Documentation
Overview
Package sarif provides conversion functions that transform Gemara evaluation results into SARIF (Static Analysis Results Interchange Format).
SARIF is a standard format for static analysis tool output, enabling integration with code scanning platforms like GitHub Code Scanning, Azure DevOps, and other security analysis tools.
This package converts EvaluationLog entries into SARIF v2.1.0 format, where each AssessmentLog becomes a SARIF result. The conversion supports optional catalog enrichment to include control and requirement details in the SARIF output.
Index
- func FromEvaluationLog(evaluationLog gemara.EvaluationLog, artifactURI string, ...) ([]byte, error)
- type ArtifactLocation
- type Location
- type LogicalLocation
- type Message
- type PhysicalLocation
- type Region
- type ReportingDescriptor
- type ResultEntry
- type Run
- type SarifReport
- type Snippet
- type Tool
- type ToolComponent
Constants
This section is empty.
Variables
This section is empty.
Functions
func FromEvaluationLog
func FromEvaluationLog(evaluationLog gemara.EvaluationLog, artifactURI string, catalog *gemara.Catalog) ([]byte, error)
FromEvaluationLog converts the evaluation results into a SARIF document (v2.1.0). Each AssessmentLog is emitted as a SARIF result. The rule id is derived from the control id and requirement id.
Parameters:
- evaluationLog: The evaluation log to convert
- artifactURI: File path or URI for PhysicalLocation.artifactLocation.uri. If empty, PhysicalLocation will be nil (no resource URI available). For GitHub Code Scanning, typically use a file path like "README.md".
- catalog: Optional catalog data to enrich SARIF output with requirement text and recommendations. If nil, only basic information is included.
PhysicalLocation identifies the artifact (file or repository) where the result was found. LogicalLocation identifies the logical component (the assessment step) that produced the result. Region is left nil because the evaluation results carry no file-specific line or column data.
Types
type ArtifactLocation
type Location
type Location struct {
	PhysicalLocation *PhysicalLocation `json:"physicalLocation,omitempty"`
	LogicalLocations []LogicalLocation `json:"logicalLocations,omitempty"`
}
type LogicalLocation
type LogicalLocation struct {
	FullyQualifiedName string `json:"fullyQualifiedName,omitempty"`
}
type PhysicalLocation
type PhysicalLocation struct {
	ArtifactLocation ArtifactLocation `json:"artifactLocation"`
	Region           *Region          `json:"region,omitempty"`
}
type ReportingDescriptor
type ResultEntry
type Run
type Run struct {
	Tool    Tool          `json:"tool"`
	Results []ResultEntry `json:"results,omitempty"`
}
type SarifReport
type SarifReport struct {
	Schema  string `json:"$schema"`
	Version string `json:"version"`
	Runs    []Run  `json:"runs"`
}
SarifReport is the minimal SARIF v2.1.0 model the package needs for export without external dependencies.
type Tool
type Tool struct {
	Driver ToolComponent `json:"driver"`
}
type ToolComponent
type ToolComponent struct {
	Name                  string                `json:"name"`
	InformationURI        string                `json:"informationUri,omitempty"`
	Version               string                `json:"version,omitempty"`
	SemanticVersion       string                `json:"semanticVersion,omitempty"`
	DottedQuadFileVersion string                `json:"dottedQuadFileVersion,omitempty"`
	Rules                 []ReportingDescriptor `json:"rules,omitempty"`
}
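The following example is added here and is not part of the sarif package or of Gemara. It serves two passages: the FromEvaluationLog documentation (one result per AssessmentLog, rule id derived from control and requirement ids, nil PhysicalLocation when artifactURI is empty, logical location naming the assessment step, nil Region) and the Types section, whose struct definitions it mirrors. BuildReport reconstructs that documented behaviour on a constructed input, and ValidateForCodeScanning is the consumer-side check a practitioner would run on the returned bytes before uploading them to a code scanning platform. Assumptions, all labelled in the code: the Assessment type stands in for gemara.AssessmentLog (its fields are not shown on this page), the rule id join format ("/"), the $schema URL, and the fields of ArtifactLocation, Message, ReportingDescriptor and ResultEntry, which the page lists without bodies.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SARIF model mirroring the struct types on the package page. ArtifactLocation,
// Message, ReportingDescriptor and ResultEntry have no field listing there, so
// their fields are assumed from SARIF v2.1.0 property names; Region is omitted
// because the package documents leaving it nil.
type (
	ArtifactLocation    struct{ URI string `json:"uri"` }
	Message             struct{ Text string `json:"text"` }
	ReportingDescriptor struct{ ID string `json:"id"` }
	PhysicalLocation    struct{ ArtifactLocation ArtifactLocation `json:"artifactLocation"` }
	LogicalLocation     struct{ FullyQualifiedName string `json:"fullyQualifiedName,omitempty"` }
	Location            struct {
		PhysicalLocation *PhysicalLocation `json:"physicalLocation,omitempty"`
		LogicalLocations []LogicalLocation `json:"logicalLocations,omitempty"`
	}
	ResultEntry   struct { RuleID string `json:"ruleId"`; Message Message `json:"message"`; Locations []Location `json:"locations,omitempty"` }
	ToolComponent struct { Name string `json:"name"`; Rules []ReportingDescriptor `json:"rules,omitempty"` }
	Tool          struct{ Driver ToolComponent `json:"driver"` }
	Run           struct { Tool Tool `json:"tool"`; Results []ResultEntry `json:"results,omitempty"` }
	SarifReport   struct {
		Schema  string `json:"$schema"`
		Version string `json:"version"`
		Runs    []Run  `json:"runs"`
	}
)

// Assessment is a constructed stand-in for one gemara AssessmentLog; the real type's fields are not on the page.
type Assessment struct{ ControlID, RequirementID, Step, Message string }

// BuildReport applies the documented conversion rules: one result per assessment,
// a rule id derived from control and requirement ids (joined with "/" here; the
// package's exact format is not documented), a logical location naming the step,
// and no physical location when artifactURI is empty. The $schema URL is the
// public schemastore location, also an assumption.
func BuildReport(assessments []Assessment, artifactURI string) SarifReport {
	driver := ToolComponent{Name: "gemara"}
	declared := map[string]bool{}
	var results []ResultEntry
	for _, a := range assessments {
		ruleID := a.ControlID + "/" + a.RequirementID
		if !declared[ruleID] { // each rule is declared once under tool.driver.rules
			declared[ruleID] = true
			driver.Rules = append(driver.Rules, ReportingDescriptor{ID: ruleID})
		}
		loc := Location{LogicalLocations: []LogicalLocation{{FullyQualifiedName: a.Step}}}
		if artifactURI != "" {
			loc.PhysicalLocation = &PhysicalLocation{ArtifactLocation: ArtifactLocation{URI: artifactURI}}
		}
		results = append(results, ResultEntry{RuleID: ruleID, Message: Message{Text: a.Message}, Locations: []Location{loc}})
	}
	return SarifReport{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0",
		Runs: []Run{{Tool: Tool{Driver: driver}, Results: results}}}
}

// ValidateForCodeScanning re-parses the bytes a converter returns and lists the
// defects that commonly make an upload unusable: a version other than 2.1.0, a
// ruleId not declared under tool.driver.rules, and a result with no
// physicalLocation, which code scanning cannot attach to a file.
func ValidateForCodeScanning(data []byte) ([]string, error) {
	var report SarifReport
	if err := json.Unmarshal(data, &report); err != nil {
		return nil, err
	}
	var problems []string
	if report.Version != "2.1.0" {
		problems = append(problems, "version must be 2.1.0, got "+report.Version)
	}
	for _, run := range report.Runs {
		declared := map[string]bool{}
		for _, r := range run.Tool.Driver.Rules {
			declared[r.ID] = true
		}
		for i, res := range run.Results {
			if !declared[res.RuleID] {
				problems = append(problems, fmt.Sprintf("result %d: undeclared ruleId %q", i, res.RuleID))
			}
			located := false
			for _, l := range res.Locations {
				located = located || (l.PhysicalLocation != nil && l.PhysicalLocation.ArtifactLocation.URI != "")
			}
			if !located {
				problems = append(problems, fmt.Sprintf("result %d: no physicalLocation, pass a non-empty artifactURI", i))
			}
		}
	}
	return problems, nil
}

func main() {
	sample := []Assessment{{"CTRL-1", "REQ-1", "check-signed-commits", "unsigned commits found"}} // constructed input
	for _, uri := range []string{"README.md", ""} {
		data, _ := json.Marshal(BuildReport(sample, uri))
		problems, _ := ValidateForCodeScanning(data)
		fmt.Printf("artifactURI=%q: %v\n", uri, problems)
	}
}
```

The first pass (artifactURI "README.md") validates cleanly; the second (empty artifactURI) flags every result as lacking a physicalLocation, which is the condition the parameter documentation describes. The same validator can be pointed at the bytes FromEvaluationLog actually returns, since it only depends on the JSON shape.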