Skip to content

Add SARIF output format to mix hex.audit#1203

Open
maennchen wants to merge 2 commits into
mainfrom
jm/audit-sarif
Open

Add SARIF output format to mix hex.audit#1203
maennchen wants to merge 2 commits into
mainfrom
jm/audit-sarif

Conversation

@maennchen

Copy link
Copy Markdown
Member

Add a --format sarif option that renders the audit result as a SARIF v2.1.0 document, plus an --output PATH option to write it to a file instead of stdout. This allows uploading audit findings to GitHub code scanning and other SARIF consumers; themoduledoc documents a complete GitHub Actions workflow using github/codeql-action/upload-sarif.

Retirements map to one rule per retirement reason (HEX0001 to HEX0005, with security retirements defaulting to level error) and advisories map to one rule per advisory identifier so each alert carries its own severity score, title and help link. Results are anchored to the dependency entry in mix.lock, relative to the git repository root when available, with region and context region snippets. The run includes git-derived version control provenance (with credentials stripped from
the repository URL), stable partial fingerprints, and messages that carry both resolved text and template arguments. Ignored findings are included with a suppression so they show up as closed alerts.

The exit code behaves the same as with the human format. SARIF output requires the OTP 27 json module, matching mix hex.outdated --json.

Needs #1202

Hex.Shell.warn/1 wrote to stdout via Mix.shell().info/1, so warnings
like the expired-authentication notice or the stale mix.lock version
warning polluted machine-readable stdout output such as
`mix hex.outdated --json`. Route warn/1 through Mix.shell().error/1,
which prints to stderr, keeping the yellow warning color.

Warning-colored lines that are part of a command's regular stdout
output (the retirement reason in the `mix deps.get` dependency
listing and the retirement notice in `mix hex.info`) stay on stdout
and are now printed as yellow-formatted info lines instead.
Add a --format sarif option that renders the audit result as a SARIF
v2.1.0 document, plus an --output PATH option to write it to a file
instead of stdout. This allows uploading audit findings to GitHub code
scanning and other SARIF consumers; the moduledoc documents a complete
GitHub Actions workflow using github/codeql-action/upload-sarif.

Retirements map to one rule per retirement reason (HEX0001 to HEX0005,
with security retirements defaulting to level error) and advisories map
to one rule per advisory identifier so each alert carries its own
severity score, title and help link. Results are anchored to the
dependency entry in mix.lock, relative to the git repository root when
available, with region and context region snippets. The run includes
git-derived version control provenance (with credentials stripped from
the repository URL), stable partial fingerprints, and messages that
carry both resolved text and template arguments. Ignored findings are
included with a suppression so they show up as closed alerts.

The exit code behaves the same as with the human format. SARIF output
requires the OTP 27 :json module, matching mix hex.outdated --json.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant