Building SARIF logs manually using object literals, even with the assistance of types via @types/sarif, can present some challenges to consumers. Maintaining the necessary log state while building reporting descriptors like rules can become an exercise in object juggling.
The eslint formatter captures this quite well. It uses local variables to maintain state for properties, indices, and it utilizes these variables to "build-up" the log structure.
While this is a completely reasonable approach, having to duplicate this type of functionality in other static analysis tools seems like a heavy lift to have consumers adopt the SARIF standard.
Adding a TypeScript implementation of a builder will help consumers
- Build consistent logs
- Utilize strongly-typed constructs when building those logs
- DRYing up common SARIF log building code.
Giving consumers an API to build SARIF logs can be simply the start. This repository can also house
- A SARIF log validator using something like
ajvto perform the validation - Utilities to generate partial fingerprints in a consistent fashion
- Adding first-party types vs. third-party types in DefinitelyTyped. I realize Jeff is the author of
@types/sarif, but it would be great to publish SARIF types via this repository so they could be housed in one place. Additionally, the workflows in DefinitelyTyped can be a bit unweildy to manage (auto-publishing of types, versioning, etc). - Documentation, references, and examples of tools using both SARIF and the builder itself.\