[code-quality] Pylint and SARIF

Claudiu Popa pcmanticore at gmail.com
Mon Sep 3 11:25:30 EDT 2018


Hi Paul,

Nice to meet you.
Thank you for that link, I wasn't aware of this new standard.
It would be great to support it for pylint as well, and most likely
shouldn't be too difficult to add a custom reporter in the same vein
as the JSON reporter.
You can find some examples here:
https://github.com/PyCQA/pylint/tree/master/pylint/reporters

Cheers,
Claudiu

On 3 September 2018 at 16:59, Paul Anderson <paul at grammatech.com> wrote:
> Hello everyone!
>
> This is my first post to this list, so first, let me give a quick
> introduction. I'm VP of Engineering at GrammaTech, where I am in charge of
> an advanced static analysis tool named CodeSonar. It primarily works for C
> and C++, but also for x86, x64 and ARM binaries. We cover other languages by
> integrating with other tools (mostly open source). We don't have an
> integration with Pylint yet, but that's coming as described below.
>
> I'm writing to let the community know of some work we will be doing that
> should benefit everyone. I think I know the best way forward, but I'd
> appreciate any words of wisdom and feedback on our approach.
>
> SARIF stands for Static Analysis Results Interchange Format. It is a new
> standard that originated at Microsoft, and that is now under the OASIS
> umbrella (I'm on the TC):
> https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif. The idea
> is to make it easier for tools that produce results to integrate with tools
> that consume results. Our own tool is both a producer and a consumer. That
> is, it can import results from SARIF-compatible tools and show them in its
> user interface. Our strategy to make CodeSonar be useful for other languages
> is through SARIF; we'll write converters to SARIF for the best-of-breed
> tools.
>
> Consequently, we are planning to make it so that Pylint can produce SARIF.
> There are two good ways to do this.
>
> 1. The easiest thing to do is to simply run "pylint -f json ..." and write a
> simple program to convert the output to SARIF (data from "pylint
> --list-msgs" is also needed). We're doing this first. A nice thing about
> this approach is that it doesn't require any changes to Pylint. The
> disadvantage is that it's likely to be very sensitive to the particular
> version of Pylint used, e.g. if the format of those outputs changes. The
> plan is to contribute this to the sarif SDK github.
>
> 2. The better long-term approach is to change pylint to add a new output
> format so one can do "pylint -f sarif ...". This way, everyone gets it. I'm
> not expecting this to be too difficult, although I concede that I haven't
> scrutinized the pylint code enough to know for sure.
>
> I'm expecting #1 to appear within a couple of weeks, and to start work on #2
> by the end of the month. I'd appreciate any input from interested parties.
>
> Thanks,
>
> -Paul
>
> --
> Paul Anderson, VP of Engineering, GrammaTech, Inc.
> 531 Esty St., Ithaca, NY 14850
> Tel: +1 607 273-7340 x118; http://www.grammatech.com
>
> _______________________________________________
> code-quality mailing list
> code-quality at python.org
> https://mail.python.org/mailman/listinfo/code-quality
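The converter sketched in Paul's option 1 (turn `pylint -f json` output into SARIF), written out as an added example; this is not GrammaTech's converter nor pylint's own reporter, it targets SARIF 2.1.0 (an assumption, the thread names no version), and the pylint records are constructed sample data.

```python
import json

# Constructed sample of `pylint -f json` output (not real project data).
PYLINT_JSON = """[
  {"type": "convention", "module": "app", "obj": "", "line": 1, "column": 0,
   "path": "app.py", "symbol": "missing-module-docstring",
   "message": "Missing module docstring", "message-id": "C0114"},
  {"type": "error", "module": "app", "obj": "main", "line": 7, "column": 4,
   "path": "app.py", "symbol": "undefined-variable",
   "message": "Undefined variable 'confg'", "message-id": "E0602"},
  {"type": "convention", "module": "util", "obj": "", "line": 1, "column": 0,
   "path": "util.py", "symbol": "missing-module-docstring",
   "message": "Missing module docstring", "message-id": "C0114"}
]"""

# Pylint message categories mapped onto SARIF result levels.
LEVELS = {"fatal": "error", "error": "error", "warning": "warning",
          "convention": "note", "refactor": "note", "info": "note"}


def pylint_json_to_sarif(records):
    """Build a SARIF 2.1.0 log (assumed version) from parsed pylint records."""
    rules, rule_index, results = [], {}, []
    for rec in records:
        msg_id = rec["message-id"]
        if msg_id not in rule_index:        # one rule entry per message id
            rule_index[msg_id] = len(rules)
            rules.append({"id": msg_id, "name": rec["symbol"],
                          "shortDescription": {"text": rec["symbol"]}})
        results.append({
            "ruleId": msg_id,
            "ruleIndex": rule_index[msg_id],
            "level": LEVELS.get(rec["type"], "none"),
            "message": {"text": rec["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": rec["path"]},
                # SARIF columns are 1-based; pylint's are 0-based.
                "region": {"startLine": rec["line"],
                           "startColumn": rec["column"] + 1}}}],
        })
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "pylint", "rules": rules}},
                      "results": results}]}


def convert(text):
    """Parse raw `pylint -f json` text and return the SARIF log as a dict."""
    return pylint_json_to_sarif(json.loads(text))
```

Rule descriptions could be enriched from `pylint --list-msgs`, as Paul notes; this example only carries the symbol name.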
