feat: Add SARIF 2.1.0 report output with shared reporting layer

[Copilot]

• Understand codebase structure
• Create Core/Reporting/RuleSeverity.cs (renamed from SonarRuleSeverity)
• Create Core/Reporting/Rule.cs (renamed from RuleMetadata)
• Create Core/Reporting/RuleProvider.cs (renamed from RuleMetadataProvider, Create() returns tuple to eliminate duplicate error code keys, default MAJOR severity)
• Update all SonarRuleSeverity references to RuleSeverity
• Update SonarReporter.GetRuleDefinition() to use RuleProvider
• Create Core/SarifReporting/ with individual files per DTO, ISarifReporter.cs, SarifReporter.cs
• Wire SARIF into CLI (--sarif-report-file option, ValidatorRunnerOptions, Program.cs, ValidatorRunner.cs, ServiceCollectionExtensions.cs)
• Write SarifReporterTests (unit tests + snapshot tests, 16 new tests)
• Update README: --sarif-report-file section with SARIF intro, benefits, viewers with correct extension links
• Remove <remarks> from RuleSeverity; keep per-value <summary> with SARIF mapping
• Split SarifModels.cs into separate files
• Update rule names: "SLNX file not found", "Invalid solution file extension", "SLNX file is not a text file"
• Fix: Visual Studio requires SARIF Viewer extension (not built-in); corrected link and wording
• All 88 tests passing

Original prompt

Goal

Add SARIF (Static Analysis Results Interchange Format) report output support to slnx-validator, following "Option A" — extracting shared rule metadata and severity into a common reporting layer so there is zero duplication between the SonarQube and SARIF reporters.

Architecture changes

1. Extract shared reporting layer

Rename SonarRuleSeverity → RuleSeverity (the enum is already used as the universal severity across the entire app — in ValidatorRunnerOptions, SeverityOverridesParser, ValidationReporter, ValidatorRunner.IsFailingError() — so the rename is justified).

Create a new shared namespace/folder Core/Reporting/ with:

• RuleSeverity.cs — the renamed enum (values: BLOCKER, CRITICAL, MAJOR, MINOR, INFO)
• RuleMetadata.cs — a record holding the format-agnostic rule info: Id (string, e.g. "SLNX011"), Name (string), Description (string), DefaultSeverity (RuleSeverity)
• RuleMetadataProvider.cs — a static class with a Get(ValidationErrorCode) method containing the switch expression currently in SonarReporter.GetRuleDefinition(), but returning only the shared fields (no SonarQube-specific fields like CleanCodeAttribute, Type, Impacts)

Update all references from SonarRuleSeverity to RuleSeverity across the entire codebase:

• ValidatorRunnerOptions.cs
• SeverityOverridesParser.cs
• ValidationReporter.cs
• ValidatorRunner.cs
• ISonarReporter.cs
• SonarReporter.cs
• SonarRule.cs (keep a SonarQube-specific Severity property, but typed as RuleSeverity)
• All test files referencing SonarRuleSeverity

2. Update SonarReporter to use shared provider

SonarReporter.GetRuleDefinition() should use RuleMetadataProvider.Get(code) for the shared fields (Id, Name, Description, default Severity) and only add the SonarQube-specific fields itself (EngineId, CleanCodeAttribute, Type, Impacts).

The IsIgnored() helper logic is also needed by the SARIF reporter. Either extract it to a shared place, or keep it simple and let each reporter have its own trivial one-liner.

3. Add SARIF reporter

Create a new namespace/folder Core/SarifReporting/ with:

• SarifReporter.cs — implements a new ISarifReporter interface. Uses RuleMetadataProvider for rule metadata. Maps RuleSeverity to SARIF levels:
  • BLOCKER, CRITICAL, MAJOR → "error"
  • MINOR → "warning"
  • INFO → "note"
• SARIF model DTOs — the minimal set of records needed to produce a valid SARIF 2.1.0 JSON document:
  • SarifLog with $schema ("https://json.schemastore.org/sarif-2.1.0.json"), version ("2.1.0"), runs array
  • SarifRun with tool and results
  • SarifTool with driver
  • SarifToolComponent (driver) with name ("slnx-validator"), informationUri, rules array
  • SarifReportingDescriptor (rule) with id, shortDescription, fullDescription, defaultConfiguration (with level)
  • SarifResult with ruleId, level, message, locations
  • SarifLocation, SarifPhysicalLocation, SarifArtifactLocation, SarifRegion
  • SarifMessage with text
• ISarifReporter.cs — interface mirroring ISonarReporter pattern:

  Task WriteReportAsync(IReadOnlyList<FileValidationResult> results, string outputPath,
      IReadOnlyDictionary<ValidationErrorCode, RuleSeverity?>? severityOverrides = null);
  Task WriteReportAsync(IReadOnlyList<FileValidationResult> results, Stream outputStream,
      IReadOnlyDictionary<ValidationErrorCode, RuleSeverity?>? severityOverrides = null);

The file-writing pattern (create directory, open stream) should follow the same pattern as SonarReporter.

4. Wire up CLI

In Program.cs, add:

var sarifReportOption = new Option<string?>("--sarif-report-file")
{
    Description = "Write a SARIF v2.1.0 report to the specified file path."
};

Add it to the root command and pass it through to ValidatorRunnerOptions.

In ValidatorRunnerOptions.cs, add string? SarifReportPath.

In ValidatorRunner.RunAsync(), add the SARIF report writing block (same pattern as the SonarQube block):

if (options.SarifReportPath is not null)
{
    await sarifReporter.WriteReportAsync(results, options.SarifReportPath, overrides);
    var size = fileSystem.GetFileSize(options.SarifReportPath);
    Console.WriteLine($"SARIF report written to: {options.SarifReportPath} ({size} bytes)");
}

In ServiceCollectionExtensions.cs, register ISarifReporter → SarifReporter.

5. Tests

Add SarifReporterTests.cs in the test project, covering at minimum:

• No errors → empty results array
• With error → correct rule and result in output
• Error with line → region with startLine
• Error without line → no region
• Same error code twice → rule listed once
• Different error codes → multiple rules
• Severity override reflected in output
• Ignored code excluded from output
• Snapshot test if the project uses Verify

6. Update README.md docum...

This pull request was created from Copilot chat.

[304NotModified]

Create a helper to dedup. Use smart default to reduce duplications.

[Copilot]

Added a private Create() helper with RuleSeverity.MAJOR as the default parameter. All 7 MAJOR entries no longer repeat code.ToCode() or the explicit severity, and only the 2 MINOR entries pass an override. (024cddb)

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• marketplace.visualstudio.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[304NotModified]

Links give 404. See open code comments

[Copilot]

Links give 404. See open code comments

Fixed in 61baa80 — the 404 link (learn.microsoft.com/.../working-with-sarif-reports) was removed. The Visual Studio entry in the viewers list now links to the Microsoft SARIF Viewer extension on the VS Marketplace, and the benefits bullet no longer has a broken link.