SARIF and source Viewing in VS Code#

Introduction#

Lattix has the ability to output some of its reports in SARIF format (Static Analysis Results Interchange Format), and this includes the information in the Lattix project about the files participating in the Lattix analysis.

One commonly used tool for viewing code is VS Code (Visual Studio Code from Microsoft), together with the SARIF Viewer extension for VS Code from Microsoft DevLabs.

Using the SARIF Viewer extension from within VS Code, it is possible to configure VS Code and Lattix to navigate directly to the source code appearing in the Lattix reports.

Creating SARIF Reports#

Currently three Lattix report types can be output to SARIF format: Impact, Violations and Violations With Lines. You can output these reports in SARIF format in Lattix Architect or on the command line.

The Impact and Violations reports are part of a standard Lattix installation. The Violations With Lines report is available in the scripts_extra directory of your Lattix installation and can be installed following the instructions here: Installing and Running Scripts.

SARIF Export in Lattix Architect#

  1. Generate the report.

  • Impact: Reports-> Impact Report…

  • Violations: Reports-> Other Reports…-> Violations

  • Violations With Lines: Reports-> Custom Reports…-> Violations with Line Numbers (only available after manual installation of the Violations With Lines script from the scripts_extra directory of your Lattix installation, see Installing and Running Scripts)

  2. Export the report

Click on the “Save Report” link within the Actions section of the report homepage. Choose “SARIF File” in the save dialog dropdown. Alternatively you can bring up the same dialog by selecting the report in the Navigator panel and going to Reports-> Export.


SARIF Export on the command line#

A report can be generated and output in SARIF format in one step using LDCReport. An example command line would be:

ldcreport <ProjectFilename.ldz> -report:sarif -violations -reportFile:<ReportFilename.sarif>

Viewing the Report and Sources it References#

Within the SARIF file, each file reference is expressed as a SARIF physicalLocation object, for example:

"locations": [
  {
    "physicalLocation": {
      "artifactLocation": {
        "uri": "org/apache/poi/ddf/AbstractEscherOptRecord.java",
        "description": {
          "text": "Used By"
        }
      }
    }
  },
  {
    "physicalLocation": {
      "artifactLocation": {
        "uri": "org/apache/poi/ddf/EscherRecord.java",
        "description": {
          "text": "Subsystem"
        }
      }
    }
  }
]

For Java projects, as in this example, the locations generally contain file paths relative to the root of the source tree. Other module types may contain full pathnames.

Below is an example of how the file, AbstractEscherOptRecord.java appears in the SARIF Viewer extension within VS Code.

[Screenshot: AbstractEscherOptRecord.java as shown in the SARIF Viewer extension within VS Code]

You can click on the file reference to open the source file. The first time you click, you will need to tell VS Code where the root of that source tree is on your machine; VS Code will then open the file and remember where the source tree is located.


After that, VS Code will be able to open any of the files in that source tree, directly.

External Viewer Configuration is sometimes needed#

With some projects, you may also need to use Lattix Architect’s External Viewer Configuration, found as part of Configuring Preferences. If you have a project, such as a Clang project, where the file path stored in the Lattix project is the full path on the machine where the project was built, you may need to add Source Directory Map entries within the External Viewer Configuration so that those paths can be resolved on your machine.
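As an added example (not Lattix's code and not part of this documentation), the following Python script walks the result locations of a SARIF file, pulls out each artifactLocation uri, and separates the relative paths that VS Code can open once it knows the source-tree root from the full pathnames that need a Source Directory Map style mapping. The SARIF document and the build-machine path it contains are constructed for the example, and the source_dir_map dictionary is an assumed stand-in for a Source Directory Map entry, not Lattix's own format.

```python
import json
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample modelled on the physicalLocation fragment above: a Java result
# with relative URIs, plus a Clang-style result carrying a full path from the build
# machine (hypothetical path, not taken from any real project).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"message": {"text": "Violation"}, "locations": [
        {"physicalLocation": {"artifactLocation": {
            "uri": "org/apache/poi/ddf/AbstractEscherOptRecord.java",
            "description": {"text": "Used By"}}}},
        {"physicalLocation": {"artifactLocation": {
            "uri": "org/apache/poi/ddf/EscherRecord.java",
            "description": {"text": "Subsystem"}}}}]},
    {"message": {"text": "Violation"}, "locations": [
        {"physicalLocation": {"artifactLocation": {
            "uri": "/home/build/proj/src/escher.cpp",
            "description": {"text": "Used By"}}}}]}]}]})

def artifact_uris(sarif_text):
    """Yield (description, uri) for every physicalLocation in every result."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                if "uri" in art:
                    yield art.get("description", {}).get("text", ""), art["uri"]

def is_full_pathname(uri):
    """file: URIs, POSIX absolute paths and Windows drive paths count as full pathnames."""
    return (uri.startswith("file:") or PurePosixPath(uri).is_absolute()
            or PureWindowsPath(uri).is_absolute())

def classify(sarif_text, source_dir_map):
    """Return {uri: (kind, path to open)} where kind is "relative", "mapped" or "unmapped".
    source_dir_map is {build-machine prefix: local root}, like a Source Directory Map entry.
    """
    out = {}
    for _desc, uri in artifact_uris(sarif_text):
        if not is_full_pathname(uri):
            out[uri] = ("relative", uri)  # VS Code only needs the source-tree root
            continue
        for prefix, local_root in source_dir_map.items():
            if uri.startswith(prefix):
                out[uri] = ("mapped", local_root + uri[len(prefix):])
                break
        else:
            out[uri] = ("unmapped", uri)  # needs a Source Directory Map entry
    return out
```

Running classify over a real Lattix export before opening it in VS Code tells you up front which entries will resolve from the source root alone and which full pathnames still need a mapping.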