LGTM Enterprise 1.25

SARIF results file

Overview

You can export alerts from LGTM in SARIF format. SARIF is designed to represent the output of a broad range of static analysis tools, and there are many features in the SARIF specification that are considered "optional". This document details the output exported by LGTM, which corresponds to the SARIF v2.1.0 specification. For more information, see Exporting alerts as SARIF.

SARIF specification and schema

This topic is intended to be read alongside the detailed SARIF specification. For more information on the specification and the SARIF schema, see Static Analysis Results Interchange Format (SARIF) Version 2.1.0.

Generated SARIF objects

This section details each SARIF component that LGTM may generate, along with the circumstances in which it is generated. Properties that are never generated are omitted.

sarifLog object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| $schema | Always | Provides a link to the SARIF schema. |
| version | Always | The version of SARIF used to generate the output. |
| runs | Always | An array containing one run object for each language included in the output. |

run object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| tool | Always | |
| artifacts | Always | An array containing at least one artifact object for every file referenced in a result. |
| results | Always | |
| newLineSequences | Optionally | Included with JavaScript results but omitted for other languages where the value is equivalent to the default. |
| columnKind | Always | |
| properties | Always | The properties dictionary will contain two entries: semmle.sourceLanguage, which will be set to one of the language codes; and semmle.formatSpecifier, which identifies the format specifier passed to the command-line tools. |

tool object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| driver | Always | Defines details of the tool that generated the file. |

toolComponent object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| name | Always | Set to "LGTM Enterprise". |
| organization | Always | Set to "Semmle". |
| version | Always | Set to the LGTM release version, for example, "1.24.0". |
| rules | Always | An array of reportingDescriptor objects that represent rules. This array contains all the rules that reported results in this analysis. |

reportingDescriptor object (for rule)

reportingDescriptor objects may be used in multiple places in the SARIF specification. When a reportingDescriptor is included in the rules array of a toolComponent object, it has the following properties.

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| id | Always | Will contain the @id property specified in the query that defines the rule, which is of the format <query-pack>:<query-id>. For example, com.lgtm/javascript-queries:js/comparison-between-incompatible-types. |
| name | Always | For LGTM, will match the id value. |
| shortDescription | Always | Will contain the @name property specified in the query that defines the rule. |
| fullDescription | Always | Will contain the @description property specified in the query that defines the rule. |
| defaultConfiguration | Always | A reportingConfiguration object, with a level property set according to the @severity property specified in the query that defines the rule. Omitted if the @severity property was not specified. |

artifact object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| location | Always | An artifactLocation object. |
| index | Always | The index of the artifact object. |

artifactLocation object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| uri | Always | |
| index | Always | |
| uriBaseId | Optionally | If the file is relative to some known abstract location, such as the root source location on the analysis machine, this will be set. |

result object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| ruleId | Always | See the description of the id property in the reportingDescriptor object (for rule). |
| ruleIndex | Always | |
| message | Always | A message describing the problem(s) occurring at this location. This message may be a SARIF "Message with placeholder", containing links that refer to locations in the relatedLocations property. |
| locations | Always | An array containing a single location object. |
| partialFingerprints | Always | A dictionary from named fingerprint types to the fingerprint. This will contain, at a minimum, a value for the primaryLocationLineHash, which provides a fingerprint based on the context of the primary location. |
| codeFlows | Optionally | This array may be populated with one or more codeFlow objects if the query that defines the rule for this result is of @kind path-problem. |
| relatedLocations | Optionally | This array will be populated if the query that defines the rule for this result has a message with placeholder options. Each unique location is included once. |
| suppressions | Optionally | If the result is suppressed, then this will contain a single suppression object, with the @kind property set to inSource. If this result is not suppressed, but there is at least one result that has a suppression, then this will be set to an empty array; otherwise it will not be set. |

location object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| physicalLocation | Always | |
| id | Optionally | location objects that appear in the relatedLocations array of a result object may contain the id property. |
| message | Optionally | location objects may contain the message property if they appear in the relatedLocations array of a result object, or if they appear in the threadFlowLocation.location property. |

physicalLocation object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| artifactLocation | Always | |
| region | Optionally | If the given physicalLocation exists in a text file, such as a source code file, then the region property may be present. |

region object

There are two types of region object produced by LGTM:

  • Line/column offset regions
  • Character offset and length regions 

Any region produced by LGTM may be specified in either format, and consumers should robustly handle either type.

For line/column offset regions, the following properties will be set:

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| startLine | Always | |
| startColumn | Optionally | Not included if equal to the default value of 1. |
| endLine | Optionally | Not included if identical to startLine. |
| endColumn | Always | |

For character offset and length regions, the following properties will be set:

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| charOffset | Optionally | Provided if startLine, startColumn, endLine, and endColumn are not populated. |
| charLength | Optionally | Provided if startLine, startColumn, endLine, and endColumn are not populated. |
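
The following consumer sketch is an added example, not code from LGTM or Semmle. It normalizes both region types (applying the startColumn and endLine defaults from the tables above) and treats an absent or empty suppressions array as "not suppressed", as described for the result object. The sample log, the file src/app.js, the query id js/example-query and all function names are constructed for illustration, and it assumes columns count characters the same way Python string indices do.

```python
import json

# Constructed sample shaped like the tables above; not real LGTM output.
# "js/example-query" and src/app.js are made-up names.
SAMPLE_SARIF = json.loads("""
{"runs": [{"results": [
  {"ruleId": "com.lgtm/javascript-queries:js/comparison-between-incompatible-types",
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.js"},
                  "region": {"startLine": 1, "endColumn": 4}}}],
   "suppressions": []},
  {"ruleId": "com.lgtm/javascript-queries:js/example-query",
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.js"},
                  "region": {"charOffset": 14, "charLength": 6}}}]},
  {"ruleId": "com.lgtm/javascript-queries:js/example-query",
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.js"}}}],
   "suppressions": [{"kind": "inSource"}]}
]}]}
""")
SAMPLE_SOURCES = {"src/app.js": "let a = 1;\nif (a == 'x') {}\n"}  # constructed

def _line_col(text, offset):
    """Map a 0-based character offset to 1-based (line, column)."""
    line_start = text.rfind("\n", 0, offset) + 1
    return text.count("\n", 0, offset) + 1, offset - line_start + 1

def normalize_region(region, text=None):
    """Return (startLine, startColumn, endLine, endColumn), or None if unknown."""
    region = region or {}  # region is optional on physicalLocation
    if "startLine" in region:
        start_line = region["startLine"]
        return (start_line, region.get("startColumn", 1),
                region.get("endLine", start_line), region.get("endColumn"))
    if "charOffset" in region and text is not None:
        end = region["charOffset"] + region.get("charLength", 0)
        return _line_col(text, region["charOffset"]) + _line_col(text, end)
    return None  # no region, or an offset region without the source text

def open_alerts(log, sources):
    """List unsuppressed results as (query_pack, query_id, uri, region)."""
    alerts = []
    for run in log["runs"]:
        for result in run["results"]:
            if result.get("suppressions"):  # absent or [] means not suppressed
                continue
            pack, _, query_id = result["ruleId"].partition(":")
            loc = result["locations"][0]["physicalLocation"]
            uri = loc["artifactLocation"]["uri"]
            region = normalize_region(loc.get("region"), sources.get(uri))
            alerts.append((pack, query_id, uri, region))
    return alerts
```

Converting a character offset region to line and column needs the source text of the artifact; without it the sketch returns None for the region rather than guessing.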

codeFlow object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| threadFlows | Always | |

threadFlow object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| locations | Always | |

threadFlowLocation object

| JSON property name | When is this generated? | Notes |
| --- | --- | --- |
| location | Always | |