Bug: SARIF report not according to specification(snippet, message) #818

@npetzall

Description

Describe the bug

The produced SARIF report has both message and snippet fields in region as string instead of object.

https://json.schemastore.org/sarif-2.1.0.json

"region": {
      "description": "A region within an artifact where a result was detected.",
      "additionalProperties": false,
      "type": "object",
      "properties": {
        "startLine": {
          "description": "The line number of the first character in the region.",
          "type": "integer",
          "minimum": 1
        },
        "startColumn": {
          "description": "The column number of the first character in the region.",
          "type": "integer",
          "minimum": 1
        },
        "endLine": {
          "description": "The line number of the last character in the region.",
          "type": "integer",
          "minimum": 1
        },
        "endColumn": {
          "description": "The column number of the character following the end of the region.",
          "type": "integer",
          "minimum": 1
        },
        "charOffset": {
          "description": "The zero-based offset from the beginning of the artifact of the first character in the region.",
          "type": "integer",
          "default": -1,
          "minimum": -1
        },
        "charLength": {
          "description": "The length of the region in characters.",
          "type": "integer",
          "minimum": 0
        },
        "byteOffset": {
          "description": "The zero-based offset from the beginning of the artifact of the first byte in the region.",
          "type": "integer",
          "default": -1,
          "minimum": -1
        },
        "byteLength": {
          "description": "The length of the region in bytes.",
          "type": "integer",
          "minimum": 0
        },
        "snippet": {
          "$ref": "#/definitions/artifactContent",
          "description": "The portion of the artifact contents within the specified region."
        },
        "message": {
          "$ref": "#/definitions/message",
          "description": "A message relevant to the region."
        },
        "sourceLanguage": {
          "description": "Specifies the source language, if any, of the portion of the artifact specified by the region object.",
          "type": "string"
        },
        "properties": {
          "$ref": "#/definitions/propertyBag",
          "description": "Key/value pairs that provide additional information about the region."
        }
      }
    }
    "artifactContent": {
      "description": "Represents the contents of an artifact.",
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "text": {
          "description": "UTF-8-encoded content from a text artifact.",
          "type": "string"
        },
        "binary": {
          "description": "MIME Base64-encoded content from a binary artifact, or from a text artifact in its original encoding.",
          "type": "string"
        },
        "rendered": {
          "$ref": "#/definitions/multiformatMessageString",
          "description": "An alternate rendered representation of the artifact (e.g., a decompiled representation of a binary region)."
        },
        "properties": {
          "$ref": "#/definitions/propertyBag",
          "description": "Key/value pairs that provide additional information about the artifact content."
        }
      }
    }
    "message": {
      "description": "Encapsulates a message intended to be read by the end user.",
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "text": {
          "description": "A plain text message string.",
          "type": "string"
        },
        "markdown": {
          "description": "A Markdown message string.",
          "type": "string"
        },
        "id": {
          "description": "The identifier for this message.",
          "type": "string"
        },
        "arguments": {
          "description": "An array of strings to substitute into the message string.",
          "type": "array",
          "minItems": 0,
          "uniqueItems": false,
          "default": [],
          "items": {
            "type": "string"
          }
        },
        "properties": {
          "$ref": "#/definitions/propertyBag",
          "description": "Key/value pairs that provide additional information about the message."
        }
      },
      "anyOf": [
        {
          "required": ["text"]
        },
        {
          "required": ["id"]
        }
      ]
    }

To reproduce

Snippet and message have most often occurred when checking licenses.

cargo-deny version

0.18.9

What OS were you running cargo-deny on?

Linux

Additional context

If you come to the same conclusion regarding the specification, I have a branch ready: main...npetzall:cargo-deny:sarif_snippet_message

Minimal implementation, can be expanded if needed.
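The mismatch the report describes can be checked mechanically against the schema excerpts quoted above. The following Python is an added example, not code from cargo-deny or from the reporter's branch. It builds a constructed SARIF log in which `region.snippet` and `region.message` are plain strings, walks every `physicalLocation.region` under `runs[].results[].locations[]`, reports each deviation from the quoted `region`, `artifactContent` and `message` definitions, and shows the object form (`{"text": ...}`) that the schema expects. Only the properties quoted above are modelled; the rest of the SARIF schema is not checked.

```python
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample (NOT real cargo-deny output): a minimal SARIF 2.1.0 log with the
# string-valued snippet and message that the bug report describes.
BAD_SARIF_TEXT = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-tool"}},
        "results": [{
            "ruleId": "license-not-allowed",
            "message": {"text": "license is not allowed"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": "Cargo.lock"},
                    "region": {
                        "startLine": 10, "startColumn": 1,
                        "endLine": 12, "endColumn": 2,
                        "snippet": "name = \"some-crate\"",      # schema wants artifactContent object
                        "message": "license is not allowed",     # schema wants message object
                    }
                }
            }]
        }]
    }]
})

# Integer properties of "region" and their schema minimums (from the quoted definition).
REGION_INT_MIN = {"startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1,
                  "charOffset": -1, "charLength": 0, "byteOffset": -1, "byteLength": 0}
REGION_KEYS = set(REGION_INT_MIN) | {"snippet", "message", "sourceLanguage", "properties"}
ARTIFACT_CONTENT_KEYS = {"text", "binary", "rendered", "properties"}
MESSAGE_KEYS = {"text", "markdown", "id", "arguments", "properties"}


def check_region(region: Any, where: str) -> List[str]:
    """Return schema violations for one region object; empty list means it conforms."""
    if not isinstance(region, dict):
        return [f"{where}: region must be an object"]
    problems: List[str] = []
    for key in sorted(set(region) - REGION_KEYS):
        problems.append(f"{where}.{key}: not allowed (additionalProperties is false)")
    for key, minimum in REGION_INT_MIN.items():
        value = region.get(key)
        if value is not None and (isinstance(value, bool) or not isinstance(value, int) or value < minimum):
            problems.append(f"{where}.{key}: must be an integer >= {minimum}")
    snippet = region.get("snippet")
    if snippet is not None:
        if not isinstance(snippet, dict):
            problems.append(f"{where}.snippet: must be an artifactContent object, got {type(snippet).__name__}")
        else:
            for key in sorted(set(snippet) - ARTIFACT_CONTENT_KEYS):
                problems.append(f"{where}.snippet.{key}: not allowed in artifactContent")
    message = region.get("message")
    if message is not None:
        if not isinstance(message, dict):
            problems.append(f"{where}.message: must be a message object, got {type(message).__name__}")
        else:
            for key in sorted(set(message) - MESSAGE_KEYS):
                problems.append(f"{where}.message.{key}: not allowed in message")
            if "text" not in message and "id" not in message:
                problems.append(f"{where}.message: must contain 'text' or 'id' (anyOf)")
    return problems


def iter_regions(doc: Dict[str, Any]) -> Iterator[Tuple[Dict[str, Any], str]]:
    """Yield (region, json-path) for every physicalLocation.region under results[].locations[]."""
    for r, run in enumerate(doc.get("runs", [])):
        for i, result in enumerate(run.get("results", [])):
            for j, loc in enumerate(result.get("locations", [])):
                region = loc.get("physicalLocation", {}).get("region")
                if region is not None:
                    yield region, f"runs[{r}].results[{i}].locations[{j}].physicalLocation.region"


def check_sarif(text: str) -> List[str]:
    """Check every region in a SARIF log (given as JSON text) and return all problems found."""
    doc = json.loads(text)
    problems: List[str] = []
    for region, where in iter_regions(doc):
        problems.extend(check_region(region, where))
    return problems


def fix_regions(text: str) -> str:
    """Wrap string-valued snippet/message into the object forms the schema expects."""
    doc = json.loads(text)
    for region, _ in iter_regions(doc):
        if isinstance(region.get("snippet"), str):
            region["snippet"] = {"text": region["snippet"]}     # artifactContent.text
        if isinstance(region.get("message"), str):
            region["message"] = {"text": region["message"]}     # message.text
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for problem in check_sarif(BAD_SARIF_TEXT):
        print("problem:", problem)
    print("after fix:", check_sarif(fix_regions(BAD_SARIF_TEXT)) or "no problems")
```

Run as-is, the checker flags exactly the two string-valued fields from the constructed input; after `fix_regions` the same log passes. The `anyOf` check on `message` matters because a consumer that parses the object form still rejects an empty `{}`; emitting `{"text": ...}` satisfies both the type and the `required` constraint.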

Labels: bug