
feat: Add deny-sarif converter for cargo-deny output

Open Copilot opened this issue 10 months ago • 2 comments

This PR implements a new converter for cargo-deny that converts its JSON output to SARIF format, addressing the feature request for cargo-deny support.

Changes

  • New deny-sarif binary crate following the established patterns of existing converters
  • SARIF converter module in serde-sarif that parses cargo-deny JSONL output
  • Comprehensive test suite including integration tests with sarif-fmt
  • Full documentation with usage examples and GitHub Actions integration

Implementation Details

The converter supports all major cargo-deny diagnostic types:

  • Bans: Explicitly banned dependencies
  • Advisories: Security vulnerabilities (with RustSec URLs)
  • Licenses: License compatibility issues
  • Sources: Dependency source problems

Key features:

  • Parses JSONL format from cargo deny --format json check
  • Maps severity levels appropriately (error, warning, note)
  • Generates proper SARIF location information pointing to Cargo.toml
  • Includes help URLs for advisories and general cargo-deny documentation
  • Enhances messages with package name and version information

Usage

# Basic usage
cargo deny --format json check | deny-sarif

# With file output
cargo deny --format json check | deny-sarif > results.sarif

# Pretty print with sarif-fmt
cargo deny --format json check | deny-sarif | sarif-fmt

Example Output

warning: Package in deny list (package: tokio 1.0.0)
  ┌─ Cargo.toml:1:1
  │
1 │ [workspace]
  │ ^^^^^^^^^^^
  │
  = Package in deny list

error: Potential security vulnerability (package: vulnerable-package 0.1.0)
  ┌─ Cargo.toml:1:1
  │
1 │ [workspace]
  │ ^^^^^^^^^^^
  │
  = Memory safety vulnerability

The implementation follows the same architecture as existing converters like hadolint-sarif and clippy-sarif, ensuring consistency with the project's design patterns.

Fixes #643.



Copilot, Jun 16 '25 00:06
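The JSONL-to-SARIF mapping the PR describes, as an added example that is not code from this PR or from the sarif-rs project. It is written in Python rather than Rust so it runs without any crates, and the cargo-deny record layout it parses (`type`, `fields.severity`, `fields.code`, `fields.labels[].span`, `fields.advisory.id`) is an assumption for the example; the placeholder advisory id is constructed.

```python
import json
from typing import Optional

# Constructed sample of cargo-deny JSONL output; the field layout is an
# assumption made for this example, not a copy of cargo-deny's real schema.
SAMPLE_JSONL = """\
{"type":"diagnostic","fields":{"severity":"warning","code":"banned","message":"Package in deny list","labels":[{"span":"tokio 1.0.0"}]}}
{"type":"diagnostic","fields":{"severity":"error","code":"vulnerability","message":"Memory safety vulnerability","labels":[{"span":"vulnerable-package 0.1.0"}],"advisory":{"id":"RUSTSEC-0000-0000"}}}
{"type":"summary","fields":{"advisories":{"errors":1,"warnings":0}}}
"""

DENY_DOCS = "https://embarkstudios.github.io/cargo-deny/"
LEVELS = {"error": "error", "warning": "warning", "note": "note"}  # cargo-deny severity -> SARIF level


def sarif_level(severity: str) -> str:
    # Anything unrecognised is reported as a warning rather than dropped.
    return LEVELS.get(severity, "warning")


def help_uri(advisory_id: Optional[str]) -> str:
    # RustSec advisory URL pattern; other checks fall back to the cargo-deny docs.
    return f"https://rustsec.org/advisories/{advisory_id}.html" if advisory_id else DENY_DOCS


def convert(jsonl: str) -> dict:
    rules, results = {}, []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("type") != "diagnostic":  # skip the trailing summary record
            continue
        f = record["fields"]
        advisory_id = (f.get("advisory") or {}).get("id")
        rule_id = advisory_id or f["code"]
        rules.setdefault(rule_id, {"id": rule_id, "helpUri": help_uri(advisory_id)})
        # Enhance the message with the package name and version from the label.
        package = f["labels"][0]["span"] if f.get("labels") else None
        text = f"{f['message']} (package: {package})" if package else f["message"]
        results.append({
            "ruleId": rule_id, "level": sarif_level(f["severity"]),
            "message": {"text": text},
            # cargo-deny findings are dependency-level, so point at the manifest.
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.toml"},
                                                "region": {"startLine": 1, "startColumn": 1}}}],
        })
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "deny-sarif",
            "rules": list(rules.values())}}, "results": results}]}
```

Pipe the output through sarif-fmt, as the Usage section shows, and the two sample records render like the warning and error in the Example Output above.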

@copilot fix the CI failure, looks like a lint error

psastras, Jun 16 '25 23:06

@copilot fix the CI failure, looks like a lint error

Fixed the lint error - it was a clippy warning about useless use of format! in the deny converter. Also updated the CI configuration to include deny-sarif in the build matrix. Changes committed in 693d1ef.

Copilot, Jun 16 '25 23:06