SARIF - GCC Wiki (original) (raw)

SARIF support in GCC

The Static Analysis Results Interchange Format (SARIF) is "an industry standard format for the output of static analysis tools" i.e. a machine-readable file format that can represent compiler diagnostics.

GCC's statement of use in the SARIF specification's issue tracker can be seen here

GCC as a SARIF producer

GCC 13 onwards can output its diagnostics in SARIF format.

GCC 15 onwards can output its diagnostics in multiple formats at once (such as text *and* SARIF).

User-facing documentation:

• -fdiagnostics-format=sarif-{stdout,stderr}
• -fdiagnostics-add-output=sarif (GCC 15 onwards)
• -fdiagnostics-set-output=sarif (GCC 15 onwards)

Implementation: gcc/diagnostic-format-sarif.cc

History of GCC as a SARIF producer

GCC 16 (under development)

• 2025-04-30: Added "serialization" param to -fdiagnostics-add-output='s "sarif" scheme (must be "json" for now).

GCC 15

• 2024-11-29: "libdiagnostics" renamed to "libgdiagnostics"
• 2024-11-18: libdiagnostics implementation pushed to trunk
• 2024-11-13: Posted v4 patch kit of libdiagnostics, a new shared library which has an API for client code to write out .sarif files.
• 2024-10-29: Added support for emitting diagnostics to multiple output sinks simultaneously, such as multiple SARIF files, potentially of different formats.
• 2024-10-23: Added buffering support to diagnostic subsystem, fixing bug in SARIF output from Fortran frontend
• 2024-10-16: SARIF output now captures backtraces in the "internal compiler error" handler
• 2024-10-04: Moved opening of .sarif output file to the start of the compile, rather than the end
• 2024-10-02: Added initial support for SARIF 2.2 output (draft spec as of 2024-08-08)
• 2024-09-09: Fixed SARIF schema URL (§3.13.3)
• 2024-08-29: Added embedded URLs in SARIF text messages (§3.11.6)
• 2024-08-15: Posted v3 patch kit of libdiagnostics, a new shared library which has an API for client code to write out .sarif files.
• 2024-08-06: Fix invocation property "executionSuccessful" (§3.20.14)
• 2024-08-01: Capture secondary locations without labels as relatedLocations (§3.27.22)
• 2024-07-26: Added #include information (§3.34) to locations
• 2024-07-24:
  • Added escaped renderings of source for diagnostics relating to encodings (§3.3.4)
  • Added "arguments" (§3.20.2), "startTimeUtc" (§3.20.7), "endTimeUtc" (§3.20.8), and "workingDirectory" (§3.20.19) properties to invocation objects.
  • Use the location "annotations" property (§3.28.6) to encode labelled source ranges from diagnostics into the SARIF output.
  • Tweak the SARIF output for diagnostics involving UNKNOWN_LOCATION
  • Internal cleanups to implementation of SARIF output:
    * Use sarif_object subclasses throughout to help enforce schema compliance
    * Use std::unique_ptr throughout to avoid manual memory management
    * Add selftests
• 2024-06-25: Use check-jsonschema rather than the deprecated jsonschema when validating .sarif files in DejaGnu
• 2024-06-21:
  • Fixed various problems with SARIF output that could lead to validation failure
  • Check that generated .sarif files validate against the SARIF schema in GCC's DejaGnu testsuite
  • Check that generated .sarif files validate against the SARIF schema in the analyzer integration testsuite
• 2024-06-03: Added the property "artifact.roles" to GCC's SARIF output (SARIF v2.1 §3.24.6)

GCC 14

• 2023-12-06: Formatting of JSON/SARIF output
• 2023-12-01: Added per-diagnostic property bags to SARIF for debugging analyzer
• 2023-09-22: Talk at GNU Tools Cauldron 2023: Updates to Diagnostics in GCC 14
• 2023-09-14: Added support for multithreaded diagnostics in GCC (although nothing yet takes advantage of this)
• 2023-07-31: Added timing/profile information to SARIF output

GCC 13

• 2023-05-31: Blog post: Improvements to static analysis in the GCC 13 compiler
• 2023-03-15: Added SARIF support for internal compiler errors to capture crashes as SARIF notifications
• 2022-06-02: Implemented SARIF output for GCC diagnostics (including analyzer warnings)

GCC as a SARIF consumer

As of GCC 15, GCC optionally provides a sarif-replay tool that accepts SARIF as input. See libgdiagnostics for more information.

History of GCC as a SARIF consumer

• 2025-02-15: Improvements to sarif-replay:
  • Display annotations as labelled ranges (§3.28.6) [PR118881]
  • Handle relatedLocations without messages (§3.27.22)
  • Don't add trailing " [error]"
  • Handle the 'fixes' property (§3.27.30)
• 2025-02-01: sarif-replay now handles "cached" logical locations §3.33.3
• 2024-12-16: Improvements to libgdiagnostics/sarif-replay handling of logical locations
• 2024-12-16: Initial handling of embedded URLS in sarif-replay
• 2024-12-16: sarif-replay can now use the "contents" attribute of an artifact when quoting source, rather than accessing the path in the filesystem, which should help when copying .sarif files around between machines.
• 2024-11-29: "libdiagnostics" renamed to "libgdiagnostics"
• 2024-11-18: libdiagnostics implementation pushed to trunk
• 2024-11-13: Posted v4 patch kit for libdiagnostics, which adds a sarif-replay command-line tool
• 2024-08-15: Posted v3 patch kit for libdiagnostics, which adds a sarif-replay command-line tool
• 2022-06-22: Posted experimental patches for replay of serialized diagnostics (including analyzer warnings)

Bugs relating to GCC SARIF support

There is a "SARIF" keyword in GCC's bug tracker for bugs relating to GCC's SARIF support.

By keyword:

• Open bugs with "SARIF" keyword set
• All bugs with "SARIF" keyword, including resolved bugs

By text:

• Open bugs that refer to "sarif"
• All bugs that refer to "sarif", including resolved bugs

Bugs relating to sarif-replay:

• Open bugs against component "sarif-replay"
• All bugs against component "sarif-replay"