Fixed SARIF format to allow display in Code Scanning

aegilops · aegilops · commit 040e3343866a · 2025-10-02T16:26:27.000+01:00
diff --git a/src/malwareMatcher.ts b/src/malwareMatcher.ts
@@ -172,7 +172,7 @@ export interface SarifResult {
   properties?: Record<string, unknown>;
   locations: SarifResultLocation[];
 }
-export interface SarifRun { tool: { driver: { name: string; informationUri?: string; rules: SarifRule[] } }; results: SarifResult[]; }
+export interface SarifRun { tool: { driver: { name: string; version: string; informationUri?: string; rules: SarifRule[] } }; results: SarifResult[]; }
 export interface SarifLog { version: string; $schema: string; runs: SarifRun[]; }
 
 export function buildSarifPerRepo(matches: MalwareMatch[], advisories: MalwareAdvisoryNode[]): Map<string, SarifLog> {
@@ -212,18 +212,30 @@ export function buildSarifPerRepo(matches: MalwareMatch[], advisories: MalwareAd
       ruleIndex: ruleIds.indexOf(m.advisoryGhsaId),
       level: "error",
       message: { text: `Malware advisory ${m.advisoryGhsaId} matched package ${m.purl}${m.vulnerableVersionRange ? ` in range ${m.vulnerableVersionRange}` : ""}` },
-      properties: {
-        purl: m.purl,
-        ecosystem: m.ecosystem,
-        version: m.version,
-        vulnerableVersionRange: m.vulnerableVersionRange,
-      },
-      locations: [{ physicalLocation: { artifactLocation: { uri: m.purl } } }]
+      // properties: {
+      //   purl: m.purl,
+      //   ecosystem: m.ecosystem,
+      //   version: m.version,
+      //   vulnerableVersionRange: m.vulnerableVersionRange,
+      // },
+      locations: [{ physicalLocation: { artifactLocation: { uri: `file:///${m.purl}` } } }]
     }));
     const sarif: SarifLog = {
       version: "2.1.0",
       $schema: "https://json.schemastore.org/sarif-2.1.0.json",
-      runs: [{ tool: { driver: { name: our_tool_name, informationUri: our_tool_url, rules } }, results }]
+      runs: [
+        {
+          tool: {
+            driver: {
+              name: our_tool_name,
+              version: "0.1.0",
+              informationUri: our_tool_url,
+              rules: rules
+            }
+          },
+          results: results
+        }
+      ]
     };
     sarifMap.set(repo, sarif);
   }
