fix(report): preserve full finding metadata in SARIF output (#229)#230
Open
rodboev wants to merge 2 commits into
Open
fix(report): preserve full finding metadata in SARIF output (#229)#230rodboev wants to merge 2 commits into
rodboev wants to merge 2 commits into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--format sarifcurrently drops finding metadata that--format jsonalready preserves. This makes SARIF a lossy export path for downstream tooling that needs category, pattern, confidence, finding summaries, explanations, remediation, snippets, intent, tags, and precise end-line data.Closes #229
Root cause
_build_sarif()builds each result from only the core SARIF fields and never carries the richerFindingmetadata that the JSON formatter already serializes. The current SARIF models also lack a resultpropertiesbag, so the report layer has no standard place to preserve those fields.Diff Notes
SarifResultso the report layer can preserve SkillSpector-specific finding metadata in a SARIF-compatiblepropertiesbag.endLinewired through the SARIF region and carry the named JSON fields, includingpattern,finding, andexplanation, through the SARIF result path.Scope
This change is limited to report and SARIF schema code. It does not change analyzers, JSON output, CLI behavior, transitive scanning, baseline matching, or provider and MCP behavior.
Verification
./.venv/Scripts/python.exe -m pytest tests/nodes/test_report.py tests/nodes/test_sarif_rules_and_empty_findings.py(62 passed, 1 warning)uv run ruff check src/ tests/uv run ruff format --check src/ tests/