This is my first post to this list, so first, let me give a quick introduction. I'm VP of Engineering at GrammaTech, where I am in charge of an advanced static analysis tool named CodeSonar. It primarily works for C and C++, but also for x86, x64 and ARM binaries. We cover other languages by integrating with other tools (mostly open source). We don't have an integration with Pylint yet, but that's coming as described below.
I'm writing to let the community know of some work we will be doing that should benefit everyone. I think I know the best way forward, but I'd appreciate any words of wisdom and feedback on our approach.
SARIF stands for Static Analysis Results Interchange Format. It is a new standard that originated at Microsoft, and that is now under the OASIS umbrella (I'm on the TC): https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif. The idea is to make it easier for tools that produce results to integrate with tools that consume results. Our own tool is both a producer and a consumer. That is, it can import results from SARIF-compatible tools and show them in its user interface. Our strategy to make CodeSonar useful for other languages is through SARIF; we'll write converters to SARIF for the best-of-breed tools.
Consequently, we are planning to make it so that Pylint can produce SARIF. There are two good ways to do this.
1. The easiest thing to do is to simply run "pylint -f json ..." and write a simple program to convert the output to SARIF (data from "pylint --list-msgs" is also needed). We're doing this first. A nice thing about this approach is that it doesn't require any changes to Pylint. The disadvantage is that it's likely to be very sensitive to the particular version of Pylint used, e.g., if the format of those outputs changes. The plan is to contribute this to the SARIF SDK on GitHub.
2. The better long-term approach is to change pylint to add a new output format so one can do "pylint -f sarif ...". This way, everyone gets it. I'm not expecting this to be too difficult, although I concede that I haven't scrutinized the pylint code enough to know for sure.
I'm expecting #1 to appear within a couple of weeks, and to start work on #2 by the end of the month. I'd appreciate any input from interested parties.
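As an added illustration of approach #1 above (this is example code, not GrammaTech's converter or anything from the SARIF SDK): a minimal converter that takes "pylint -f json" output plus rule descriptions from "pylint --list-msgs" and emits a SARIF 2.1.0 log. The pylint sample, the "--list-msgs" excerpt and the schema URL are constructed/assumed for the demo; the field names follow pylint's JSON reporter and the SARIF 2.1.0 object model.

```python
import json

# Constructed sample of what "pylint -f json" prints (not output from a real project).
PYLINT_JSON = json.dumps([
    {"type": "error", "module": "app", "obj": "main", "line": 12, "column": 4,
     "endLine": 12, "endColumn": 15, "path": "app.py", "symbol": "undefined-variable",
     "message": "Undefined variable 'cfg'", "message-id": "E0602"},
    {"type": "convention", "module": "app", "obj": "", "line": 1, "column": 0,
     "endLine": None, "endColumn": None, "path": "app.py",
     "symbol": "missing-module-docstring", "message": "Missing module docstring",
     "message-id": "C0114"},
])

# Constructed excerpt of "pylint --list-msgs": message-id -> description used as the rule text.
LIST_MSGS = {
    "E0602": "Used when an undefined variable is accessed.",
    "C0114": "Used when a module has no docstring.",
}

# Pylint message categories -> SARIF result levels (none/note/warning/error).
LEVELS = {"fatal": "error", "error": "error", "warning": "warning",
          "convention": "note", "refactor": "note", "information": "note"}

def to_sarif(pylint_json: str, list_msgs: dict) -> dict:
    """Convert pylint JSON reporter output into a SARIF 2.1.0 log (single run)."""
    rules, results = {}, []
    for m in json.loads(pylint_json):
        rid = m["message-id"]
        # One reportingDescriptor per distinct message-id, in tool.driver.rules.
        rules.setdefault(rid, {"id": rid, "name": m["symbol"],
                               "shortDescription": {"text": list_msgs.get(rid, m["symbol"])}})
        # Pylint columns are 0-based; SARIF region columns are 1-based.
        region = {"startLine": m["line"], "startColumn": m["column"] + 1}
        if m.get("endLine") is not None:
            region["endLine"] = m["endLine"]
        if m.get("endColumn") is not None:
            region["endColumn"] = m["endColumn"] + 1
        results.append({
            "ruleId": rid,
            "level": LEVELS.get(m["type"], "warning"),
            "message": {"text": m["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": m["path"]}, "region": region}}],
        })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",  # assumed schema URL
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "pylint", "rules": list(rules.values())}},
                      "results": results}]}

if __name__ == "__main__":
    print(json.dumps(to_sarif(PYLINT_JSON, LIST_MSGS), indent=2))
```

For real use, replace PYLINT_JSON with the captured stdout of "pylint -f json" and build LIST_MSGS by parsing "pylint --list-msgs".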