We have a field for UriBaseId , but we don't have any option to specify the list of originalUriBaseIds .

https://github.com/microsoft/sarif-tutorials/blob/main/samples/OriginalUriBaseIds.sarif#L15

Correct me if I'm wrong.

@owenrumney thanks for your project!

Now, I'm trying to migrate trivy sarif template from Go Template to Go code.

I'd like to have help.markdown field for the rule. this is recommended on Github: reportingDescriptor objects that represent rules.

What is the best way to add it?

thanks for your help!

👋 Hi! How one could save a new property to some existing property bag?

E.g. I have the following SARIF file:

...
"runs": [
    {
      ...
      "properties": {
        "somePropertyA": "some value",
        "tags": [
          "somePropertyA"
        ]
      }
    }
  ]
...

I want to save somePropertyB additionally to that Run object.
Tried creating new property bags and accessing the existing property field, but was unable to solve it.

Thanks!

I'd like to set up defaultConfiguration.
Now I'm doing next:

r := sw.run.AddRule(data.vulnerabilityId).
...
r.DefaultConfiguration = &sarif.ReportingConfiguration{
	Level: toSarifErrorLevel(data.severity),
}

is it ok?

The current version of sarif template for trivy contains field fullName. but i can't find information about it.
maybe it's already deprecated.

@owenrumney what do you think about it?

A lot has changed with this library and the documentation needs bringing up to date accordingly

isn't 1.0.13 technically a breaking change?

go get: github.com/owenrumney/[email protected] updating to
	github.com/owenrumney/[email protected]: parsing go.mod:
	module declares its path as: github.com/owenrum/go-sarif
	        but was required as: github.com/owenrumney/go-sarif

Can you add the 3.49.4 deprecatedIds property to rules? Currently I am putting it in properties field, but since it's an official field it should not be in a field under properties. Thanks!

Hi @owenrumney!
It seems that I already bore you, sorry!

githbub can't accept a report without vulnerabilities / misconfigurations, because:

"results": null

should trivy handle this case itself?
thanks a lot again!

I'm attempting to use this library to build out a code scan in github. Based on this definition

https://docs.github.com/en/code-security/secure-coding/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object

ReportingDescriptor in github == Rule here.

I believe that we should change Properties from a map[string]string to simply Properities

Which would match what Run has setup today.

Also would be nice to have a corresponding AttachPropertyBag method on this struct like we do here on Run.

Let me know your thoughts. I'm happy to PR that change in.

According to the spec:

In addition to those properties that are explicitly documented, every object defined in this document MAY contain a property named properties whose value is a property bag. This allows SARIF producers to include information about each object that is not explicitly specified in the SARIF format.

This sounds a bit hairy to implement - would every object have a PropertyBag object? How would the interface to that look? For my usecase, I'm looking to set properties on run, toolComponent and result but I thought it'd be worthwhile to discuss this in general.

Also, gratz on v1.0.0!

messageStrings added in #63 is missing the omitempty tag so it's always showing up in results, e.g.:

"rules": [
  {
    "id": "CVE-123-456",
    "shortDescription": {
      "text": "..."
    },
    "messageStrings": null
  }
]

Hi @owenrumney!

Tell me, please, Are there any plans to support ruleIndex field for the result items?
result-object: result-object

thanks!

Hello! this is Shaopeng from Microsoft Sarif team. Our team creates and maintains the Sarif format standard.
https://github.com/oasis-tcs/sarif-spec
https://github.com/microsoft/sarif-sdk
https://github.com/microsoft/sarif-js-sdk
https://github.com/microsoft/sarif-website

Glad to see ‎go-sarif supports Sarif format for Go Language!

Question, can we update to the latest Sarif schema, (no breaking changes)

I have created a PR just for find and replace:
#25

Thank you,

Hello!

https://sarifweb.azurewebsites.net/Validation says that sarif-2.1.0-rtm.5.json is not final version.

[SARIF1011](http://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html): $schema: The '$schema' property value 'https://json.schemastore.org/sarif-2.1.0-rtm.5.json' does not refer to the final version of the SARIF 2.1.0 schema. If you are using an earlier version of the SARIF format, consider upgrading your analysis tool to produce the final version. If this file does in fact conform to the final version of the schema, upgrade the tool to populate the '$schema' property with a URL that refers to the final version of the schema.

Looks like sarif-2.1.0-rtm.5.json > sarif-2.1.0.json and sarif-2.1.0.rtm-6.json doesn't exist.

Can you help me understand what I am missing?

Best Regards, Dmitriy!