Static Analysis Results Interchange Format (SARIF) support

[llaville]

Hello,

As lot of PHP projects, Twig-CS-Fixer does not allow to add more report support without to modify core of Code (see https://github.com/VincentLanglet/Twig-CS-Fixer/blob/main/src/Report/ReporterFactory.php)

With this topic, I would like to do that is possible, if at least the checkstyle format exists and if filenames are fully identified by absolute paths.

As author of :

• PHP SARIF specification implementation with https://github.com/llaville/sarif-php-sdk (stable final version 2.0)
• PHP SARIF converters (https://github.com/llaville/sarif-php-converters) still in developement, but already stable on branch 1.0

I've just finalized integration of Twig-CS-Fixer: works fine with branch main (commit 0ca89b6).

User Guide to use it is available at : https://github.com/llaville/sarif-php-converters/blob/1.0/docs/converter/twigcs-fixer.md

Official SARIF specifications are available at https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html)

[VincentLanglet]

Hi,

Since Twig-CS-Fixer is moving (slowly) from a personal tool to an open-source tool used by multiple libraries and quoted on Twig docs, I now always need to be careful about new changes, integrations and especially new dependencies. But any integration of Twig-CS-Fixer in different libraries is welcomed. Thanks for your work :)

I never heard about SARIF before, but seems like it's a known-enough standard since github has doc about it (https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) ; so I'm glad to help about the integration if needed.

Do you encounter some blockers ? If I understand correctly, it's not the case.

As lot of PHP projects, Twig-CS-Fixer does not allow to add more report support without to modify core of Code (see main/src/Report/ReporterFactory.php)

Indeed, but if needed this can be solved easily by changing in TwigCsFixerCommand

$reporterFactory = new ReporterFactory();

to

$reporterFactory = new ReporterFactory($config->getCustomReporters());

Would it be helpful ?

[llaville]

Hello,

SARIF format is unknown by our PHP community, and by my projects goals I want to enlarge adoption of this report format that I'm convinced that this is the future of output format, where checkstyle, junit and more are the past.

I understand your point of view, and integration to new dependencies is shared by lot of project leaders. I was faced of this situation in multiple cases. That is the main reason why, I've decided to create my projects.

First step : a package that implements full SARIF specifications, and allow to everyone to use it as they want, to quickly build a compatible output format, rather than build their own private JSON copy with partial spec support.

Second step: allow to user-end to have a SARIF report to their most famous libraries even if they do not support it yet, or supported it partially, without ability to customize it. And project leaders don't have to maintain it, because I'll do it for them.

About your proposal

$reporterFactory = new ReporterFactory($config->getCustomReporters());

I like it, and it will allow me to support it SARIF natively for Twig-CS-Fixer rather than using a converting process like I already did it for projects that optionally need my Console Tool.

Why I prefer this solution : this is because, even if checkstyle format is very cool, standard schema does not provide all project informations. At least those where I'm working for.

Glad to hear that you're mind free and opened !
Tell me if I can help you in anyways, I'll happy to do it.

[VincentLanglet]

Does this PR solve it #268 ?

[llaville]

Yes it did.
I've just built a basic class, but I should be able to create a full SARIF natif support for Twig-CS-Fixer. I'll keep you aware when it will be done !
Thanks to provide such cool feature :)

[llaville]

Twig-CS-Fixer is now officially supported natively with TwigCsFixerReporter with new your new custom reporter feature.

No need to convert it from a previous checkstyle report format.

I've updated my user guide at https://github.com/llaville/sarif-php-converters/blob/1.0/docs/converter/twigcs-fixer.md

[VincentLanglet]

Nice, BTW I plan to release the v3 stable version very-soon.
Do you see/need any BC break before I make the release @llaville ?

[llaville]

No, not in current state. LGTM