Skip to content

feat(cli): SARIF surface for .own flow diagnostics (check --format sarif)#165

Merged
PhysShell merged 1 commit into
mainfrom
claude/ownnet-execution-surfaces-adr-8kyc0n
Jul 3, 2026
Merged

feat(cli): SARIF surface for .own flow diagnostics (check --format sarif)#165
PhysShell merged 1 commit into
mainfrom
claude/ownnet-execution-surfaces-adr-8kyc0n

Conversation

@PhysShell

Copy link
Copy Markdown
Owner

Что и зачем

Продолжение execution-surfaces ADR (§3.1). Follow-up к #164: там evidence подключилась к flow-анализу, но доходила только до human-вывода check. SARIF был лишь для C#/OwnIR-пути (ownir --format sarif над ownir.Finding), поэтому .own-диагностики попадали в GitHub code scanning без evidence.

Добавляет ownlang/diag_sarif.py: маппит каждый Diagnostic в SARIF 2.1.0 result и проецирует его evidence через те же билдеры ownlang.evidence (related_locations + упорядоченный code_flow) — тот же словарь relatedLocations/codeFlows, что и OwnIR-путь. Подключено к check --format sarif (human по умолчанию). github/msbuild остаются ownir-only (это per-finding рендереры Finding, не Diagnostic); --severity/--verbosity тоже ownir-only. Семантику анализатора не меняли.

Тип изменения

  • feat — новая возможность
  • fix — исправление бага
  • docs — документация
  • refactor / chore / test / ci — без изменения поведения

Как проверено

  • python tests/run_tests.py — зелёный (добавлен tests/test_diag_sarif.py: log-shape, evidence→relatedLocations+codeFlows, empty-evidence без ключей, no-empty-artifactLocation.uri, severity→level; свёрнут в аггрегатор)
  • ruff check . и mypy — чисто (incl. новый модуль), без новых # type: ignore
  • CLI end-to-end: check f.own --format sarif (OWN015/OWN001), exit-коды, отклонение --format github/--severity на check, --format= equals-форма, dispatch остальных команд

Связанные issue

Нет связанного issue. Follow-up к #164 (execution-surfaces ADR).

Чеклист

  • изменение покрыто тестом/селфтестом — tests/test_diag_sarif.py
  • README/docs обновлены — docs/notes/sarif-export.md (секция про .own flow-diagnostic SARIF) + usage в __main__ docstring
  • коммиты в conventional-commit стиле (feat:)

🤖 Generated with Claude Code


Generated by Claude Code

…rif)

The C# extractor path emits SARIF via ownir.build_sarif; the .own flow
diagnostics had no SARIF surface, so their structured Diagnostic.evidence
(acquire->escape / move->use / leak acquire site) reached only the human
`check` render, never GitHub code scanning. Add ownlang/diag_sarif.py: it
maps each Diagnostic to a SARIF 2.1.0 result and projects its evidence
through the shared ownlang.evidence builders (relatedLocations + ordered
codeFlows) — the same vocabulary the OwnIR path speaks.

Wire it to `check --format sarif` (human default). --format is relaxed
from ownir-only to also accept human|sarif on check; github/msbuild stay
ownir-only (they render a Finding, not a Diagnostic), and
--severity/--verbosity stay ownir-only. Adds tests/test_diag_sarif.py
(log shape, evidence->relatedLocations+codeFlows, empty-evidence carries
neither, no empty artifactLocation.uri, severity->level) folded into
run_tests.py, plus a docs/notes/sarif-export.md section.

Realizes execution-surfaces ADR §3.1. No analyzer semantics change. Gate
green: run_tests, ruff, mypy ownlang; no new type: ignore.
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@PhysShell, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 10 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 584a12da-e9af-4626-bab3-570632e0e78f

📥 Commits

Reviewing files that changed from the base of the PR and between ed21e80 and e0ece89.

📒 Files selected for processing (5)
  • docs/notes/sarif-export.md
  • ownlang/__main__.py
  • ownlang/diag_sarif.py
  • tests/run_tests.py
  • tests/test_diag_sarif.py
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/ownnet-execution-surfaces-adr-8kyc0n

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copy link
Copy Markdown
Owner Author

@coderabbitai review
@codex review

New surface — check --format sarif projects .own flow diagnostics into SARIF 2.1.0 for GitHub code scanning. Focus areas:

  • ownlang/diag_sarif.py: the Diagnostic → result mapping and evidence projection through the shared ownlang.evidence builders (related_locations / code_flow) — same shape as the OwnIR path; is the SARIF well-formed (no empty artifactLocation.uri, correct codeFlows/relatedLocations, level mapping)?
  • ownlang/__main__.py: the relaxed --format gate — check now accepts human|sarif; github/msbuild and --severity/--verbosity stay ownir-only. Any dispatch/rejection edge cases?
  • Purely additive — no analyzer semantics change; gate green (run_tests, ruff, mypy ownlang, no new # type: ignore).

Generated by Claude Code

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr view 165 --repo PhysShell/Own.NET --json title,body,files -q '.files[].path'
echo "---DIFF---"
gh pr diff 165 --repo PhysShell/Own.NET

Length of output: 19336


🏁 Script executed:

#!/bin/bash
set -euo pipefail
cd $(mktemp -d)
gh repo clone PhysShell/Own.NET . -- -q
git fetch origin pull/165/head:pr165 -q
git checkout pr165 -q
echo "---evidence.py---"
cat -n ownlang/evidence.py
echo "---diagnostics.py (relevant parts)---"
sed -n '1,80p' ownlang/diagnostics.py
echo "---search Evidence class---"
rg -n "class Evidence" -A 15 ownlang/diagnostics.py
echo "---search resource_kind---"
rg -n "resource_kind" ownlang/diagnostics.py

Length of output: 11660


🏁 Script executed:

#!/bin/bash
set -euo pipefail
cd $(mktemp -d)
gh repo clone PhysShell/Own.NET . -- -q
git fetch origin pull/165/head:pr165 -q
git checkout pr165 -q
sed -n '1,60p' ownlang/__main__.py
echo "---main func full---"
sed -n '360,470p' ownlang/__main__.py

Length of output: 7617


🏁 Script executed:

#!/bin/bash
set -euo pipefail
cd $(mktemp -d)
gh repo clone PhysShell/Own.NET . -- -q
git fetch origin pull/165/head:pr165 -q
git checkout pr165 -q
sed -n '80,110p' ownlang/__main__.py
rg -n "_FORMATS|_SEVERITIES|_VERBOSITY" ownlang/__main__.py

Length of output: 2103


This all checks out well — the implementation is solid. Confirmed:

  • ownlang/diag_sarif.py: _steps() correctly resolves Evidence.file is None → the diagnostic's own filename before calling the shared related_locations/code_flow builders, so the "no empty artifactLocation.uri" invariant holds (matches ownlang/evidence.py's own drop-if-empty guard as a second line of defense). level mapping correctly defers to d.severity is Severity.WARNING even when the CLI's --severity stays at its "error" default. rules[] catalogue is built from the sorted set of codes present, mirroring ownir.build_sarif. Region is only added when d.line >= 1, consistent with evidence.py's own convention.
  • ownlang/__main__.py: the gate correctly layers a general _FORMATS check first, then narrows for cmd == "check" to {human, sarif}, and rejects --severity/--verbosity presence via seen - {"--format"}. github/msbuird are properly excluded for check (accepted globally by _FORMATS but rejected in the second, command-specific check) — good defense in depth. Dispatch (cmd_check(path, fmt, severity)) and the exit-code contract (1 if errors else 0) is preserved identically between the human and sarif branches.
  • tests/test_diag_sarif.py exercises exactly the claimed cases: OWN015 escape (relatedLocations + codeFlows mirroring), OWN001 leak (acquire-site flow), an evidence-free OWN003 double-release (no keys emitted), the empty-URI invariant across both logs, and the severity→level override. The _all_uris recursive walk is a good touch for catching stray empty URIs anywhere in the nested structure, not just at the top level.

One minor observation (not a blocker): build_sarif's severity parameter is fully wired end-to-end from cmd_check, but since --severity can never be set for check (it's rejected at the gate), in practice it will always be "error" when invoked from the CLI — so the severity == "warning" branch in _result() is currently only reachable via direct calls to build_sarif (as the test does) rather than through the CLI. That's consistent with the stated design (severity is presentation-only and ownir-scoped), so it's not a defect, just worth noting for anyone wondering why the parameter exists.

Everything else — schema/version, driver/rules shape, per-result ruleId/level/message/locations, and the docs update in docs/notes/sarif-export.md — lines up with the PR objectives. No analyzer semantics were touched. Nice, clean follow-up to #164.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. You're on a roll.

Reviewed commit: e0ece89d94

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@PhysShell
PhysShell merged commit 6f633a4 into main Jul 3, 2026
29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants