sarif-1.0.0.json

OBSOLETE (use "step" instead): An identifier for the location, unique within the scope of the code flow within which it occurs.

The 0-based sequence number of the location in the code flow within which it occurs.

A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact.

The fully qualified name of the method or function that is executing.

A key used to retrieve the annotation's logicalLocation from the logicalLocations dictionary.

The name of the module that contains the code that is executing.

The thread identifier of the code that is executing.

A message relevant to this annotation.

Categorizes the location.

Classifies state transitions in code locations relevant to a taint analysis.

The fully qualified name of the target on which this location operates. For an annotation of kind 'call', for example, the target refers to the fully qualified logical name of the function called from this location.

An ordered set of strings that comprise input or return values for the current operation. For an annotation of kind 'call', for example, this property may hold the ordered list of arguments passed to the callee.

A dictionary, each of whose keys specifies a variable or expression, the associated value of which represents the variable or expression value. For an annotation of kind 'continuation', for example, this dictionary might hold the current assumed values of a set of global variables.

A key used to retrieve the target's logicalLocation from the logicalLocations dictionary.

OBSOLETE (use "importance" instead): True if this location is essential to understanding the code flow in which it occurs.

Specifies the importance of this location in understanding the code flow in which it occurs. The order from most to least important is "essential", "important", "unimportant". Default: "important".

The source code at the specified location.

A set of messages relevant to the current annotated code location.

Key/value pairs that provide additional information about the code location.

A message relevant to a code location

An array of 'physicalLocation' objects associated with the annotation.

An array of 'annotatedCodeLocation' objects, each of which describes a single location visited by the tool in the course of producing the result.

A message relevant to the code flow

Key/value pairs that provide additional information about the code flow.

A string that identifies the kind of exception, for example, the fully qualified type name of an object that was thrown, or the symbolic name of a signal.

A string that describes the exception.

A call stack that is relevant to a result.

An array of exception objects each of which is considered a cause of this exception.

A string that represents the location of the file to change as a valid URI.

An array of replacement objects, each of which represents the replacement of a single range of bytes in a single file specified by 'uri'.

A string that identifies the conceptual base for the 'uri' property (if it is relative), e.g.,'$(SolutionDir)' or '%SRCROOT%'.

The path to the file within its containing file.

A string that identifies the conceptual base for the 'uri' property (if it is relative), e.g.,'$(SolutionDir)' or '%SRCROOT%'.

Identifies the key of the immediate parent of the file, if this file is nested.

The offset in bytes of the file within its containing file.

The length of the file in bytes.

The MIME type (RFC 2045) of the file.

The contents of the file, expressed as a MIME Base64-encoded byte sequence.

An array of hash objects, each of which specifies a hashed value for the file, along with the name of the algorithm used to compute the hash.

Key/value pairs that provide additional information about the file.

A string that describes the proposed fix, enabling viewers to present a proposed change to an end user.

One or more file changes that comprise a fix for a result.

A string that identifies the message format used to format the message that describes this result. The value of formatId must correspond to one of the names in the set of name/value pairs contained in the 'messageFormats' property of the rule object whose 'id' property matches the 'ruleId' property of this result.

An array of strings that will be used, in combination with a message format, to construct a result message.

The hash value of some file or collection of files, computed by the algorithm named in the 'algorithm' property.

The name of the algorithm used to compute the hash value specified in the 'value' property.

The command line used to invoke the tool.

The contents of any response files specified on the tool's command line.

The date and time at which the run started. See "Date/time properties" in the SARIF spec for the required format.

The date and time at which the run ended. See "Date/time properties" in the SARIF spec for the required format.

The machine that hosted the analysis tool run.

The account that ran the analysis tool.

The process id for the analysis tool run.

The fully qualified path to the analysis tool.

The working directory for the analysis rool run.

The environment variables associated with the analysis tool process, expressed as key/value pairs.

Key/value pairs that provide additional information about the run.

A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact.

A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact.

The human-readable fully qualified name of the logical location where the analysis tool produced the result. If 'logicalLocationKey' is not specified, this member is can used to retrieve the location logicalLocation from the logicalLocations dictionary, if one exists.

A key used to retrieve the location logicalLocation from the logicalLocations dictionary, when the string specified by 'fullyQualifiedLogicalName' is not unique.

The machine-readable fully qualified name for the logical location where the analysis tool produced the result, such as the mangled function name provided by a C++ compiler that encodes calling convention, return type and other details along with the function name.

Key/value pairs that provide additional information about the location.

Identifies the construct in which the result occurred. For example, this property might contain the name of a class or a method.

Identifies the key of the immediate parent of the construct in which the result was detected. For example, this property might point to a logical location that represents the namespace that holds a type.

The type of construct this logicalLocationComponent refers to. Should be one of 'function', 'member', 'module', 'namespace', 'package', 'resource', or 'type', if any of those accurately describe the construct.

A string that describes the condition that was encountered.

An identifier for the condition that was encountered.

The stable, unique identifier of the rule (if any) to which this notification is relevant. If 'ruleKey' is not specified, this member can be used to retrieve rule metadata from the rules dictionary, if it exists.

A key used to retrieve the rule metadata from the rules dictionary that is relevant to the notification.

A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact.

A value specifying the severity level of the notification.

The thread identifier of the code that generated the notification.

The date and time at which the analysis tool generated the notification.

Key/value pairs that provide additional information about the notification.

The location of the file as a valid URI.

A string that identifies the conceptual base for the 'uri' property (if it is relative), e.g.,'$(SolutionDir)' or '%SRCROOT%'.

A region within a file where a result was detected.

The line number of the first character in the region.

The column number of the first character in the region.

The line number of the last character in the region.

The column number of the last character in the region.

The zero-based offset from the beginning of the file of the first byte or character in the region.

The length of the region in bytes or characters.

A non-negative integer specifying the offset in bytes from the beginning of the file at which bytes are to be removed, inserted or both. An offset of 0 shall denote the first byte in the file.

The number of bytes to delete, starting at the byte offset specified by offset, measured from the beginning of the file.

The MIME Base64-encoded byte sequence to be inserted at the byte offset specified by the 'offset' property, measured from the beginning of the file.

The stable, unique identifier of the rule (if any) to which this notification is relevant. If 'ruleKey' is not specified, this member can be used to retrieve rule metadata from the rules dictionary, if it exists.

A key used to retrieve the rule metadata from the rules dictionary that is relevant to the notification.

A value specifying the severity level of the result. If this property is not present, its implied value is 'warning'.

A string that describes the result. The first sentence of the message only will be displayed when visible space is limited.

Contains information that can be used to construct a formatted message that describes a result.

One or more locations where the result occurred. Specify only one location unless the problem indicated by the result can only be corrected by making a change at every specified location.

A source code or other file fragment that illustrates the result.

A unique identifier for the result.

A string that contributes to the unique identity of the result.

An array of 'stack' objects relevant to the result.

An array of 'codeFlow' objects relevant to the result.

A grouped set of locations and messages, if available, that represent code areas that are related to this result.

The state of a result relative to a baseline of a previous run.

An array of 'fix' objects, each of which represents a proposed fix to the problem indicated by the result.

Key/value pairs that provide additional information about the result.

A stable, opaque identifier for the rule.

A rule identifier that is understandable to an end user.

A concise description of the rule. Should be a single sentence that is understandable when visible space is limited to a single line of text.

A string that describes the rule. Should, as far as possible, provide details sufficient to enable resolution of any problem indicated by the result.

A set of name/value pairs with arbitrary names. The value within each name/value pair shall consist of plain text interspersed with placeholders, which can be used to format a message in combination with an arbitrary number of additional string arguments.

A value specifying the default severity level of the result.

A URI where the primary documentation for the rule can be found.

Key/value pairs that provide additional information about the rule.

The analysis tool that was run.

The runtime environment of the analysis tool run.

A dictionary, each of whose keys is a URI and each of whose values is an array of file objects representing the location of a single file scanned during the run.

A dictionary, each of whose keys specifies a logical location such as a namespace, type or function.

The set of results contained in an SARIF log. The results array can be omitted when a run is solely exporting rules metadata. It must be present (but may be empty) in the event that a log file represents an actual scan.

A list of runtime conditions detected by the tool in the course of the analysis.

A list of conditions detected by the tool that are relevant to the tool's configuration.

A dictionary, each of whose keys is a string and each of whose values is a 'rule' object, that describe all rules associated with an analysis tool or a specific run of an analysis tool.

An identifier for the run.

A stable identifier for a run, for example, 'nightly Clang analyzer run'. Multiple runs of the same type can have the same stableId.

A global identifier that allows the run to be correlated with other artifacts produced by a larger automation process.

The 'id' property of a separate (potentially external) SARIF 'run' instance that comprises the baseline that was used to compute result 'baselineState' properties for the run.

The hardware architecture for which the run was targeted.

An array of stack frames that represent a sequence of calls, rendered in reverse chronological order, that comprise the call stack.

A message relevant to this call stack.

Key/value pairs that provide additional information about the stack.

The fully qualified name of the method or function that is executing.

A message relevant to this stack frame.

The uri of the source code file to which this stack frame refers.

A string that identifies the conceptual base for the 'uri' property (if it is relative), e.g.,'$(SolutionDir)' or '%SRCROOT%'.

The line of the location to which this stack frame refers.

The line of the location to which this stack frame refers.

The name of the module that contains the code of this stack frame.

The thread identifier of the stack frame.

A key used to retrieve the stack frame logicalLocation from the logicalLocations dictionary, when the 'fullyQualifiedLogicalName' is not unique.

The address of the method or function that is executing.

The offset from the method or function that is executing.

The parameters of the call that is executing.

Key/value pairs that provide additional information about the stack frame.

The name of the tool.

The name of the tool along with its version and any other useful identifying information, such as its locale.

The tool version, in whatever format the tool natively provides.

The tool version in the format specified by Semantic Versioning 2.0.

The binary version of the tool's primary executable file (for operating systems such as Windows that provide that information).

A version that uniquely identifies the SARIF logging component that generated this file, if it is versioned separately from the tool.

The tool language (expressed as an ISO 649 two-letter lowercase culture code) and region (expressed as an ISO 3166 two-letter uppercase subculture code associated with a country or region).

Key/value pairs that provide additional information about the tool.