SARIF – Standardizing SAST, SCA, & Container Scanning Results

SARIF (Static Analysis Results Interchange Format) is a standardized format for the output of static analysis tools. It facilitates the integration of static analysis results into various workflows, ensuring consistent and structured reporting across different tools and platforms.

  1. Introduction
  2. Where is SARIF Used?
  3. SARIF Examples

1. Introduction

SARIF is a JSON-based format designed to represent the output of static analysis tools. It includes information about the tool, the rules it uses, and the results of its analysis. SARIF helps in aggregating results from different tools, making it easier to track, analyze, and manage code quality and security issues.


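To show how those three parts (tool, rules, results) fit together from the producer's side, here is an added example that is not from this page or from any real scanner: a hypothetical checker's native findings are converted into a SARIF 2.1.0 log in which each distinct rule is written once into the tool's rule catalog and every result refers back to it by ruleId and ruleIndex. The finding list, the tool name "ExampleChecker", the use of the OASIS-published schema URL in "$schema" and the "%SRCROOT%" base id are assumptions of the example.

```python
import json

# Constructed findings as a hypothetical in-house checker might emit them
# (not output from any real tool). Two findings share a rule on purpose.
NATIVE_FINDINGS = [
    {"rule": "SAST001", "name": "SQL Injection",
     "desc": "Potential SQL injection vulnerability.", "level": "error",
     "file": "src/main/java/com/example/App.java", "line": 42, "col": 13,
     "msg": "Potential SQL injection vulnerability in 'userInput'."},
    {"rule": "SAST002", "name": "Hard-coded credential",
     "desc": "A credential is embedded in source.", "level": "warning",
     "file": "src/main/java/com/example/Db.java", "line": 7, "col": 1,
     "msg": "Password literal passed to getConnection()."},
    {"rule": "SAST001", "name": "SQL Injection",
     "desc": "Potential SQL injection vulnerability.", "level": "error",
     "file": "src/main/java/com/example/Report.java", "line": 88, "col": 20,
     "msg": "Potential SQL injection vulnerability in 'orderBy'."},
]

# JSON schema published by OASIS for SARIF 2.1.0; consumers can validate
# the log against it (URL assumed here, not taken from the page).
SARIF_SCHEMA = ("https://raw.githubusercontent.com/oasis-tcs/sarif-spec/"
                "master/Schemata/sarif-schema-2.1.0.json")


def build_sarif(tool_name, findings, tool_version="0.1.0"):
    """Turn native findings into a SARIF 2.1.0 log.

    The rule catalog lives once under tool.driver.rules; every result points
    back to it with ruleId and ruleIndex (its position in that array). An
    explicit result-level 'level' states the severity instead of relying on
    the spec's default of 'warning'.
    """
    rules, index_by_id, results = [], {}, []
    for f in findings:
        if f["rule"] not in index_by_id:          # first sighting: add to catalog
            index_by_id[f["rule"]] = len(rules)
            rules.append({
                "id": f["rule"],
                "shortDescription": {"text": f["name"]},
                "fullDescription": {"text": f["desc"]},
                "defaultConfiguration": {"level": f["level"]},
            })
        results.append({
            "ruleId": f["rule"],
            "ruleIndex": index_by_id[f["rule"]],
            "level": f["level"],
            "message": {"text": f["msg"]},
            "locations": [{"physicalLocation": {
                # uriBaseId lets a consumer resolve the relative path against
                # the checked-out source root rather than the scanner's cwd
                # ("%SRCROOT%" is a convention some consumers understand).
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"], "startColumn": f["col"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": rules}},
            "results": results,
        }],
    }


def to_json(log):
    """Serialize with stable key order so diffs between two scans stay readable."""
    return json.dumps(log, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_sarif("ExampleChecker", NATIVE_FINDINGS)))
```

Keeping the rule catalog separate from the results is what lets a consumer show a description for every finding without the tool repeating it per result, and the explicit level is what a CI gate will key on.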
2. Where is SARIF Used?

SARIF is widely used in:

  • Static Application Security Testing (SAST): Detects security vulnerabilities within the source code.
  • Software Composition Analysis (SCA): Identifies vulnerabilities in third-party libraries and dependencies.
  • Container Scanning: Detects vulnerabilities in container images.
  • Continuous Integration/Continuous Deployment (CI/CD) Pipelines: Integrates security and quality checks into automated workflows.

3. SARIF Examples

3.1 SAST Example in SARIF

{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "SASTTool",
          "rules": [
            {
              "id": "SAST001",
              "shortDescription": { "text": "SQL Injection" },
              "fullDescription": { "text": "Potential SQL injection vulnerability." }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "SAST001",
          "message": { "text": "Potential SQL injection vulnerability in 'userInput'." },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "src/main/java/com/example/App.java" },
                "region": { "startLine": 42, "startColumn": 13 }
              }
            }
          ]
        }
      ]
    }
  ]
}

3.2 SCA Example in SARIF

{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "SCATool",
          "rules": [
            {
              "id": "SCA001",
              "shortDescription": { "text": "Vulnerability in dependency" },
              "fullDescription": { "text": "Identifies vulnerabilities in dependencies." }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "SCA001",
          "message": { "text": "Vulnerability found in 'library1' version 1.2.3" },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "package.json" },
                "region": { "startLine": 10, "startColumn": 5 }
              }
            }
          ],
          "properties": {
            "dependencyName": "library1",
            "dependencyVersion": "1.2.3",
            "severity": "High",
            "vulnerabilityDetails": { "cve": "CVE-2023-12345", "description": "Example vulnerability description for CVE-2023-12345." }
          }
        }
      ]
    }
  ]
}

3.3 Container Scanning Example in SARIF

{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "ContainerScanTool",
          "rules": [
            {
              "id": "CNT001",
              "shortDescription": { "text": "Vulnerability in container image" },
              "fullDescription": { "text": "Identifies vulnerabilities in container images." }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "CNT001",
          "message": { "text": "Vulnerability found in base image 'nginx:latest'" },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "Dockerfile" },
                "region": { "startLine": 1, "startColumn": 1 }
              }
            }
          ],
          "properties": {
            "imageName": "nginx",
            "imageTag": "latest",
            "severity": "Critical",
            "vulnerabilityDetails": { "cve": "CVE-2023-56789", "description": "Example vulnerability description for CVE-2023-56789." }
          }
        }
      ]
    }
  ]
}


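The consumer side of the three examples above, as an added example that is not part of this page: the script merges logs shaped like the SAST, SCA and container outputs into one triage list, resolves each result's rule from its run's rule catalog, derives a severity (falling back, as the SARIF specification does, to "warning" when a result carries no level), and applies a simple CI gate. The abbreviated copies of the three logs are constructed inline, and the ranking that places vendor words such as "High" and "Critical" from the tools' property bags on the same scale as SARIF's own levels is an assumption, since SARIF does not standardize what a property bag contains.

```python
import sys

# Constructed, abbreviated copies of the three SARIF logs shown above. The CVE
# ids are the page's own illustrative placeholders, not real advisories.
SAST_LOG = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "SASTTool", "rules": [
        {"id": "SAST001", "shortDescription": {"text": "SQL Injection"}}]}},
    "results": [{"ruleId": "SAST001",
        "message": {"text": "Potential SQL injection vulnerability in 'userInput'."},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/main/java/com/example/App.java"},
            "region": {"startLine": 42, "startColumn": 13}}}]}]}]}
SCA_LOG = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "SCATool", "rules": [
        {"id": "SCA001", "shortDescription": {"text": "Vulnerability in dependency"}}]}},
    "results": [{"ruleId": "SCA001",
        "message": {"text": "Vulnerability found in 'library1' version 1.2.3"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "package.json"},
            "region": {"startLine": 10, "startColumn": 5}}}],
        "properties": {"severity": "High",
                       "vulnerabilityDetails": {"cve": "CVE-2023-12345"}}}]}]}
CONTAINER_LOG = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "ContainerScanTool", "rules": [
        {"id": "CNT001", "shortDescription": {"text": "Vulnerability in container image"}}]}},
    "results": [{"ruleId": "CNT001",
        "message": {"text": "Vulnerability found in base image 'nginx:latest'"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "Dockerfile"},
            "region": {"startLine": 1, "startColumn": 1}}}],
        "properties": {"severity": "Critical",
                       "vulnerabilityDetails": {"cve": "CVE-2023-56789"}}}]}]}

# One scale for SARIF's own levels (none/note/warning/error) and the vendor
# severity words found in the property bags above; the vendor part is an
# assumption, since SARIF does not standardize property-bag contents.
RANK = {"none": 0, "note": 1, "low": 1, "warning": 2, "medium": 2,
        "error": 3, "high": 3, "critical": 4}


def rule_for(run, result):
    """Resolve the rule a result refers to: ruleIndex first, then ruleId."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex")
    if idx is not None and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), {})


def severity_of(result, rule):
    """Precedence: result.level, then the rule's defaultConfiguration.level,
    then the tool-specific properties.severity, else the spec default."""
    for candidate in (result.get("level"),
                      rule.get("defaultConfiguration", {}).get("level"),
                      result.get("properties", {}).get("severity")):
        if candidate:
            return str(candidate).lower()
    return "warning"  # SARIF 2.1.0 default when no level is given anywhere


def first_location(result):
    """'uri:startLine' of the first physical location, or the uri alone."""
    phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri", "<no location>")
    line = phys.get("region", {}).get("startLine")
    return f"{uri}:{line}" if line is not None else uri


def flatten(logs):
    """Merge the runs of several SARIF logs into one list of uniform rows."""
    rows = []
    for log in logs:
        if log.get("version") != "2.1.0":
            raise ValueError(f"unsupported SARIF version {log.get('version')!r}")
        for run in log.get("runs", []):
            tool = run["tool"]["driver"]["name"]
            for res in run.get("results", []):
                rule = rule_for(run, res)
                rows.append({
                    "tool": tool, "ruleId": res.get("ruleId"),
                    "title": rule.get("shortDescription", {}).get("text", ""),
                    "severity": severity_of(res, rule),
                    "where": first_location(res),
                    "cve": res.get("properties", {}).get("vulnerabilityDetails", {}).get("cve"),
                })
    return rows


def gate(rows, threshold="high"):
    """Rows at or above the threshold; a non-empty list should fail the build."""
    floor = RANK[threshold]
    return [r for r in rows if RANK.get(r["severity"], RANK["warning"]) >= floor]


if __name__ == "__main__":
    rows = flatten([SAST_LOG, SCA_LOG, CONTAINER_LOG])
    for r in rows:
        print(f"{r['severity']:<9}{r['tool']:<18}{r['ruleId']:<9}"
              f"{r['where']:<40}{r['cve'] or '-'}")
    blocking = gate(rows)
    print(f"{len(blocking)} finding(s) at or above 'high'")
    sys.exit(1 if blocking else 0)
```

Run stand-alone, the script lists the three findings and exits non-zero because the SCA and container results are at or above "high". The SAST finding lands at "warning" only because the example sets no level at the result or rule; a scanner that wants its SQL injection findings to block a pipeline should emit "level" or "defaultConfiguration.level" rather than rely on the default, and a consumer should not assume every tool's property bag uses the same severity vocabulary.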
Conclusion

SARIF standardizes the reporting of static analysis results, providing a consistent format that can be easily integrated into various security and quality assurance workflows. This standardization facilitates better tracking, management, and remediation of security and quality issues across different tools and environments.

For more details on SARIF, you can refer to the official SARIF documentation.