<html><head><title></title></head><body><!-- rte-version 0.2 9947551637294008b77bce25eb683dac --><div class="rte-style-maintainer rte-pre-wrap" data-color="global-default" bbg-color="default" data-bb-font-size="medium"bbg-font-size="medium" style="white-space: pre-wrap; font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth";"style="white-space: pre-wrap; font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth"; color: rgb(0, 0, 0);">Ping.<div><br></div><div>Are there any other objections or comments on this RFC?</div><div><br></div><div>Original message rendered here: <a bbg-destination="rte:bind"data-destination="rte:bind" href="https://gist.github.com/envp/3a5fdd33115b91c391c22e5e8a5210f4">https://gist.github.com/envp/3a5fdd33115b91c391c22e5e8a5210f4</a><br><div class="rte-style-maintainer" data-color="global-default"bbg-color="default" data-bb-font-size="medium" bbg-font-size="medium" style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth";"style="font-size: small; font-family: "Courier New", Courier, "BB.FixedWidth"; color: rgb(0, 0, 0);"><br><div class="bbg-rte-fold-content" data-header="From: aaron@aaronballman.com At: 03/11/21 13:23:02" data-digest="From: aaron@aaronballman.com At: 03/11/21 13:23:02" style=""><div class="bbg-rte-fold-summary">From: aaron@aaronballman.com At: 03/11/21 13:23:02</div>To: <a spellcheck="false" bbg-destination="mailto:vyenamandra@bloomberg.net" href="mailto:vyenamandra@bloomberg.net"> Vaibhav Yenamandra (BLOOMBERG/ 919 3RD A ) </a><br>Cc: <a spellcheck="false"bbg-destination="mailto:druoso@bloomberg.net" href="mailto:druoso@bloomberg.net"> Daniel Ruoso (BLOOMBERG/ 919 3RD A ) </a>, <a spellcheck="false"bbg-destination="mailto:dbeer1@bloomberg.net" href="mailto:dbeer1@bloomberg.net"> Daniel Beer (BLOOMBERG/ 919 3RD A ) </a>, <a spellcheck="false"bbg-destination="mailto:cfe-dev@lists.llvm.org" href="mailto:cfe-dev@lists.llvm.org"> cfe-dev@lists.llvm.org</a><br>Subject: Re: 
[cfe-dev] [RFC] Emit SARIF Diagnostics via -fdiagnostics-format=sarif</div><br><blockquote>On Thu, Mar 11, 2021 at 1:00 PM Vaibhav Yenamandra (BLOOMBERG/ 919 3RD A) via cfe-dev &lt;<a spellcheck="false"bbg-destination="mailto:rte:bind" data-destination="mailto:rte:bind" href="mailto:cfe-dev@lists.llvm.org">cfe-dev@lists.llvm.org</a>&gt; wrote:<br>><br>> Hello Everyone,<br>><br>> Below is an RFC on extending clang's `-fdiagnostics-format` option to<br>> let clang emit machine-readable JSON diagnostics. Feedback is highly appreciated!<br>><br>> # Why<br>> Machine-consumable diagnostics are important for writing generic static<br>> analysis wrappers and harnesses that want to interact with code bases through<br>> clang. There are two options to consider for the diagnostic format to use in<br>> clang:<br>><br>> 1. Mimic `gcc-9 -fdiagnostics-format=json`, covered in the previous work section<br>> 2. Emit [SARIF][0] diagnostic information, a cross-language standardized format<br>> that is already supported in `clang/lib/StaticAnalyzer` (through `--analyzer-output=sarif`)<br>><br>> We propose (2) as it is a standardized format, which should make it easier for tools to<br>> implement support for it.<br><br>I'd support option #2 -- SARIF has a lot of nice tooling support<br>that's forming in the industry (such as<br><a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github">https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github</a>).<br>I'm not super excited about #1 given the existence of #2.<br><br>> ## Previous Work<br>><br>> ### `gcc-9 -fdiagnostics-format=json`<br>> GCC [recently][1] [implemented][2] serializing diagnostics to JSON. 
This option<br>> could be implemented as a `-fdiagnostics-format=json-gcc` in clang to signal<br>> users of its intended interoperability with the corresponding gcc option.<br>> The schema for this format may be inferred from [current gcc code][3].<br>><br>> While not a community standard, it can be expected to be reasonably stable as the<br>> [original patch][2] states the flag emits machine-readable diagnostics.<br>><br>> ## SARIF diagnostics in LLVM<br>><br>> [SARIF][0] (Static Analysis Results Interchange Format) is a standard format<br>> for the output of static analysis tools.<br>><br>> Clang StaticAnalyzer already implements a SARIF diagnostic consumer in<br>> [D53814][4]; this should allow us to implement (necessary, if any) extra fields<br>> to the diagnostics output.<br>><br>> ### Mapping clang diagnostics to SARIF<br>><br>> This section assumes the typical compiler diagnostic which looks like what is<br>> provided in the [expressive diagnostics page][5]<br>><br>> In SARIF, the attributes can be mapped to the [`results`][7] property as follows:<br>> 1. File name where the diagnostic occurs is relocated to the [`physicalLocation`][8]<br>> property<br>> 2. Line/Column of the caret marking the error can be stored in the [`region`][9]<br>> property; this can also encode the source range to which an error corresponds<br>> 3. The error message can be transferred to the [`message`][10]<br>> 4. Each of the locations can store the rendered caret & snippet from clang using the<br>> [`snippet`][12] property for that region<br>> 5. Nested diagnostics (typically `note` level items) can be represented using the<br>> [`locationRelationShip`][14] object<br>> 6. 
Fixit hints can be communicated through the [`fixes`][13] property<br><br>This looks sensible to me.<br><br>~Aaron<br><br>> ## Interface Changes<br>><br>> We propose the following interface changes:<br>><br>> - Input: Extend the `-fdiagnostics-format` flag to recognize: `-fdiagnostics-format=sarif`<br>> - Output: Clang will emit SARIF formatted diagnostics when `-fdiagnostics-format=sarif` is provided.<br>><br>> ## Diagnostic Examples<br>><br>> Various examples for what are available on this github gist (which also renders this message in markdown): <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://gist.github.com/envp/3a5fdd33115b91c391c22e5e8a5210f4#diagnostic-examples">https://gist.github.com/envp/3a5fdd33115b91c391c22e5e8a5210f4#diagnostic-examples</a><br>><br>><br>> [0]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html">https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html</a><br>> [1]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://developers.redhat.com/blog/2019/03/08/usability-improvements-in-gcc-9">https://developers.redhat.com/blog/2019/03/08/usability-improvements-in-gcc-9</a><br>> [2]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=478dd60ddcf17773ebd1af367c9dcaee2401f797">https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=478dd60ddcf17773ebd1af367c9dcaee2401f797</a><br>> [3]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://github.com/gcc-mirror/gcc/blob/master/gcc/diagnostic-format-json.cc">https://github.com/gcc-mirror/gcc/blob/master/gcc/diagnostic-format-json.cc</a><br>> [4]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" 
href="https://reviews.llvm.org/D53814">https://reviews.llvm.org/D53814</a><br>> [5]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://clang.llvm.org/diagnostics.html">https://clang.llvm.org/diagnostics.html</a><br>> [6]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://github.com/microsoft/sarif-tutorials/blob/main/docs/2-Basics.md#results">https://github.com/microsoft/sarif-tutorials/blob/main/docs/2-Basics.md#results</a><br>> [7]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012463">https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012463</a><br>> [8]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012634">https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012634</a><br>> [9]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012641">https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012641</a><br>> [10]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012655">https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012655</a><br>> [11]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012632">https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012632</a><br>> [12]: <a bbg-destination="rte:bind"spellcheck="false" 
data-destination="rte:bind" href="https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127889">https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127889</a><br>> [13]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10128072">https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10128072</a><br>> [14]: <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127919">https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127919</a><br>><br>> _______________________________________________<br>> cfe-dev mailing list<br>> <a spellcheck="false"bbg-destination="mailto:rte:bind" data-destination="mailto:rte:bind" href="mailto:cfe-dev@lists.llvm.org">cfe-dev@lists.llvm.org</a><br>> <a bbg-destination="rte:bind"spellcheck="false" data-destination="rte:bind" href="https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev">https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br></blockquote><br></div></div></div></body></html>
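The RFC's "Mapping clang diagnostics to SARIF" list (items 1 to 5), as an added example that is not part of the original thread and is not clang's own code: it parses clang's textual diagnostics into a SARIF 2.1.0 log. The sample input is constructed, POSIX-style paths are assumed, and the helper names and the choice of `relatedLocations` for `note` diagnostics are assumptions of this example.

```python
import json
import re

# Header line of a clang text diagnostic: file:line:col: level: message
HEADER = re.compile(r"^(?P<file>[^:\n]+):(?P<line>\d+):(?P<col>\d+): "
                    r"(?P<level>error|warning|note): (?P<msg>.*)$")

# Constructed sample input, in the layout clang prints to stderr.
SAMPLE = """\
demo.c:5:10: error: use of undeclared identifier 'cnt'; did you mean 'count'?
  return cnt;
         ^~~
         count
demo.c:2:5: note: 'count' declared here
int count = 0;
    ^
"""

def _location(m, snippet):
    """Items 1, 2, 4: file -> physicalLocation, caret -> region, source line -> snippet."""
    region = {"startLine": int(m["line"]), "startColumn": int(m["col"])}
    if snippet is not None:
        region["snippet"] = {"text": snippet}
    return {"physicalLocation": {"artifactLocation": {"uri": m["file"]},
                                 "region": region}}

def to_sarif(text):
    """Hypothetical helper: build a SARIF 2.1.0 log dict from clang text output."""
    results = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue  # snippet, caret or fix-it line; read by look-ahead below
        nxt = lines[i + 1] if i + 1 < len(lines) else None
        snippet = nxt if nxt is not None and not HEADER.match(nxt) else None
        loc = _location(m, snippet)
        if m["level"] == "note" and results:
            # Item 5 (assumption): attach the note to the preceding result.
            loc["message"] = {"text": m["msg"]}
            results[-1].setdefault("relatedLocations", []).append(loc)
        else:
            results.append({"level": m["level"],
                            "message": {"text": m["msg"]},  # item 3
                            "locations": [loc]})
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "clang"}}, "results": results}]}

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE), indent=2))
```

Snippet text is copied from the analyzed source, so consumers should treat it as untrusted data; `json.dumps` escapes it for the log, but a viewer rendering it as HTML must escape it again.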