From 8d50cca37d2473c75ab6da4ee5ab53f96e935e84 Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Fri, 30 Aug 2024 16:05:05 -0400 Subject: [PATCH] SARIF support moved from GSA to separate features in PRs 659 686 and 698 --- .gitignore | 3 + schema/metaschema/sarif-module.xml | 513 +++++++++++++++++++++++++++++ 2 files changed, 516 insertions(+) create mode 100644 schema/metaschema/sarif-module.xml diff --git a/.gitignore b/.gitignore index dd2c593d..95712acd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,8 @@ # IDE configuration files *.xpr +.vscode +.DS_Store +.history/ # Files generated by Hugo and related tools /website/resources diff --git a/schema/metaschema/sarif-module.xml b/schema/metaschema/sarif-module.xml new file mode 100644 index 00000000..0bccfbe2 --- /dev/null +++ b/schema/metaschema/sarif-module.xml 
@@ -0,0 +1,513 @@ + + + + SARIF Metaschema Module + 0.1.0 + sarif + + https://json.schemastore.org/sarif/2.1.0 + + https://json.schemastore.org/sarif-2.1.0.json + + SARIF Model Version + The version of the SARIF Model used for conforming instances. + + + + + + + + + Property Bag + Key/value pairs that provide additional information about the object. + + + Tag + A set of distinct strings that provide additional information. + + + + + + + Tool Component Unique Identifier + A stable, unique identifier for the tool component. + + + + Tool Component Name + The name of the tool component. + + + Tool Component Organization + The organization or company that produced the tool component. + + + Tool Component Product + A product suite to which the tool component belongs. + + + Tool Component Version + The tool component version, in whatever format the component natively provides. + + + Tool Component Semantic Version + The tool component version in the format specified by Semantic Versioning 2.0. + + + Tool Component Information URI + The absolute URI at which information about this version of the tool component can be found. + + + Rule + An array of reportingDescriptor objects relevant to the analysis performed by the tool component. + rule + + + + + + Reporting Descriptor + Metadata that describes a specific report produced by the tool, as part of the analysis it provides or its runtime reporting. + + Reporting Descriptor Identifier + A stable, opaque identifier for the report. + + + Reporting Descriptor Unique Identifier + A stable, unique identifier for the reporting descriptor. + + + + Reporting Descriptor Name + A report identifier that is understandable to an end user. + + + Short Description + A concise description of the report. Should be a single sentence that is understandable when visible space is limited to a single line of text. + shortDescription + + + Full Description + A description of the report. 
Should, as far as possible, provide details sufficient to enable resolution of any problem indicated by the result. + fullDescription + + + Help URI + A URI where the primary documentation for the report can be found. + + + + + Multi-format Message String + A message string or message format string rendered in multiple formats. + + + Text + A plain text message string or format string. + + + Markdown + A Markdown message string or format string. + + + + + Tool + The analysis tool used. + + + driver + + + + + + Artifacts + Artifacts analyzed by the tool to yield results. + + + Artifact Location + The location of the artifact. + location + + + + + Results + Results from the run of a tool. + + Rule Identifier + The stable, unique identifier of the rule, if any, to which this result is relevant. + + + Rule Identifier + The stable, unique identifier of the rule, if any, to which this result is relevant. + + + Result Unique Identifier + A stable, unique identifier for the result. + + + + A reference used to locate the rule descriptor relevant to this result. + rule + + + Result Kind + A value that categorizes results by evaluation state. + + + + + + + + + + + + + Severity Level + A value specifying the severity level of the result. + + + + + + + + + + + Result Message + A message that describes the result. The first sentence of the message only will be displayed when visible space is limited. + + + Scanned Artifact + Identifies the artifact that the analysis tool was instructed to scan. This need not be the same as the artifact where the result actually occurred. + analysisTarget + + + Result Location + The set of locations where the result was detected. Specify only one location unless the problem indicated by the result can only be corrected by making a change at every specified location. + location + + + + Occurrence Count + A positive integer specifying the number of times this logically unique result was observed in this run. 
+ + + Result Related Location + A set of locations relevant to this result. + relatedLocation + + + + Result Provenance + Information about how and when the result was detected. + provenance + + + + + The value '{ . }' is not greater than or equal to '-1'. + + + + + + Reporting Descriptor Reference + Information about how to locate a relevant reporting descriptor. + + Reporting Descriptor Identifier + The id of the descriptor. + + + Reporting Descriptor Unique Identifier + A stable, unique identifier for the reporting descriptor. + + + + Index + The index into an array of descriptors in toolComponent.ruleDescriptors, toolComponent.notificationDescriptors, or toolComponent.taxonomyDescriptors, depending on context. + + + + + At least one id, guid, or index must be provided. + + + + + Message + Encapsulates a message intended to be read by the end user. + + Message Identifier + The id of the message. + + + + Text + A plain text message string. + + + Markdown + A Markdown message string. + + + Argument + A sequence of strings to substitute into the message string. + + + + + + At least one id or text must be provided. + + + + + Artifact Location + Specifies the location of an artifact. + + + URI + A valid relative or absolute URI. + + + Index + The index within the run artifacts array of the artifact object associated with the artifact location. + + + The index '{ . }' is not greater than or equal to '-1'. + + + + + Description + A short description of the artifact location. + description + + + + + Location + A location within a programming artifact. + + Location Identifier + A value that distinguishes this location from all other locations within a single result object. + + + + Physical Location + A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact. + + + Logical Location + The logical locations associated with the result. 
+ + + Location Message + A message relevant to the location. + + + + + The id '{ . }' is not greater than or equal to '-1'. + + + + + + Physical Location + A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact. + + + Address + A physical or virtual address, or a range of addresses, in an 'addressable region' (memory or a binary file). + + + + The location of the artifact. + + + Region + Specifies a portion of the artifact. + + + Context Region + Specifies a portion of the artifact that encloses the region. Allows a viewer to display additional context around the region. + contextRegion + + + + + At least one address or artifactLocation must be provided. + + + + + Logical Location + A logical location of a construct that produced a result. + + + Logical Location Name + Identifies the construct in which the result occurred. For example, this property might contain the name of a class or a method. + + + Index + The index within the logical locations array. + + + The index '{ . }' is not greater than or equal to '-1'. + + + + + Fully Qualified Name + The human-readable fully qualified name of the logical location. + + + Decorated Name + The machine-readable name for the logical location, such as a mangled function name provided by a C++ compiler that encodes calling convention, return type and other details along with the function name. + + + Parent Index + Identifies the index of the immediate parent of the construct in which the result was detected. For example, this property might point to a logical location that represents the namespace that holds a type. + + + The index '{ . }' is not greater than or equal to '-1'. + + + + + Kind + The type of construct this logical location component refers to. 
Should be one of 'function', 'member', 'module', 'namespace', 'parameter', 'resource', 'returnType', 'type', 'variable', 'object', 'array', 'property', 'value', 'element', 'text', 'attribute', 'comment', 'declaration', 'dtd' or 'processingInstruction', if any of those accurately describe the construct. + + + + + Region + A region within an artifact where a result was detected. + + + Start Line + The line number of the first character in the region. + + + + Start Column + The column number of the first character in the region. + + + + End Line + The line number of the last character in the region. + + + + End Column + The column number of the character following the end of the region. + + + + Character Offset + The zero-based offset from the beginning of the artifact of the first character in the region. + + + The offset '{ . }' is not greater than or equal to '-1'. + + + + + + Character Length + The length of the region in characters. + + + + Byte Offset + The zero-based offset from the beginning of the artifact of the first byte in the region + + + The offset '{ . }' is not greater than or equal to '-1'. + + + + + + Byte Length + The length of the region in bytes. + + + + Region Message + A message relevant to the region. + + + + + At least a startLine, charOffset, or byteOffset must be provided. + + + + + Result Provanance + Contains information about how and when a result was detected. + + + First Detection Time + The Coordinated Universal Time (UTC) date and time at which the result was first detected. See \"Date/time properties\" in the SARIF spec for the required format. + + + + Last Detection Time + The Coordinated Universal Time (UTC) date and time at which the result was most recently detected. See \"Date/time properties\" in the SARIF spec for the required format. + + + + Conversion Source + An sequence of physicalLocation objects which specify the portions of an analysis tool's output that a converter transformed into the result. 
+ conversionSource + + + + + + Run + Describes a single run of an analysis tool, and contains the reported output of that run. + + + Tool + Information about the tool or tool pipeline that generated the results in this run. A run can only contain results produced by a single tool or tool pipeline. A run can aggregate results from multiple log files, as long as context around the tool run (tool command-line arguments and the like) is identical for all aggregated files. + + + Artifact + A sequence of artifacts relevant to the run. + + + + Result + The set of results contained in an SARIF log. The results array can be omitted when a run is solely exporting rules metadata. It must be present (but may be empty) if a log file represents an actual scan. + + + + + + Static Analysis Results Interchange Format + A standard format for the output of static analysis tools. + sarif + + + + + + + +

Note, Metaschema does not support an anonymous top-level assembly without a key name in JSON and YAML, which is required for SARIF.

+
+
+
\ No newline at end of file
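Review bot: the three entries added in the .gitignore hunk ('.vscode', '.DS_Store', '.history/') are editor- and OS-specific files with no relation to the SARIF module this commit introduces; they belong in a per-user global excludes file (git config --global core.excludesFile) or, if the project wants them tracked, in their own commit so the SARIF change stays reviewable on its own. If they stay, write '.vscode/' with the trailing slash like '.history/' so only the directory is matched rather than any file of that name.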
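Review bot: in the sarif-module.xml hunk, the Results assembly defines 'Rule Identifier' twice with the identical description 'The stable, unique identifier of the rule, if any, to which this result is relevant.'; the second definition presumably stands for a different SARIF result property (the rule index or similar) and needs its own formal name and description, otherwise the generated schema and documentation carry two indistinguishable fields. In the same assembly the field described as 'A reference used to locate the rule descriptor relevant to this result.' (JSON key 'rule') has no formal name, and the Physical Location assembly's 'The location of the artifact.' field has none either, while every other field in the module gets one. The constraint message 'The value '{ . }' is not greater than or equal to '-1'.' that closes the Results assembly does not name its target; the only integer field in that assembly is Occurrence Count, documented as 'A positive integer', so if the constraint applies to it the bound should be >= 1 rather than the -1 sentinel used for the index and offset fields elsewhere in the module, and the message should say which field failed. The two date/time descriptions under Result Provenance write their quotation marks as \"Date/time properties\"; XML has no backslash escaping, so those backslashes will appear verbatim in the rendered documentation. Wording: 'Result Provanance' should be 'Result Provenance', 'An sequence of physicalLocation objects' should be 'A sequence', 'contained in an SARIF log' should be 'a SARIF log', and the Byte Offset description lacks its closing period. Finally, the root assembly is given the root name 'sarif', so JSON and YAML instances produced from this module wrap the log in a 'sarif' key; the trailing note acknowledges that Metaschema cannot express the anonymous top level SARIF requires, so the module description (or a remarks block) should state that instances are not interchangeable with standard SARIF 2.1.0 logs until that limitation is lifted, and the namespace and JSON base URI pointing at json.schemastore.org should be a project-controlled URI rather than the third-party schema location, since instances of this module do not validate against that schema.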