Generate reports for forges

[aj-stein-nist]

OK, this time I think I got the right repo. This is a little but more complicated than "just supporting a new output format" (see below) but it would give an increasing edge to make it perform like (ironically) the very specific static analysis tool it is.

SARIF is a standard worth considering.

Why consider it? For services like GitHub that we use now as I write and you type, we can have link information overlay on Markdown or HTML within the repo. One open source project has some screenshots of how it would look.

Yes, I think it would require tracking lines and offsets, but that also seems more generally useful (if not currently possible, gotta read the Rust code 😅).

Thoughts?

[mre]

I'm also one of the maintainers of analysis-tools.dev and I've never heard of SARIF. 😅 But it looks great!

Only problem is that we indeed don't support racking lines and offsets. We use html5gum, and there once was a PR for adding span support (line numbers, basically), but it did not get merged. Not sure if that's still on the roadmap. @untitaker fyi.

Apart from that I'm all for it.

[aj-stein-nist]

I'm also one of the maintainers of analysis-tools.dev and I've never heard of SARIF. 😅 But it looks great!

Dude, do you even sleep? lol

Only problem is that we indeed don't support racking lines and offsets. We use html5gum, and there once was a PR for adding span support (line numbers, basically), but it did not get merged. Not sure if that's still on the roadmap. @untitaker fyi.

Wow this comes full circle: we actually switched from hyperlink to lychee due to a small diff in feature set and lychee allows me to be lazy for non-local URLs. Hi untitaker! haha

I didn't realize they're making this library core to lychee, what a small world.

Apart from that I'm all for it.

OK, this is more a long-term desire and not urgent to me, I will see what I can do. Finally a small, manageable reason to learn Rust! haha

[untitaker]

hey @aj-stein-nist, if there are features missing from hyperlink that you'd like to see feel free to open feature requests in its repo. Although the scope of hyperlink is pretty narrow at the moment and is unlikely to expand to external links just like that, I'm always happy to discuss ideas.

yeah, html5gum currently doesn't support linenumbers. I believe it would not be too hard to add. though you can probably start building linenumber support for markdown files right now and leave HTML for later. honestly I believe linenumbers in HTML may be less interesting anyway, assuming most HTML is auto-generated.

haven't heard of SARIF either. a quick glance at the spec makes me think the format may be ridiculously complex to consume, though maybe easy enough to produce. from your link it seems that github also only supports a very specific subset of SARIF. that's probably what you want to orient yourself around then, instead of the official spec? but i haven't dived too much into it.

[autoantwort]

There is a simple tutorial to generate only the required subset: https://github.com/microsoft/sarif-tutorials

At a first step line numbers for html could simply be generated by searching for the dead link in the raw file content.

[mre]

Interesting crate: https://docs.rs/serde-sarif/latest/serde_sarif/

[thomas-zahner]

Note that JUnit reports are an alternative to the SARIF format. These JUnit reports are actually supported by both GitLab and GitHub, whereas SARIF is only supported by GitHub. So we might want to do JUnit instead. Though it's also possible to convert the SARIF format into the JUnit format.

At any rate it's clear that we would like to generate reports that are easily integrated into forges. (GitHub, GitLab and ideally more) If generating both formats is viable, we should settle for the one which is more widely integrated.