sarifLog object run object toolComponent object reportingDescriptor object result object location object physicalLocation object logicalLocation object fix object

Supported SARIF properties

Static Analysis Results Interchange Format (SARIF) is an output file format which is available in software composition analysis (SCA) and static analysis reports in Amazon CodeCatalyst. The following example shows how to manually configure SARIF in a static analysis report:


Reports:
MySAReport:
Format: SARIFSA
IncludePaths:
    - output/sa_report.json
SuccessCriteria:
    StaticAnalysisFinding:
    Number: 25
    Severity: HIGH

CodeCatalyst supports the following SARIF properties which can be used to optimize how the analysis results will appear in your reports.

`sarifLog` object

Name	Required	Description
`$schema`	Yes	The URI of the SARIF JSON schema for version 2.1.0.
`version`	Yes	CodeCatalyst only supports SARIF version 2.1.0.
`runs[]`	Yes	A SARIF file contains an array of one or more runs, each of which represents a single run of the analysis tool.

`run` object

Name	Required	Description
`tool.driver`	Yes	A `toolComponent` object that describes the analysis tool.
`tool.name`	No	A property that indicates the name of the tool used to perform analysis.
`results[]`	Yes	The results of the analysis tool that are displayed on CodeCatalyst.

`toolComponent` object

Name	Required	Description
`name`	Yes	The name of the analysis tool.
`properties.artifactScanned`	No	A total number of artifacts analyzed by the tool.
`rules[]`	Yes	An array of `reportingDescriptor` objects that represent rules. Based on these rules, the analysis tool finds problems in the code that is analyzed.

`reportingDescriptor` object

Name	Required	Description
`id`	Yes	The unique identifier for the rule that is used to reference a finding. Maximum length: 1,024 characters
`name`	No	The display name of the rule. Maximum length: 1,024 characters
`shortDescription.text`	No	A shortened description of the rule. Maximum length: 3,000 characters
`fullDescription.text`	No	A complete description of the rule. Maximum length: 3,000 characters
`helpUri`	No	A string that can be localized to contain the absolute URI of the primary documentation for the rule. Maximum length: 3,000 characters
`properties.unscore`	No	A flag that indicates if the scan finding has been scored.
`properties.score.severity`	No	A fixed set of strings that specify the severity level of the finding. Maximum length: 1,024 characters
`properties.cvssv3_baseSeverity`	No	A qualitative severity rating of Common Vulnerability Scoring System v3.1.
`properties.cvssv3_baseScore`	No	A CVSS v3 Base Score ranging from 0.0 - 10.0.
`properties.cvssv2_severity`	No	If CVSS v3 values are not available, CodeCatalyst searches for CVSS v2 values.
`properties.cvssv2_score`	No	A CVSS v2 Base Score ranging from 0.0 - 10.0.
`properties.severity`	No	A fixed set of strings that specify the severity level of the finding. Maximum length: 1,024 characters
`defaultConfiguration.level`	No	The default severity of a rule.

`result` object

Name	Required	Description
`ruleId`	Yes	The unique identifier for the rule that is used to reference a finding. Maximum length: 1,024 characters
`ruleIndex`	Yes	The index of the associated rule in the tool component `rules[]`.
`message.text`	Yes	A message that describes the result and displays the message for each finding. Maximum length: 3,000 characters
`rank`	No	A value between 0.0 to 100.0 inclusive that represents the priority or importance of the result. This scale values 0.0 being the lowest priority and 100.0 being the highest priority.
`level`	No	The severity of the result. Maximum length: 1,024 characters
`properties.unscore`	No	A flag that indicates if the scan finding has been scored.
`properties.score.severity`	No	A fixed set of strings that specify the severity level of the finding. Maximum length: 1,024 characters
`properties.cvssv3_baseSeverity`	No	A qualitative severity rating of Common Vulnerability Scoring System v3.1.
`properties.cvssv3_baseScore`	No	A CVSS v3 Base Score ranging from 0.0 - 10.0.
`properties.cvssv2_severity`	No	If CVSS v3 values are not available, CodeCatalyst searches for CVSS v2 values.
`properties.cvssv2_score`	No	A CVSS v2 Base Score ranging from 0.0 - 10.0.
`properties.severity`	No	A fixed set of strings that specify the severity level of the finding. Maximum length: 1,024 characters
`locations[]`	Yes	The set of locations where the result was detected. Only one location should be included unless the problem can only be corrected by making a change at every specified location. CodeCatalyst uses the first value in the location array to annotate the result. Maximum number of `location` objects: 10
`relatedLocations[]`	No	A list of additional locations references in the finding. Maximum number of `location` objects: 50
`fixes[]`	No	An array of `fix` objects that represent the recommendation provided by the scanning tool. CodeCatalyst uses the first recommendation in the `fixes` array.

`location` object

Name	Required	Description
`physicalLocation`	Yes	Identifies the artifact and region.
`logicalLocations[]`	No	The set of locations described by name without reference to the artifact.

`physicalLocation` object

Name	Required	Description
`artifactLocation.uri`	Yes	The URI indicating the location of an artifact, usually a file either in the repository or generated during a build.
`fileLocation.uri`	No	The fall back URI indicating the location of the file. This is used if `artifactLocation.uri` returns empty.
`region.startLine`	Yes	The line number of the first character in the region.
`region.startColumn`	Yes	The column number of the first character in the region.
`region.endLine`	Yes	The line number of the last character in the region.
`region.endColumn`	Yes	The column number of the last character in the region.

`logicalLocation` object

Name Required Description

Name	Required	Description
`fullyQualifiedName`	No	Additional information that describes the location of the result. Maximum length: 1,024 characters

fullyQualifiedName

Additional information that describes the location of the result.

Maximum length: 1,024 characters

`fix` object

Name Required Description

Name	Required	Description
`description.text`	No	A message that displays a recommendation for each finding. Maximum length: 3,000 characters
`artifactChanges.[0].artifactLocation.uri`	No	The URI indicating the location of the artifact that needs to be updated.

description.text

A message that displays a recommendation for each finding.

Maximum length: 3,000 characters

artifactChanges.[0].artifactLocation.uri

The URI indicating the location of the artifact that needs to be updated.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Best practices for testing

Deploying with workflows