[code-quality] Pylint and SARIF

Paul Anderson paul at grammatech.com
Mon Sep 3 10:59:45 EDT 2018

Hello everyone!

This is my first post to this list, so first, let me give a quick 
introduction. I'm VP of Engineering at GrammaTech, where I am in charge 
of an advanced static analysis tool named CodeSonar. It primarily works 
for C and C++, but also for x86, x64 and ARM binaries. We cover other 
languages by integrating with other tools (mostly open source). We don't 
have an integration with Pylint yet, but that's coming as described below.

I'm writing to let the community know of some work we will be doing that 
should benefit everyone. I think I know the best way forward, but I'd 
appreciate any words of wisdom and feedback on our approach.

SARIF stands for Static Analysis Results Interchange Format. It is a new 
standard that originated at Microsoft, and that is now under the OASIS 
umbrella (I'm on the TC): 
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif. The 
idea is to make it easier for tools that produce results to integrate 
with tools that consume results. Our own tool is both a producer and a 
consumer. That is, it can import results from SARIF-compatible tools and 
show them in its user interface. Our strategy to make CodeSonar useful 
for other languages is through SARIF; we'll write converters to SARIF 
for the best-of-breed tools.

Consequently, we are planning to make it so that Pylint can produce 
SARIF. There are two good ways to do this.

1. The easiest thing to do is to simply run "pylint -f json ..." and 
write a simple program to convert the output to SARIF (data from "pylint 
--list-msgs" is also needed). We're doing this first. A nice thing about 
this approach is that it doesn't require any changes to Pylint. The 
disadvantage is that it's likely to be very sensitive to the particular 
version of Pylint used, e.g., if the format of those outputs changes. The 
plan is to contribute this to the sarif SDK github.

2. The better long-term approach is to change pylint to add a new output 
format so one can do "pylint -f sarif ...". This way, everyone gets it. 
I'm not expecting this to be too difficult, although I concede that I 
haven't scrutinized the pylint code enough to know for sure.

I'm expecting #1 to appear within a couple of weeks, and to start work 
on #2 by the end of the month. I'd appreciate any input from interested 



Paul Anderson, VP of Engineering, GrammaTech, Inc.
531 Esty St., Ithaca, NY 14850
Tel: +1 607 273-7340 x118; http://www.grammatech.com
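A concrete sketch of approach #1, added here as an illustration (this is not GrammaTech's converter, nor code from the pylint project or the SARIF SDK): it parses constructed samples of `pylint -f json` output and `pylint --list-msgs` output and emits a SARIF log. It targets SARIF 2.1.0, the version OASIS later ratified, rather than the draft current at the time of the post; the pylint JSON field names, the message-category-to-level mapping, and the schema URL are assumptions to check against the pylint version actually in use. One detail worth getting right in any such converter: pylint reports 0-based columns, while SARIF's startColumn is 1-based.

```python
"""Convert `pylint -f json` output plus `pylint --list-msgs` metadata to SARIF 2.1.0.

Added example (assumes pylint 2.x JSON field names and SARIF 2.1.0); the
sample inputs below are constructed, not captured from a real run.
"""
import json
import re
from typing import Dict, List

# Constructed sample of `pylint -f json` output (pylint 2.x field names).
# Note: pylint's "column" is 0-based; SARIF's startColumn is 1-based.
SAMPLE_PYLINT_JSON = json.dumps([
    {"type": "warning", "module": "app", "obj": "", "line": 1, "column": 0,
     "path": "app.py", "symbol": "unused-import", "message": "Unused import os",
     "message-id": "W0611"},
    {"type": "convention", "module": "app", "obj": "main", "line": 4, "column": 0,
     "path": "app.py", "symbol": "missing-docstring",
     "message": "Missing function docstring", "message-id": "C0111"},
    {"type": "error", "module": "app", "obj": "main", "line": 6, "column": 11,
     "path": "app.py", "symbol": "undefined-variable",
     "message": "Undefined variable 'cfg'", "message-id": "E0602"},
])

# Constructed excerpt in the format `pylint --list-msgs` prints:
# a ":symbol (ID): *template*" header followed by indented description lines.
SAMPLE_LIST_MSGS = """\
:unused-import (W0611): *Unused %s*
  Used when an imported module or variable is not used.
:missing-docstring (C0111): *Missing %s docstring*
  Used when a module, function, class or method has no docstring.
  Some special methods like __init__ doesn't necessary require a docstring.
:undefined-variable (E0602): *Undefined variable %r*
  Used when an undefined variable is accessed.
"""

_HEADER = re.compile(r"^:(?P<symbol>[\w-]+) \((?P<id>[A-Z]\d{4})\): \*(?P<template>.*)\*$")

# pylint message categories -> SARIF result levels (assumed mapping).
_LEVELS = {"fatal": "error", "error": "error", "warning": "warning",
           "convention": "note", "refactor": "note", "info": "note"}


def parse_list_msgs(text: str) -> Dict[str, dict]:
    """Parse `pylint --list-msgs` output into {message-id: metadata}."""
    rules: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = {"symbol": m["symbol"], "template": m["template"], "description": []}
            rules[m["id"]] = current
        elif current is not None and line.startswith("  "):
            current["description"].append(line.strip())
    for meta in rules.values():
        meta["description"] = " ".join(meta["description"])
    return rules


def pylint_json_to_sarif(messages: List[dict], rules_meta: Dict[str, dict],
                         tool_version: str = "unknown") -> dict:
    """Build a SARIF 2.1.0 log; only rules that actually fired are listed."""
    rules: List[dict] = []
    rule_index: Dict[str, int] = {}
    results: List[dict] = []
    for msg in messages:
        rid = msg["message-id"]
        if rid not in rule_index:
            meta = rules_meta.get(rid, {})  # unknown IDs fall back to the message's own symbol
            rule = {"id": rid,
                    "name": meta.get("symbol", msg.get("symbol", rid)),
                    "shortDescription": {"text": meta.get("template", msg.get("symbol", rid))}}
            if meta.get("description"):
                rule["fullDescription"] = {"text": meta["description"]}
            rule_index[rid] = len(rules)
            rules.append(rule)
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": _LEVELS.get(msg["type"], "none"),
            "message": {"text": msg["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": msg["path"].replace("\\", "/")},
                "region": {"startLine": msg["line"], "startColumn": msg["column"] + 1},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "pylint", "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def convert(pylint_json_text: str, list_msgs_text: str) -> dict:
    """Take both raw tool outputs and return the SARIF log as a dict."""
    return pylint_json_to_sarif(json.loads(pylint_json_text), parse_list_msgs(list_msgs_text))


if __name__ == "__main__":
    print(json.dumps(convert(SAMPLE_PYLINT_JSON, SAMPLE_LIST_MSGS), indent=2))
```

In real use the two inputs would come from `pylint -f json <targets>` and `pylint --list-msgs` run with the same pylint installation, and the version string from `pylint --version` would be passed as tool_version; pinning that version is the practical mitigation for the fragility the post mentions, since the JSON keys and the --list-msgs layout are exactly what a pylint upgrade can change.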
