Lib.rs

Development tools | Command line utilities
#static-analysis #clippy #sarif #command-line-tool

app clippy-sarif

Convert clippy output to SARIF

by Paul Sastrasinh and 13 contributors

40 releases

0.6.6 Sep 2, 2024
0.6.0 Jul 30, 2024
0.4.2 Sep 7, 2023
0.4.1 Jul 30, 2023
0.2.15 Jul 6, 2021

#16 in Development tools

Download history 5953/week @ 2024-07-18 7441/week @ 2024-07-25 9183/week @ 2024-08-01 11187/week @ 2024-08-08 6706/week @ 2024-08-15 7580/week @ 2024-08-22 13415/week @ 2024-08-29 13894/week @ 2024-09-05 12010/week @ 2024-09-12 12365/week @ 2024-09-19 16299/week @ 2024-09-26 12764/week @ 2024-10-03 10860/week @ 2024-10-10 13992/week @ 2024-10-17 9710/week @ 2024-10-24 15970/week @ 2024-10-31

52,733 downloads per month

MIT license

57KB
1K SLoC

Workflow Status

clippy-sarif

This crate provides a command line tool to convert cargo clippy diagnostic output into SARIF.

The latest documentation can be found here.

clippy is a popular linter / static analysis tool for rust. More information can be found on the official repository: https://github.com/rust-lang/rust-clippy

SARIF or the Static Analysis Results Interchange Format is an industry standard format for the output of static analysis tools. More information can be found on the official website: https://sarifweb.azurewebsites.net/.

Installation

clippy-sarif may be installed via cargo

cargo install clippy-sarif

via cargo-binstall

cargo binstall clippy-sarif

or downloaded directly from Github Releases

# make sure to adjust the target and version (you may also want to pin to a specific version)
curl -sSL https://github.com/psastras/sarif-rs/releases/download/clippy-sarif-v0.6.6/clippy-sarif-x86_64-unknown-linux-gnu -o clippy-sarif

Fedora Linux

sudo dnf install <cli_name> # ex. cargo binstall clippy-sarif

Nix

Through the nix cli,

nix --accept-flake-config profile install github:psastras/sarif-rs#clippy-sarif

Usage

For most cases, simply run cargo clippy with json output and pipe the results into clippy-sarif.

Example

cargo clippy --message-format=json | clippy-sarif

If you are using Github Actions, SARIF is useful for integrating with Github Advanced Security (GHAS), which can show code alerts in the "Security" tab of your repository.

After uploading clippy-sarif output to Github, clippy diagnostics are available in GHAS.

Example

on:
  workflow_run:
    workflows: ["main"]
    branches: [main]
    types: [completed]

name: sarif

jobs:
  upload-sarif:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable
          components: clippy,rustfmt
          override: true
      - uses: Swatinem/rust-cache@v1
      - run: cargo install clippy-sarif sarif-fmt
      - run: cargo clippy --all-targets --all-features --message-format=json |
          clippy-sarif | tee results.sarif | sarif-fmt
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif

In some cases, the path to the file contained in the SARIF report may be different than what is expected. This can happen for example if running clippy-sarif from a different folder than the crate folder. In this case consider using a tool like jq to amend to path:

Example

cat results.sarif \
    | jq --arg pwd "some_folder/my_crate" '.runs[].results[].locations[].physicalLocation.artifactLocation.uri |= $pwd + "/" + .' \
    > results.sarif.tmp

Note that this maybe be fixed in a future release.

License: MIT

Dependencies

~4–6.5MB
~114K SLoC