• SARIF

SARIF support in GCC

The Static Analysis Results Interchange Format (SARIF) "is an industry standard format for the output of static analysis tools".

GCC's statement of use in the SARIF specification's issue tracker can be seen here

GCC as a SARIF producer

GCC 13 onwards can output its diagnostics in SARIF format.

User-facing documentation: -fdiagnostics-format=sarif-{stdout,stderr}

Implementation: gcc/diagnostic-format-sarif.cc

History of GCC as a SARIF producer

GCC 15 (under development)

• 2024-07-26: Added #include information (§3.34) to locations

• 2024-07-24:

  • Added escaped renderings of source for diagnostics relating to encodings (§3.3.4)

  • Added "arguments" (§3.20.2), "startTimeUtc" (§3.20.7), "endTimeUtc" (§3.20.8), and "workingDirectory" (§3.20.19) properties to invocation objects.

  • Use the location "annotations" property (§3.28.6) to encode labelled source ranges from diagnostics into the SARIF output.

  • Tweak the SARIF output for diagnostics involving UNKNOWN_LOCATION

  • Internal cleanups to implementation of SARIF output:

    • Use sarif_object subclasses throughout to help enforce schema compliance

    • Use std::unique_ptr throughout to avoid manual memory management

    • Add selftests

• 2024-06-25: Use check-jsonschema rather than the deprecated jsonschema when validating .sarif files in DejaGnu

• 2024-06-21:

  • Fixed various problems with SARIF output that could lead to validation failure

  • Check that generated .sarif files validate against the SARIF schema in GCC's DejaGnu testsuite

  • Check that generated .sarif files validate against the SARIF schema in the analyzer integration testsuite

• 2024-06-03: Added the property "artifact.roles" to GCC's SARIF output (SARIF v2.1 §3.24.6)

GCC 14

• 2023-12-06: Formatting of JSON/SARIF output

• 2023-12-01: Added per-diagnostic property bags to SARIF for debugging analyzer

• 2023-09-22: Talk at GNU Tools Cauldron 2023: Updates to Diagnostics in GCC 14

• 2023-09-14: Added support for multithreaded diagnostics in GCC (although nothing yet takes advantage of this)

• 2023-07-31: Added timing/profile information to SARIF output

GCC 13

• 2023-05-31: Blog post: Improvements to static analysis in the GCC 13 compiler

• 2023-03-15: Added SARIF support for internal compiler errors to capture crashes as SARIF notifications

• 2022-06-02: Implemented SARIF output for GCC diagnostics (including analyzer warnings)

GCC as a SARIF consumer

GCC does not yet have support for accepting SARIF as input.

History of GCC as a SARIF consumer

• 2022-06-22: Posted experimental patches for replay of serialized diagnostics (including analyzer warnings)

Bugs relating to GCC SARIF support

There is a "SARIF" keyword in GCC's bug tracker for bugs relating to GCC's SARIF support.

By keyword:

• Open bugs with "SARIF" keyword set

• All bugs with "SARIF" keyword, including resolved bugs

By text:

• Open bugs that refer to "sarif"

• All bugs that refer to "sarif", including resolved bugs