feat(sarif): emit SARIF 2.1.0 + let the oracle read own-check through it#42
Conversation
Add `own-check … --format sarif`, a SARIF 2.1.0 log alongside human/github/ msbuild, and teach scripts/oracle_compare.py to ingest own-check SARIF through the SAME parse_sarif it already uses for Infer#/CodeQL — retiring the bespoke own-check text parser from the oracle's critical path (the parser-drift class of bug that silently dropped findings on the ScreenToGif run). Slice 1 — emitter (ownlang/ownir.py): build_sarif(findings, severity) builds one run whose tool.driver is Own.NET (rules catalogue = the OWN codes present, titled from diagnostics.TITLES) and one result per finding (ruleId = OWN code, C# file/line as physicalLocation, message with the [resource:] tag, kind + subscription triple in properties). Wired as a fourth --format; JSON to stdout, summary to stderr, exit code unchanged. SARIF's note level carries advisory OWN050 (a coverage skip, not a warning-tier leak) — semantics the flat surfaces cannot express. Slice 2 — oracle ingestion (scripts/oracle_compare.py): build_own sniffs SARIF vs text; _oracle_class classifies tool=="own" by OWN code so the two own input formats bucket identically. Selftest pins a hand-built own-SARIF case (23/23); tests/test_ownir.py pins the real round-trip build_sarif -> parse_sarif -> leak (88/88). ruff + mypy --strict clean. Realizes the first step of the SARIF-exporter backlog item; design + follow-ups (flip oracle.yml to feed SARIF, mine_report parser->aggregator, code-scanning upload) in docs/notes/sarif-export.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Rg8kSk1YT14x7A1vo5zgED
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds SARIF 2.1.0 output support to ChangesSARIF Export and Oracle Integration
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/notes/sarif-export.md`:
- Around line 13-14: The phrase "dropped 38 of ~36 findings" on line 13 contains
contradictory numbers where the dropped count exceeds the total findings count.
Correct this inconsistency by either reducing the number of dropped findings to
be less than or equal to the total, or by increasing the total findings count to
be greater than the dropped count, ensuring the statement becomes logically
consistent and unambiguous.
In `@scripts/oracle_compare.py`:
- Around line 148-149: The condition checking if text starts with "{" currently
treats any JSON as SARIF and returns parse_sarif with unparsed=0, which can mask
invalid input. Instead of relying solely on the opening brace, validate that the
JSON contains the required SARIF structure (such as checking for the presence of
a "runs" key) before calling parse_sarif with unparsed=0. If the JSON does not
conform to the SARIF schema, fall back to text-based parsing instead to avoid
returning zero findings for malformed input.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 80ddc037-ac58-4914-8781-1254960edf9e
📒 Files selected for processing (6)
docs/notes/oracle.mddocs/notes/sarif-export.mdownlang/__main__.pyownlang/ownir.pyscripts/oracle_compare.pytests/test_ownir.py
Addresses the two CodeRabbit review comments on #42. - oracle_compare.build_own: a leading `{` no longer blindly means SARIF. Parse and require a `runs` array before routing to parse_sarif; otherwise (a wrong file or malformed JSON) fall through to the text parser, so bad input surfaces as unparsed drift instead of a silent "0 findings, clean" — and a malformed-JSON crash is avoided too. Pinned by a new selftest case (24/24). - docs/notes/sarif-export.md: "dropped 38 of ~36 findings" was self-contradictory; the real incident is 38 lines left unparsed, so only 3 of ~36 findings reached the diff. ruff + mypy --strict clean; ownir 88/88; oracle selftest 24/24. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Rg8kSk1YT14x7A1vo5zgED
Add
own-check … --format sarif, a SARIF 2.1.0 log alongside human/github/msbuild, and teach scripts/oracle_compare.py to ingest own-check SARIF through
the SAME parse_sarif it already uses for Infer#/CodeQL — retiring the bespoke
own-check text parser from the oracle's critical path (the parser-drift class of
bug that silently dropped findings on the ScreenToGif run).
Slice 1 — emitter (ownlang/ownir.py): build_sarif(findings, severity) builds one
run whose tool.driver is Own.NET (rules catalogue = the OWN codes present, titled
from diagnostics.TITLES) and one result per finding (ruleId = OWN code, C#
file/line as physicalLocation, message with the [resource:] tag, kind +
subscription triple in properties). Wired as a fourth --format; JSON to stdout,
summary to stderr, exit code unchanged. SARIF's note level carries advisory
OWN050 (a coverage skip, not a warning-tier leak) — semantics the flat surfaces
cannot express.
Slice 2 — oracle ingestion (scripts/oracle_compare.py): build_own sniffs SARIF
vs text; _oracle_class classifies tool=="own" by OWN code so the two own input
formats bucket identically. Selftest pins a hand-built own-SARIF case (23/23);
tests/test_ownir.py pins the real round-trip build_sarif -> parse_sarif -> leak
(88/88). ruff + mypy --strict clean.
Realizes the first step of the SARIF-exporter backlog item; design + follow-ups
(flip oracle.yml to feed SARIF, mine_report parser->aggregator, code-scanning
upload) in docs/notes/sarif-export.md.
Co-Authored-By: Claude Opus 4.8 (1M context) noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01Rg8kSk1YT14x7A1vo5zgED
Summary by CodeRabbit
Release Notes
New Features
ownlang(--format sarif).Documentation
Bug Fixes / Reliability
Tests