Add SARIF support

lib/puppet-lint.rb

@@ -161,7 +161,7 @@ def print_context(message)
   # problems - An Array of problem Hashes as returned by
   #            PuppetLint::Checks#run.
   #
-  # Returns nothing.
+  # Returns array of problem.
   def report(problems)
     json = []
     problems.each do |message|
@@ -171,7 +171,7 @@ def report(problems)
 
       next unless message[:kind] == :fixed || [message[:kind], :all].include?(configuration.error_level)
 
-      if configuration.json
+      if configuration.json || configuration.sarif
         message['context'] = get_context(message) if configuration.with_context
         json << message
       else
@@ -183,6 +183,7 @@ def report(problems)
     puts JSON.pretty_generate(json) if configuration.json
 
     $stderr.puts 'Try running `puppet parser validate <file>`' if problems.any? { |p| p[:check] == :syntax }
+    json
   end
 
   # Public: Determine if PuppetLint found any errors in the manifest.

lib/puppet-lint/bin.rb

@@ -1,3 +1,5 @@
+require 'pathname'
+require 'uri'
 require 'puppet-lint/optparser'
 
 # Internal: The logic of the puppet-lint bin script, contained in a class for
@@ -46,6 +48,18 @@ def run
 
     begin
       path = @args[0]
+      full_path = File.expand_path(path, ENV['PWD'])
+      full_base_path = if File.directory?(full_path)
+                         full_path
+                       else
+                         File.dirname(full_path)
+                       end
+
+      full_base_path_uri = if full_base_path.start_with?('/')
+                             'file://' + full_base_path
+                           else
+                             'file:///' + full_base_path
+                           end
       path = path.gsub(File::ALT_SEPARATOR, File::SEPARATOR) if File::ALT_SEPARATOR
       path = if File.directory?(path)
                Dir.glob("#{path}/**/*.pp")
@@ -57,14 +71,15 @@ def run
 
       return_val = 0
       ignore_paths = PuppetLint.configuration.ignore_paths
+      all_problems = []
 
       puts '[' if PuppetLint.configuration.json
       path.each do |f|
         next if ignore_paths.any? { |p| File.fnmatch(p, f) }
         l = PuppetLint.new
         l.file = f
         l.run
-        l.print_problems
+        all_problems << l.print_problems
         puts ',' if f != path.last && PuppetLint.configuration.json
 
         if l.errors? || (l.warnings? && PuppetLint.configuration.fail_on_warnings)
@@ -78,11 +93,45 @@ def run
       end
       puts ']' if PuppetLint.configuration.json
 
+      report_sarif(all_problems, full_base_path, full_base_path_uri) if PuppetLint.configuration.sarif
+
       return return_val
     rescue PuppetLint::NoCodeError
       puts 'puppet-lint: no file specified or specified file does not exist'
       puts "puppet-lint: try 'puppet-lint --help' for more information"
       return 1
     end
   end
+
+  # Internal: Print the reported problems in SARIF format to stdout.
+  #
+  # problems - An Array of problem Hashes as returned by
+  #            PuppetLint::Checks#run.
+  #
+  # Returns nothing.
+  def report_sarif(problems, base_path, base_path_uri)
+    sarif_file = File.read(File.join(File.dirname(File.expand_path(__FILE__)), 'report/sarif.json'))
+    sarif = JSON.parse(sarif_file)
+    sarif['runs'][0]['originalUriBaseIds']['ROOTPATH']['uri'] = base_path_uri
+    rules = sarif['runs'][0]['tool']['driver']['rules'] = []
+    results = sarif['runs'][0]['results'] = []
+    problems.each do |messages|
+      messages.each do |message|
+        relative_path = Pathname.new(message[:fullpath]).relative_path_from(base_path)
+        rules = sarif['runs'][0]['tool']['driver']['rules']
+        rule_exists = rules.any? { |r| r['id'] == message[:check] }
+        rules << { 'id' => message[:check] } unless rule_exists
+        rule_index = rules.count - 1
+        result = {
+          'ruleId' => message[:check],
+          'ruleIndex' => rule_index,
+          'message' => { 'text' => message[:message] },
+          'locations' => [{ 'physicalLocation' => { 'artifactLocation' => { 'uri' => relative_path, 'uriBaseId' => 'ROOTPATH' }, 'region' => { 'startLine' => message[:line], 'startColumn' => message[:column] } } }],
+        }
+        result['level'] = message[:KIND].downcase if %w[error warning].include?(message[:KIND].downcase)
+        results << result
+      end
+    end
+    puts JSON.pretty_generate(sarif)
+  end
 end

lib/puppet-lint/configuration.rb

@@ -150,6 +150,7 @@ def defaults
       self.with_context = false
       self.fix = false
       self.json = false
+      self.sarif = false
       self.show_ignored = false
       self.ignore_paths = ['vendor/**/*.pp']
       self.github_actions = ENV.key?('GITHUB_ACTION')

lib/puppet-lint/optparser.rb

@@ -98,6 +98,10 @@ def self.build(args = [])
         PuppetLint.configuration.json = true
       end
 
+      opts.on('--sarif', 'Log output as SARIF') do
+        PuppetLint.configuration.sarif = true
+      end
+
       opts.on('--list-checks', 'List available check names.') do
         PuppetLint.configuration.list_checks = true
       end

lib/puppet-lint/report/sarif.json

@@ -0,0 +1,60 @@
+{
+  "$schema":"https://www.schemastore.org/schemas/json/sarif-2.1.0-rtm.5.json",
+  "version":"2.1.0",
+  "runs":[
+    {
+      "tool":{
+        "driver":{
+          "name":"Puppet Lint",
+          "informationUri":"https://github.com/puppetlabs/puppet-lint",
+          "version":"0.15.0",
+          "rules":[
+            {
+              "id":"",
+              "name":"",
+              "shortDescription":{
+                "text":""
+              },
+              "fullDescription":{
+                "text":""
+              },
+              "help":{
+                "text":""
+              }
+            }
+          ]
+        }
+      },
+      "results":[
+        {
+          "ruleId":"",
+          "ruleIndex":0,
+          "level":"error",
+          "message":{
+            "text":""
+          },
+          "locations":[
+            {
+              "physicalLocation":{
+                "artifactLocation":{
+                  "uri":"file:///foo.txt",
+                  "uriBaseId":"ROOTPATH"
+                },
+                "region":{
+                  "startLine":1,
+                  "startColumn":1
+                }
+              }
+            }
+          ]
+        }
+      ],
+      "columnKind":"utf16CodeUnits",
+      "originalUriBaseIds":{
+        "ROOTPATH":{
+          "uri":"/"
+        }
+      }
+    }
+  ]
+}

spec/puppet-lint/bin_spec.rb

@@ -397,6 +397,41 @@ def initialize(args)
     end
   end
 
+  context 'when displaying results as SARIF' do
+    let(:args) do
+      [
+        '--sarif',
+        'spec/fixtures/test/manifests/warning.pp',
+      ]
+    end
+
+    its(:exitstatus) { is_expected.to eq(0) }
+
+    its(:stdout) do
+      is_expected.to match(%r{"ruleId": "parameter_order"})
+      is_expected.to match(%r{"uri": "warning.pp"})
+    end
+  end
+
+  context 'when displaying results for multiple targets as SARIF' do
+    let(:args) do
+      [
+        '--sarif',
+        'spec/fixtures/test/manifests/fail.pp',
+        'spec/fixtures/test/manifests/warning.pp',
+      ]
+    end
+
+    its(:exitstatus) { is_expected.to eq(1) }
+
+    its(:stdout) do
+      is_expected.to match(%r{"ruleId": "autoloader_layout"})
+      is_expected.to match(%r{"uri": "fail.pp"})
+      is_expected.to match(%r{"ruleId": "parameter_order"})
+      is_expected.to match(%r{"uri": "warning.pp"})
+    end
+  end
+
   context 'when hiding ignored problems' do
     let(:args) do
       [

spec/puppet-lint/configuration_spec.rb

@@ -59,6 +59,7 @@
       'fail_on_warnings' => false,
       'error_level'      => :all,
       'log_format'       => '',
+      'sarif'            => false,
       'with_context'     => false,
       'fix'              => false,
       'github_actions'   => false,