I think it would be helpful for interoperability of SARIF producers and
consumers to have a public, redistributable repository of example sarif
files.
I've had a go at creating one here:
https://github.com/davidmalcolm/sarif-examples
It has examples of
* malformed JSON
* invalid SARIF 2.1
* valid SARIF 2.1
* valid SARIF 2.2-experimental (aka prerelease)
from various producers/organizations, organized in a subdirectory
structure.
There are some notes and TODOs in the README.rst there. In particular:
* what licensing should be allowed? (I'd like to ensure that the entire
repo is redistributable)
* it would be good to add examples of valid/invalid sarif to the repo
whenever we resolve an issue in the spec
* should we allow some form of inline comments in the .sarif files?
(which could be stripped out by a preprocessor) Right now I'm putting
commentary about the examples (re licensing, provenance, intent/aspects
of interest) in README.rst files in the same directory. But the spec
has #-to-end-of-line comments in examples, and in GCC's test suite I'm
using C and C++ style comments (for directives to the test suite).
I've filed
https://github.com/oasis-tcs/sarif-spec/issues/677 to track
the overall idea; maybe we could discuss it at next week's TC meeting?
Thoughts?
Dave
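
The preprocessor idea raised in the message above, sketched as an added example (not code from the message or from the sarif-examples repository): it strips the three comment styles the message mentions (`#`, `//`, `/* */`) while leaving JSON string contents untouched, then parses the result. The function names and the sample document are assumptions made for illustration.

```python
import json

def strip_comments(text):
    """Drop #, // and /* */ comments that lie outside JSON string literals."""
    out, i, n, in_string = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_string:
            # Copy string contents verbatim; an escape consumes the next char too.
            step = 2 if ch == "\\" and i + 1 < n else 1
            out.append(text[i:i + step])
            in_string = ch != '"'
            i += step
        elif ch == "#" or text.startswith("//", i):
            while i < n and text[i] != "\n":  # skip to end of line, keep the newline
                i += 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            if end == -1:
                raise ValueError("unterminated /* comment")
            # Keep newlines so line numbers in JSON parse errors still match the file.
            out.append("\n" * text.count("\n", i, end))
            i = end + 2
        else:
            in_string = ch == '"'
            out.append(ch)
            i += 1
    return "".join(out)

def load_annotated_sarif(text):
    """Parse a commented .sarif document (hypothetical helper)."""
    return json.loads(strip_comments(text))

# Constructed sample, not output from any real tool.
SAMPLE = '''# provenance: constructed for this example
{
  "version": "2.1.0",  // comment after a property
  "runs": [
    {
      "tool": { "driver": { "name": "example # not a comment" } },
      /* block comment
         spanning two lines */
      "results": [ { "message": { "text": "see http://example.com/a//b" } } ]
    }
  ]
}
'''
```

Comment markers inside string values (the `#` in the tool name and the `//` in the URL) survive, which is the case a naive regex-based stripper gets wrong.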