Bug: SARIF report not according to specification (snippet, message) #818
Open
Labels
bug (Something isn't working)
Description
Describe the bug
The produced SARIF report has both the message and snippet fields in region as strings instead of objects.
https://json.schemastore.org/sarif-2.1.0.json
"region": {
"description": "A region within an artifact where a result was detected.",
"additionalProperties": false,
"type": "object",
"properties": {
"startLine": {
"description": "The line number of the first character in the region.",
"type": "integer",
"minimum": 1
},
"startColumn": {
"description": "The column number of the first character in the region.",
"type": "integer",
"minimum": 1
},
"endLine": {
"description": "The line number of the last character in the region.",
"type": "integer",
"minimum": 1
},
"endColumn": {
"description": "The column number of the character following the end of the region.",
"type": "integer",
"minimum": 1
},
"charOffset": {
"description": "The zero-based offset from the beginning of the artifact of the first character in the region.",
"type": "integer",
"default": -1,
"minimum": -1
},
"charLength": {
"description": "The length of the region in characters.",
"type": "integer",
"minimum": 0
},
"byteOffset": {
"description": "The zero-based offset from the beginning of the artifact of the first byte in the region.",
"type": "integer",
"default": -1,
"minimum": -1
},
"byteLength": {
"description": "The length of the region in bytes.",
"type": "integer",
"minimum": 0
},
"snippet": {
"$ref": "#/definitions/artifactContent",
"description": "The portion of the artifact contents within the specified region."
},
"message": {
"$ref": "#/definitions/message",
"description": "A message relevant to the region."
},
"sourceLanguage": {
"description": "Specifies the source language, if any, of the portion of the artifact specified by the region object.",
"type": "string"
},
"properties": {
"$ref": "#/definitions/propertyBag",
"description": "Key/value pairs that provide additional information about the region."
}
}
}
"artifactContent": {
"description": "Represents the contents of an artifact.",
"type": "object",
"additionalProperties": false,
"properties": {
"text": {
"description": "UTF-8-encoded content from a text artifact.",
"type": "string"
},
"binary": {
"description": "MIME Base64-encoded content from a binary artifact, or from a text artifact in its original encoding.",
"type": "string"
},
"rendered": {
"$ref": "#/definitions/multiformatMessageString",
"description": "An alternate rendered representation of the artifact (e.g., a decompiled representation of a binary region)."
},
"properties": {
"$ref": "#/definitions/propertyBag",
"description": "Key/value pairs that provide additional information about the artifact content."
}
}
}
"message": {
"description": "Encapsulates a message intended to be read by the end user.",
"type": "object",
"additionalProperties": false,
"properties": {
"text": {
"description": "A plain text message string.",
"type": "string"
},
"markdown": {
"description": "A Markdown message string.",
"type": "string"
},
"id": {
"description": "The identifier for this message.",
"type": "string"
},
"arguments": {
"description": "An array of strings to substitute into the message string.",
"type": "array",
"minItems": 0,
"uniqueItems": false,
"default": [],
"items": {
"type": "string"
}
},
"properties": {
"$ref": "#/definitions/propertyBag",
"description": "Key/value pairs that provide additional information about the message."
}
},
"anyOf": [
{
"required": ["text"]
},
{
"required": ["id"]
}
]
}
To reproduce
Snippet and message have most often occurred when checking licenses.
cargo-deny version
0.18.9
What OS were you running cargo-deny on?
Linux
Additional context
If you come to the same conclusion regarding the specification, I have a branch ready: main...npetzall:cargo-deny:sarif_snippet_message
It is a minimal implementation that can be expanded if needed.
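The schema excerpt quoted in the report pins down the fix: `region.snippet` has to be an `artifactContent` object and `region.message` a `message` object, and both carry plain text in a `text` property, so a bare string in either field is rejected by any consumer that validates against the schema. The script below is an added example for this issue, not cargo-deny's code and not the linked branch; it scans a SARIF log for string-typed `snippet`/`message` values, reports them as JSON Pointer paths (an assumption made for readability), and rewrites them into the `{"text": ...}` object form. The SARIF document it runs on is constructed to reproduce the shape the issue describes, and the rule id, file path and license text in it are hypothetical.

```python
"""Check a SARIF 2.1.0 log for region.snippet / region.message values that are
bare strings, and repair them into the object forms the schema requires.

Added example for this issue; it is not cargo-deny's code. The SARIF document
below is constructed to reproduce the shape described in the report, not a
real cargo-deny run. Paths returned by find_violations() use JSON Pointer
notation (RFC 6901), an assumption made for readability.
"""
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample: a single result whose region carries `snippet` and
# `message` as strings, which is what the issue reports for cargo-deny 0.18.9.
BROKEN_SARIF: Dict[str, Any] = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "cargo-deny"}},
            "results": [
                {
                    "ruleId": "license-not-allowed",  # hypothetical rule id
                    "level": "error",
                    "message": {"text": "license not allowed"},
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {"uri": "Cargo.lock"},
                                "region": {
                                    "startLine": 42,
                                    "startColumn": 1,
                                    # Both of these violate the schema:
                                    "snippet": 'name = "some-crate"',
                                    "message": "GPL-3.0 is not in the allow list",
                                },
                            }
                        }
                    ],
                }
            ],
        }
    ],
}

# Per the schema: `snippet` must be an artifactContent object and `message`
# a message object. Both express plain text through a `text` property.
OBJECT_FIELDS = ("snippet", "message")


def iter_regions(sarif: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (json_pointer, region) for every result's physicalLocation.region."""
    for ri, run in enumerate(sarif.get("runs", [])):
        for si, result in enumerate(run.get("results", [])):
            for li, loc in enumerate(result.get("locations", [])):
                region = loc.get("physicalLocation", {}).get("region")
                if isinstance(region, dict):
                    yield (
                        f"/runs/{ri}/results/{si}/locations/{li}/physicalLocation/region",
                        region,
                    )


def find_violations(sarif: Dict[str, Any]) -> List[str]:
    """Return a pointer for each snippet/message that is present but not an object."""
    bad: List[str] = []
    for path, region in iter_regions(sarif):
        for field in OBJECT_FIELDS:
            if field in region and not isinstance(region[field], dict):
                bad.append(f"{path}/{field}")
    return bad


def repair(sarif: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy in which string snippet/message values are wrapped as
    {"text": ...}. For `message` this also satisfies the schema's
    anyOf(required "text" | required "id") rule. Values that are neither
    string nor object are left alone so they still show up as violations."""
    fixed = json.loads(json.dumps(sarif))  # deep copy; the input is untouched
    for _, region in iter_regions(fixed):
        for field in OBJECT_FIELDS:
            value = region.get(field)
            if isinstance(value, str):
                region[field] = {"text": value}
    return fixed


if __name__ == "__main__":
    for pointer in find_violations(BROKEN_SARIF):
        print("not an object:", pointer)
    print(json.dumps(repair(BROKEN_SARIF), indent=2))
```

To use it on a real report, load the file produced by cargo-deny with `json.load` and pass the result to `find_violations` (to confirm the defect) or `repair` (to produce an upload-ready copy). The check is deliberately narrow: it covers only the two fields this issue is about, so a full conformance check should still run the output against the schema at the URL above with a JSON Schema validator.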