https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116201
Bug ID: 116201
Summary: SARIF output doesn't properly reference the CWE taxonomy
Product: gcc
Version: unknown
Status: UNCONFIRMED
Keywords: SARIF
Severity: normal
Priority: P3
Component: other
Assignee: unassigned at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
We have:
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
std::unique_ptr<sarif_tool_component_reference>
sarif_builder::
make_tool_component_reference_object_for_cwe () const
{
  auto comp_ref_obj = ::make_unique<sarif_tool_component_reference> ();
  /* "name" property (SARIF v2.1.0 section 3.54.3). */
  comp_ref_obj->set_string ("name", "cwe");
  return comp_ref_obj;
}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
where name is lowercase "cwe" whereas in:
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
std::unique_ptr<sarif_tool_component>
sarif_builder::maybe_make_cwe_taxonomy_object () const
{
  if (m_cwe_id_set.is_empty ())
    return nullptr;
  auto taxonomy_obj = ::make_unique<sarif_tool_component> ();
  /* "name" property (SARIF v2.1.0 section 3.19.8). */
  taxonomy_obj->set_string ("name", "CWE");
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
the taxonomy object has uppercase name "CWE".
We should use uppercase for both for consistency.
That said, the spec says:
> 3.54.3 name property
>
> A toolComponentReference object MAY contain a property named name whose
> value is a string equal to theComponent.name (§3.19.8).
>
> NOTE: This property does not participate in the lookup, but its presence
> improves the readability of the log file at the expense of increased file
> size.
and so we should be using "index" or "guid" to establish the reference
(probably by adding an "index" property to the toolComponentReference).
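To show why the "name" mismatch matters less than the missing "index"/"guid", here is an added example (not GCC code, and not part of this report) that builds a constructed minimal SARIF 2.1.0 log with a CWE taxonomy in run.taxonomies and then resolves the result's toolComponentReference the way a consumer following section 3.54 would: "index" selects by position, "guid" matches the component's guid, and "name" is only checked for consistency. The driver name, rule id, taxon and GUID are placeholders invented for the example.

```python
import json

PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000001"  # constructed, not a real GUID


def make_sarif_log(ref_name, index=None, guid=None):
    """Build a minimal SARIF 2.1.0 log (constructed for this example, not GCC
    output) with one CWE taxonomy and one result whose taxa entry references it.
    ref_name/index/guid control what goes into the toolComponentReference."""
    component_ref = {"name": ref_name}
    if index is not None:
        component_ref["index"] = index
    if guid is not None:
        component_ref["guid"] = guid
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "example-driver"}},  # hypothetical driver
            "taxonomies": [{
                "name": "CWE",
                "guid": PLACEHOLDER_GUID,
                "taxa": [{"id": "476", "name": "NULL Pointer Dereference"}],
            }],
            "results": [{
                "ruleId": "example-null-deref",  # hypothetical rule id
                "message": {"text": "dereference of NULL pointer"},
                "taxa": [{"id": "476", "toolComponent": component_ref}],
            }],
        }],
    }


def resolve_tool_component(run, ref):
    """Resolve a toolComponentReference against run.taxonomies as a consumer
    following SARIF v2.1.0 section 3.54 would: 'index' selects by position,
    'guid' matches a component's guid, and 'name' alone does not participate."""
    taxonomies = run.get("taxonomies", [])
    if "index" in ref:
        idx = ref["index"]
        if isinstance(idx, int) and 0 <= idx < len(taxonomies):
            return taxonomies[idx]
        return None
    if "guid" in ref:
        return next((c for c in taxonomies if c.get("guid") == ref["guid"]), None)
    return None  # only "name" present: no lookup key, so the reference is dangling


def check_taxa_references(log):
    """Return a list of problems found in result.taxa references (empty if sound):
    unresolvable references, 'name' disagreeing with the resolved component's
    name (section 3.54.3), and taxon ids absent from the resolved taxonomy."""
    problems = []
    for r_idx, run in enumerate(log.get("runs", [])):
        for res_idx, result in enumerate(run.get("results", [])):
            for t_idx, taxon_ref in enumerate(result.get("taxa", [])):
                where = f"runs[{r_idx}].results[{res_idx}].taxa[{t_idx}]"
                comp_ref = taxon_ref.get("toolComponent", {})
                component = resolve_tool_component(run, comp_ref)
                if component is None:
                    problems.append(f"{where}: toolComponent {comp_ref!r} cannot be "
                                    "resolved (needs 'index' or 'guid')")
                    continue
                if "name" in comp_ref and comp_ref["name"] != component.get("name"):
                    problems.append(f"{where}: toolComponent name {comp_ref['name']!r} "
                                    f"!= taxonomy name {component.get('name')!r}")
                if not any(t.get("id") == taxon_ref.get("id")
                           for t in component.get("taxa", [])):
                    problems.append(f"{where}: taxon id {taxon_ref.get('id')!r} not found "
                                    f"in taxonomy {component.get('name')!r}")
    return problems


if __name__ == "__main__":
    # As reported: lowercase "cwe" and no index/guid, so a consumer cannot resolve it.
    print(check_taxa_references(make_sarif_log("cwe")))
    # Proposed shape: "index" establishes the link and "name" matches the taxonomy.
    fixed = make_sarif_log("CWE", index=0)
    print(check_taxa_references(fixed))
    print(json.dumps(fixed["runs"][0]["results"][0]["taxa"][0], indent=2))
```

Running the script reports one problem for the name-only reference and none once "index" is present; a reference carrying a matching "guid" instead of "index" also resolves, which is why either property is sufficient for the fix.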