysis without being buried under the weight of the backlog.

Overall, I would be in favor of this depending on the level of maturity of library support for it. Depending on how this evolves, we'd need to be prepared for how we expose versioning. Would we just do serif, serif-2, serif-2.1 or something else?

epage avatar Oct 16 '22 02:10 epage

Since this is the typos project, I feel compelled to note: it’s SARIF, not SERIF. 😛

andersk avatar Jan 02 '23 20:01 andersk

When coming up with a name for the project, I was tempted to make the name include a typo but figured that'd be too aggravating, either for people typing the command name (and spelling it correctly) or when running the command.

epage avatar Jan 03 '23 02:01 epage

I was wondering if anyone is working on this issue? I would like to add this support, but I am not a professional Rust developer, so the code quality may be poor.

Zxilly avatar Jun 19 '24 18:06 Zxilly