{"meta":{"title":"Prise en charge de SARIF pour l’analyse du code","intro":"Vérifiez que vos fichiers SARIF des outils tiers sont conformes aux normes GitHub.","product":"Sécurité et qualité du code","breadcrumbs":[{"href":"/fr/code-security","title":"Sécurité et qualité du code"},{"href":"/fr/code-security/reference","title":"Reference"},{"href":"/fr/code-security/reference/code-scanning","title":"Analyse du code"},{"href":"/fr/code-security/reference/code-scanning/sarif-files","title":"Fichiers SARIF"},{"href":"/fr/code-security/reference/code-scanning/sarif-files/sarif-support-for-code-scanning","title":"Prise en charge de SARIF"}],"documentType":"article"},"body":"# Prise en charge de SARIF pour l’analyse du code\n\nVérifiez que vos fichiers SARIF des outils tiers sont conformes aux normes GitHub.\n\n\nGitHub can parse SARIF files produced by third-party tools to display code scanning alerts in repositories. For more information, see [About SARIF files for code scanning](/en/code-security/concepts/code-scanning/sarif-files).\n\nThis article highlights key properties of SARIF files to help you upload SARIF files that meet GitHub's requirements and can be converted into useful alerts.\n\nIf you're using GitHub Actions with the CodeQL analysis workflow or using the CodeQL CLI, then the code scanning results will automatically use the supported subset of SARIF 2.1.0.\n\n## Data for preventing duplicated alerts\n\nEach time the results of a new code scan are uploaded, the results are processed and alerts are added to the repository. To prevent duplicate alerts for the same problem, code scanning uses fingerprints to match results across various runs so they only appear once in the latest run for the selected branch. This makes it possible to match alerts to the correct line of code when files are edited. The `ruleId` for a result has to be the same across analysis.\n\n### Consistent filepaths\n\nThe filepath has to be consistent across the runs to enable a computation of a stable fingerprint. If the filepaths differ for the same result, each time there is a new analysis a new alert will be created, and the old one will be closed. This will cause having multiple alerts for the same result.\n\n### Fingerprint generation\n\nGitHub uses the `partialFingerprints` property in the OASIS standard to detect when two results are logically identical. For more information, see the [partialFingerprints property](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012611) entry in the OASIS documentation.\n\nSARIF files created by the CodeQL analysis workflow, or using the CodeQL CLI include fingerprint data. If you upload a SARIF file using the `upload-sarif` action and this data is missing, GitHub attempts to populate the `partialFingerprints` field from the source files. For more information about uploading results, see [Uploading a SARIF file to GitHub](/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github).\n\nIf you upload a SARIF file without fingerprint data using the `/code-scanning/sarifs` API endpoint, the code scanning alerts will be processed and displayed, but users may see duplicate alerts. To avoid seeing duplicate alerts, you should calculate fingerprint data and populate the `partialFingerprints` property before you upload the SARIF file. You may find the script that the `upload-sarif` action uses a helpful starting point: . For more information about the API, see [REST API endpoints for code scanning](/en/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data).\n\n## Rules and results\n\nSARIF files support both rules and results. The information stored in these elements is similar but serves different purposes.\n\n* Rules are an array of `reportingDescriptor` objects that are included in the `toolComponent` object. This is where you store details of the rules that are run during analysis. Information in these objects should change infrequently, typically when you update the tool.\n* Results are stored as a series of `result` objects under `results` in the `run` object. Each `result` object contains details for one alert in the codebase. Within the `results` object, you can reference the rule that detected the alert.\n\nWhen you compare SARIF files generated by analyzing different codebases with the same tool and rules, you should see differences in the results of the analyses but not in the rules.\n\n## Source file locations\n\nSpecifying source file locations and lines of code ensures code scanning alerts are displayed accurately within the file containing the identified problem, allowing for targeted issue resolution.\n\nThis precision enhances the efficiency of code review and resolution processes, streamlining development workflows by enabling developers to address issues directly in the context of their codebase.\n\nCode scanning will also display alerts in pull request check results when all the lines of code identified by the alert exist in the pull request diff.\n\nFor display in a pull request check, an alert must meet all the following conditions:\n\n* All the lines of code identified by the alert exist in the pull request diff, including the first line of the alert.\n* The alert must exist in the lines of code added or edited in the pull request, not lines that were deleted.\n\nThe `physicalLocation` object in a submitted SARIF file identifies the lines of code for an alert. For more information, see [`physicalLocation` object](#physicallocation-object).\n\n### Root location for source files\n\nCode scanning interprets results that are reported with relative paths as relative to the root of the repository analyzed. If a result contains an absolute URI, the URI is converted to a relative URI. The relative URI can then be matched against a file committed to the repository.\n\nYou can provide the source root for conversion from absolute to relative URIs in one of the following ways.\n\n* [`checkout_path`](https://github.com/github/codeql-action/blob/c2c0a2908e95769d01b907f9930050ecb5cf050d/analyze/action.yml#L44-L47) input to the `github/codeql-action/analyze` action\n* `checkout_uri` parameter to the SARIF upload API endpoint. For more information, see [REST API endpoints for code scanning](/en/rest/code-scanning/code-scanning#upload-an-analysis-as-sarif-data).\n* [`invocations[0].workingDirectory.uri`](https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc9244365) property in the `run` object in the SARIF file\n\nIf you provide a source root, any location of an artifact specified using an absolute URI must use the same URI scheme. If there is a mismatch between the URI scheme for the source root and one or more of the absolute URIs, the upload is rejected.\n\nFor example, a SARIF file is uploaded using a source root of `file:///github/workspace`.\n\n```shell\n# Conversion of absolute URIs to relative URIs for location artifacts\n\nfile:///github/workspace/src/main.go -> src/main.go\nfile:///tmp/go-build/tmp.go -> file:///tmp/go-build/tmp.go\n```\n\nThe file is successfully uploaded as both absolute URIs use the same URI scheme as the source root.\n\n### Symlink resolution\n\nIf the relative URI for a result is matched against a file defined using a symlink, code scanning is unable to display the result. So you need to resolve any symlinked files, and report any results in those files using the resolved URI.\n\n## File compatibility\n\n\n\nYou can check a SARIF file is compatible with code scanning by testing it against the GitHub ingestion rules. For more information, visit the [Microsoft SARIF validator](https://sarifweb.azurewebsites.net/).\n\nFor each gzip-compressed SARIF file, SARIF upload supports a maximum size of 10 MB. Any uploads over this limit will be rejected. If your SARIF file is too large because it contains too many results, you should update the configuration to focus on results for the most important rules or queries. For more information, see [SARIF results file is too large](/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-sarif-uploads/file-too-large).\n\nCode scanning supports uploading a maximum number of entries for the data objects in the following table. If any of these objects exceeds its maximum value the SARIF file is rejected. For some objects, there is also an additional limit on the number of values that will be displayed. Whenever possible the most important values are shown. To get the most out of your analysis when it includes data above the supported limits, try to optimize the analysis configuration (for example, for the CodeQL tool, identify and disable the most noisy queries). For more information, see [SARIF results exceed one or more limits](/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-sarif-uploads/results-exceed-limit).\n\n
\n\n| **SARIF data** | **Maximum values** | **Data truncation limits** |\n| -------------------------------- | :----------------: | -------------------------------------------------------------------------------- |\n| Runs per file | 20 | None |\n| Results per run | 25,000 | Only the top 5,000 results will be included, prioritized by severity. |\n| Rules per run | 25,000 | None |\n| Tool extensions per run | 100 | None |\n| Thread Flow Locations per result | 10,000 | Only the top 1,000 Thread Flow Locations will be included, using prioritization. |\n| Location per result | 1,000 | Only 100 locations will be included. |\n| Tags per rule | 20 | Only 10 tags will be included. |\n| Alert Limit | 1,000,000 | None |\n\n
\n\nFor information about other errors, see [Troubleshooting SARIF uploads](/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-sarif-uploads).\n\n## Supported properties\n\nIf you use a code analysis engine other than CodeQL, you can review the supported SARIF properties to optimize how your analysis results will appear on GitHub.\n\n> \\[!NOTE]\n> You must supply an explicit value for any property marked as \"required\". The empty string is not supported for required properties.\n\nAny valid SARIF 2.1.0 output file can be uploaded, however, code scanning will only use the following supported properties.\n\n### `sarifLog` object\n\n| Name | Required | Description |\n| --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `$schema` | | The URI of the SARIF JSON schema for version 2.1.0. For example, `https://json.schemastore.org/sarif-2.1.0.json`. |\n| `version` | | Code scanning only supports SARIF version `2.1.0`. |\n| `runs[]` | | A SARIF file contains an array of one or more runs. Each run represents a single run of an analysis tool. For more information about a `run`, see the [`run` object](#run-object). |\n\n### `run` object\n\nCode scanning uses the `run` object to filter results by tool and provide information about the source of a result. The `run` object contains the `tool.driver` tool component object, which contains information about the tool that generated the results. Each `run` can only have results for one analysis tool.\n\n| Name | Required | Description |\n| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `tool.driver` | | A `toolComponent` object that describes the analysis tool. For more information, see the [`toolComponent` object](#toolcomponent-object). |\n| `tool.extensions[]` | | An array of `toolComponent` objects that represent any plugins or extensions used by the tool during analysis. For more information, see the [`toolComponent` object](#toolcomponent-object). |\n| `invocation.workingDirectory.uri` | | This field is used only when `checkout_uri` (SARIF upload API only) or `checkout_path` (GitHub Actions only) are not provided. The value is used to convert absolute URIs used in [`physicalLocation` objects](#physicallocation-object) to relative URIs. For more information, see [Specifying the root for source files](#root-location-for-source-files). |\n| `results[]` | | The results of the analysis tool. Code scanning displays the results on GitHub. For more information, see the [`result` object](#result-object). |\n\n### `toolComponent` object\n\n| Name | Required | Description |\n| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |\n| `name` | | The name of the analysis tool. Code scanning displays the name on GitHub to allow you to filter results by tool. |\n| `version` | | The version of the analysis tool. Code scanning uses the version number to track when results may have changed due to a tool version change rather than a change in the code being analyzed. If the SARIF file includes the `semanticVersion` field, `version` is not used by code scanning. |\n| `semanticVersion` | | The version of the analysis tool, specified by the Semantic Versioning 2.0 format. Code scanning uses the version number to track when results may have changed due to a tool version change rather than a change in the code being analyzed. If the SARIF file includes the `semanticVersion` field, `version` is not used by code scanning. For more information, see [Semantic Versioning 2.0.0](https://semver.org/) in the Semantic Versioning documentation. |\n| `rules[]` | | An array of `reportingDescriptor` objects that represent rules. The analysis tool uses rules to find problems in the code being analyzed. For more information, see the [`reportingDescriptor` object](#reportingdescriptor-object). |\n\n### `reportingDescriptor` object\n\nThis is where you store details of the rules that are run during analysis. Information in these objects should change infrequently, typically when you update the tool. For more information, see [Rules and results](#rules-and-results) above.\n\n| Name | Required | Description |\n| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `id` | | A unique identifier for the rule. The `id` is referenced from other parts of the SARIF file and may be used by code scanning to display URLs on GitHub. |\n| `name` | | The name of the rule. Code scanning displays the name to allow results to be filtered by rule on GitHub. Limited to 255 characters. |\n| `shortDescription.text` | | A concise description of the rule. Code scanning displays the short description on GitHub next to the associated results. Limited to 1024 characters. |\n| `fullDescription.text` | | A description of the rule. Code scanning displays the full description on GitHub next to the associated results. Limited to 1024 characters. |\n| `defaultConfiguration.level` | | Default severity level of the rule. Code scanning uses severity levels to help you understand how critical the result is for a given rule. By default, the `defaultConfiguration.level` is set to `warning`. However, you can override the default level for a rule by setting the `level` attribute in the `result` object associated with the result. For more information, please refer to the documentation on the [`result` object](#result-object). The valid values for `defaultConfiguration.level` are: `note`, `warning` and `error`. |\n| `help.text` | | Documentation for the rule using text format. Code scanning displays this help documentation next to the associated results. |\n| `help.markdown` | | (Recommended) Documentation for the rule using Markdown format. Code scanning displays this help documentation next to the associated results. When `help.markdown` is available, it is displayed instead of `help.text`. |\n| `properties.tags[]` | | An array of strings. Code scanning uses `tags` to allow you to filter results on GitHub. For example, it is possible to filter to all results that have the tag `security`. |\n| `properties.precision` | | (Recommended) A string that indicates how often the results indicated by this rule are true. For example, if a rule has a known high false-positive rate, the precision should be `low`. Code scanning orders results by precision on GitHub so that the results with the highest `level`, and highest `precision` are shown first. Can be one of: `very-high`, `high`, `medium`, or `low`. |\n| `properties.problem.severity` | | (Recommended) A string that indicates the level of severity of any alerts generated by a non-security query. This, with the `properties.precision` property, determines whether the results are displayed by default on GitHub so that the results with the highest `problem.severity`, and highest `precision` are shown first. Can be one of: `error`, `warning`, or `recommendation`. |\n| `properties.security-severity` | | (Recommended only for security rules) If you include a value for this field, results for the rule are treated as security results. A string representing a score that indicates the level of severity, a value that is greater than 0.0 up to 10.0, for security queries (`@tags` includes `security`). This, with the `properties.precision` property, determines whether the results are displayed by default on GitHub so that the results with the highest `security-severity`, and highest `precision` are shown first. Code scanning translates numerical scores as follows: over 9.0 is `critical`, from 7.0 to 8.9 is `high`, from 4.0 to 6.9 is `medium` and from 0.1 to 3.9 is `low`. A value of 0.0 or any other value outside the given range is regarded as having no security severity. |\n\n### `result` object\n\nEach `result` object contains details for one alert in the codebase. Within the `results` object, you can reference the rule that detected the alert. For more information, see [Rules and results](#rules-and-results) above.\n\n| Name | Required | Description |\n| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `ruleId` | | The unique identifier of the rule (`reportingDescriptor.id`). For more information, see the [`reportingDescriptor` object](#reportingdescriptor-object). Code scanning uses the rule identifier to filter results by rule on GitHub. |\n| `ruleIndex` | | The index of the associated rule (`reportingDescriptor` object) in the tool component `rules` array. For more information, see the [`run` object](#run-object). The allowed range for this property 0 to 2^63 - 1. |\n| `rule` | | A reference used to locate the rule (reporting descriptor) for this result. For more information, see the [`reportingDescriptor` object](#reportingdescriptor-object). |\n| `level` | | The severity of the result. This level overrides the default severity defined by the rule. Code scanning uses the level to filter results by severity on GitHub. |\n| `message.text` | | A message that describes the result. Code scanning displays the message text as the title of the result. Only the first sentence of the message will be displayed when visible space is limited. |\n| `locations[]` | | The set of locations where the result was detected up to a maximum of 10. Only one location should be included unless the problem can only be corrected by making a change at every specified location. **Note:** At least one location is required for code scanning to display a result. Code scanning will use this property to decide which file to annotate with the result. Only the first value of this array is used. All other values are ignored. |\n| `partialFingerprints` | | A set of strings used to track the unique identity of the result. Code scanning uses `partialFingerprints` to accurately identify which results are the same across commits and branches. Code scanning will attempt to use `partialFingerprints` if they exist. If you are uploading third-party SARIF files with the `upload-action`, the action will create `partialFingerprints` for you when they are not included in the SARIF file. For more information, see [Providing data to track code scanning alerts across runs](#data-for-preventing-duplicated-alerts). **Note:** Code scanning only uses the `primaryLocationLineHash`. |\n| `codeFlows[].threadFlows[].locations[]` | | An array of `location` objects for a `threadFlow` object, which describes the progress of a program through a thread of execution. A `codeFlow` object describes a pattern of code execution used to detect a result. If code flows are provided, code scanning will expand code flows on GitHub for the relevant result. For more information, see the [`location` object](#location-object). |\n| `relatedLocations[]` | | A set of locations relevant to this result. Code scanning will link to related locations when they are embedded in the result message. For more information, see the [`location` object](#location-object). |\n\n### `location` object\n\nA location within a programming artifact, such as a file in the repository or a file that was generated during a build.\n\n| Name | Required | Description |\n| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `location.id` | | A unique identifier that distinguishes this location from all other locations within a single result object. The allowed range for this property 0 to 2^63 - 1. |\n| `location.physicalLocation` | | Identifies the artifact and region. For more information, see the [`physicalLocation`](#physicallocation-object). |\n| `location.message.text` | | A message relevant to the location. |\n\n### `physicalLocation` object\n\n| Name | Required | Description |\n| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `artifactLocation.uri` | | A URI indicating the location of an artifact, usually a file either in the repository or generated during a build. For the best results we recommend that this is a relative path from the root of the GitHub repository being analyzed. For example, `src/main.js`. For more information about artifact URIs, see [Specifying the root for source files](#root-location-for-source-files). |\n| `region.startLine` | | The line number of the first character in the region. |\n| `region.startColumn` | | The column number of the first character in the region. |\n| `region.endLine` | | The line number of the last character in the region. |\n| `region.endColumn` | | The column number of the character following the end of the region. |\n\n### `runAutomationDetails` object\n\nThe `runAutomationDetails` object contains information that specifies the identity of a run.\n\n| Name | Required | Description |\n| ---- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `id` | | A string that identifies the category of the analysis and the run ID. Use if you want to upload multiple SARIF files for the same tool and commit, but performed on different languages or different parts of the code. |\n\nThe use of the `runAutomationDetails` object is optional.\n\nThe `id` field can include an analysis category and a run ID. We don't use the run ID part of the `id` field, but we store it.\n\nUse the category to distinguish between multiple analyses for the same tool or commit, but performed on different languages or different parts of the code. Use the run ID to identify the specific run of the analysis, such as the date the analysis was run.\n\n`id` is interpreted as `category/run-id`. If the `id` contains no forward slash (`/`), then the entire string is the `run_id` and the `category` is empty. Otherwise, `category` is everything in the string until the last forward slash, and `run_id` is everything after.\n\n| `id` | category | `run_id` |\n| ---------------------------- | ----------------- | --------------------- |\n| my-analysis/tool1/2022-01-02 | my-analysis/tool1 | 2022-01-02 |\n| my-analysis/tool1/ | my-analysis/tool1 | None |\n| my-analysis for tool1 | None | my-analysis for tool1 |\n\n* The run with an `id` of \"my-analysis/tool1/2021-02-01\" belongs to the category \"my-analysis/tool1\".\n* The run with an `id` of \"my-analysis/tool1/\" belongs to the category \"my-analysis/tool1\" but is not distinguished from other runs in that category.\n* The run whose `id` is \"my-analysis for tool1 \" has a unique identifier but cannot be inferred to belong to any category.\n\nFor more information about the `runAutomationDetails` object and the `id` field, see [runAutomationDetails object](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012479) in the OASIS documentation.\n\nNote that the rest of the supported fields are ignored.\n\n## SARIF output file examples\n\nThese example SARIF output files show supported properties and example values.\n\n### Example with minimum required properties\n\nThis SARIF output file has example values to show the minimum required properties for code scanning results to work as expected. If you remove any properties, omit values, or use an empty string, this data will not be displayed correctly or sync on GitHub.\n\n```json\n{\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [\n {\n \"tool\": {\n \"driver\": {\n \"name\": \"Tool Name\",\n \"rules\": [\n {\n \"id\": \"R01\"\n ...\n \"properties\" : {\n \"id\" : \"java/unsafe-deserialization\",\n \"kind\" : \"path-problem\",\n \"name\" : \"...\",\n \"problem.severity\" : \"error\",\n \"security-severity\" : \"9.8\",\n }\n }\n ]\n }\n },\n \"results\": [\n {\n \"ruleId\": \"R01\",\n \"message\": {\n \"text\": \"Result text. This result does not have a rule associated.\"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"fileURI\"\n },\n \"region\": {\n \"startLine\": 2,\n \"startColumn\": 7,\n \"endColumn\": 10\n }\n }\n }\n ],\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"39fa2ee980eb94b0:1\"\n }\n }\n ]\n }\n ]\n}\n```\n\n### Relative URI Guidance for SARIF Producers\n\nThis SARIF output file has example of values for the field `originalUriBaseIds`, showing the minimum required properties a SARIF producer should include when using relative URI references.\n\n> \\[!NOTE]\n> While this property is not required by GitHub for the code scanning results to be displayed correctly, it is required to produce a valid SARIF output when using relative URI references.\n\n```json\n{\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [\n {\n \"tool\": {\n \"driver\": {\n \"name\": \"Tool Name\",\n \"rules\": [\n {\n \"id\": \"R01\"\n ...\n \"properties\" : {\n \"id\" : \"java/unsafe-deserialization\",\n \"kind\" : \"path-problem\",\n \"name\" : \"...\",\n \"problem.severity\" : \"error\",\n \"security-severity\" : \"9.8\",\n }\n }\n ]\n }\n },\n \"originalUriBaseIds\": {\n \"PROJECTROOT\": {\n \"uri\": \"file:///C:/Users/Mary/code/TheProject/\",\n \"description\": {\n \"text\": \"The root directory for all project files.\"\n }\n },\n \"%SRCROOT%\": {\n \"uri\": \"src/\",\n \"uriBaseId\": \"PROJECTROOT\",\n \"description\": {\n \"text\": \"The root of the source tree.\"\n }\n }\n },\n \"results\": [\n {\n \"ruleId\": \"R01\",\n \"message\": {\n \"text\": \"Result text. This result does not have a rule associated.\"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"fileURI\",\n \"uriBaseId\": \"%SRCROOT%\"\n },\n \"region\": {\n \"startLine\": 2,\n \"startColumn\": 7,\n \"endColumn\": 10\n }\n }\n }\n ],\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"39fa2ee980eb94b0:1\"\n }\n }\n ]\n }\n ]\n}\n```\n\n### Example showing all supported SARIF properties\n\nThis SARIF output file has example values to show all supported SARIF properties for code scanning.\n\n```json\n{\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [\n {\n \"tool\": {\n \"driver\": {\n \"name\": \"Tool Name\",\n \"semanticVersion\": \"2.0.0\",\n \"rules\": [\n {\n \"id\": \"3f292041e51d22005ce48f39df3585d44ce1b0ad\",\n \"name\": \"js/unused-local-variable\",\n \"shortDescription\": {\n \"text\": \"Unused variable, import, function or class\"\n },\n \"fullDescription\": {\n \"text\": \"Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.\"\n },\n \"defaultConfiguration\": {\n \"level\": \"note\"\n },\n \"properties\": {\n \"tags\": [\n \"maintainability\"\n ],\n \"precision\": \"very-high\"\n }\n },\n {\n \"id\": \"d5b664aefd5ca4b21b52fdc1d744d7d6ab6886d0\",\n \"name\": \"js/inconsistent-use-of-new\",\n \"shortDescription\": {\n \"text\": \"Inconsistent use of 'new'\"\n },\n \"fullDescription\": {\n \"text\": \"If a function is intended to be a constructor, it should always be invoked with 'new'. Otherwise, it should always be invoked as a normal function, that is, without 'new'.\"\n },\n \"properties\": {\n \"tags\": [\n \"reliability\",\n \"correctness\",\n \"language-features\"\n ],\n \"precision\": \"very-high\"\n }\n },\n {\n \"id\": \"R01\"\n }\n ]\n }\n },\n \"automationDetails\": {\n \"id\": \"my-category/\"\n },\n \"results\": [\n {\n \"ruleId\": \"3f292041e51d22005ce48f39df3585d44ce1b0ad\",\n \"ruleIndex\": 0,\n \"message\": {\n \"text\": \"Unused variable foo.\"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"main.js\",\n \"uriBaseId\": \"%SRCROOT%\"\n },\n \"region\": {\n \"startLine\": 2,\n \"startColumn\": 7,\n \"endColumn\": 10\n }\n }\n }\n ],\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"39fa2ee980eb94b0:1\",\n \"primaryLocationStartColumnFingerprint\": \"4\"\n }\n },\n {\n \"ruleId\": \"d5b664aefd5ca4b21b52fdc1d744d7d6ab6886d0\",\n \"ruleIndex\": 1,\n \"message\": {\n \"text\": \"Function resolvingPromise is sometimes invoked as a constructor (for example [here](1)), and sometimes as a normal function (for example [here](2)).\"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"src/promises.js\",\n \"uriBaseId\": \"%SRCROOT%\"\n },\n \"region\": {\n \"startLine\": 2\n }\n }\n }\n ],\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"5061c3315a741b7d:1\",\n \"primaryLocationStartColumnFingerprint\": \"7\"\n },\n \"relatedLocations\": [\n {\n \"id\": 1,\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"src/ParseObject.js\",\n \"uriBaseId\": \"%SRCROOT%\"\n },\n \"region\": {\n \"startLine\": 2281,\n \"startColumn\": 33,\n \"endColumn\": 55\n }\n },\n \"message\": {\n \"text\": \"here\"\n }\n },\n {\n \"id\": 2,\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"src/LiveQueryClient.js\",\n \"uriBaseId\": \"%SRCROOT%\"\n },\n \"region\": {\n \"startLine\": 166\n }\n },\n \"message\": {\n \"text\": \"here\"\n }\n }\n ]\n },\n {\n \"ruleId\": \"R01\",\n \"message\": {\n \"text\": \"Specifying both [ruleIndex](1) and [ruleId](2) might lead to inconsistencies.\"\n },\n \"level\": \"error\",\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"full.sarif\",\n \"uriBaseId\": \"%SRCROOT%\"\n },\n \"region\": {\n \"startLine\": 54,\n \"startColumn\": 10,\n \"endLine\": 55,\n \"endColumn\": 25\n }\n }\n }\n ],\n \"relatedLocations\": [\n {\n \"id\": 1,\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"full.sarif\"\n },\n \"region\": {\n \"startLine\": 81,\n \"startColumn\": 10,\n \"endColumn\": 18\n }\n },\n \"message\": {\n \"text\": \"here\"\n }\n },\n {\n \"id\": 2,\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"full.sarif\"\n },\n \"region\": {\n \"startLine\": 82,\n \"startColumn\": 10,\n \"endColumn\": 21\n }\n },\n \"message\": {\n \"text\": \"here\"\n }\n }\n ],\n \"codeFlows\": [\n {\n \"threadFlows\": [\n {\n \"locations\": [\n {\n \"location\": {\n \"physicalLocation\": {\n \"region\": {\n \"startLine\": 11,\n \"endLine\": 29,\n \"startColumn\": 10,\n \"endColumn\": 18\n },\n \"artifactLocation\": {\n \"uriBaseId\": \"%SRCROOT%\",\n \"uri\": \"full.sarif\"\n }\n },\n \"message\": {\n \"text\": \"Rule has index 0\"\n }\n }\n },\n {\n \"location\": {\n \"physicalLocation\": {\n \"region\": {\n \"endColumn\": 47,\n \"startColumn\": 12,\n \"startLine\": 12\n },\n \"artifactLocation\": {\n \"uriBaseId\": \"%SRCROOT%\",\n \"uri\": \"full.sarif\"\n }\n }\n }\n }\n ]\n }\n ]\n }\n ],\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"ABC:2\"\n }\n }\n ],\n \"columnKind\": \"utf16CodeUnits\"\n }\n ]\n}\n```"}