SARIF Explorer is a VSCode extension that enables you to review static analysis results effectively and enjoyably. No more browsing .txt or .csv files.
Whether you are a developer or a code auditor, SARIF Explorer allows you to classify your tool's results as Bug or False Positive, add comments to the results, export the bugs you triaged, and much more (see Features below).
Install the extension by searching for SARIF Explorer in the VSCode Extensions browser. See the Build and install section below for how to build and install from code.
In the Results tab, the keyboard shortcuts are ArrowDown, ArrowUp, ArrowRight, ArrowLeft, and Backspace.
Open multiple files by clicking the button in the top bar and selecting multiple SARIF files. You can browse the list of opened SARIF files in the SARIF Files tab, where you can also close or reload a given SARIF file.
In the detailed view of the SARIF file, you can see its full path, the number of results it found, and which rules it ran on the code even if no results were found with that rule (if the tool produces a correct SARIF file). In this view, you can also modify the Base Folder associated with the SARIF file.
Opening a file with the .sarif extension in VSCode will also trigger SARIF Explorer to open it and show its results.
Browse all the opened results in the Results tab by opening a rule and clicking on a result. This will open the code location associated with the result.
In the detailed view of the result, you have more detailed information, including data flow information that you can browse from source to sink.
Classify a result with your mouse or with keyboard shortcuts.
Using the mouse: With a result selected, click the button to classify it as a Bug, the button to classify it as a False Positive, and the button to reset the classification to Todo. These buttons appear next to the result and in the result's detailed view.
Using the keyboard: To be more efficient, select a result and press the ArrowRight key to classify it as a Bug, the ArrowLeft key to classify it as a False Positive, and the Backspace key to reset the classification to Todo.
Filter by keywords by typing in the filter area in the top bar. The keyword search is case insensitive and matches against the result's display path, line number, message, associated SARIF file, comment, rule name, rule description, and the name of the tool that generated the result.
For more filtering options, open the filter menu by clicking the button in the top bar. Inside the filter menu, you have options to:
Example: you want to remove all results from the tests and third_party folders, and to see only results classified as Todo. You should:
- set Exclude Paths Containing to /tests/, /third_party
- set Status to show only Todo
NOTE: Filters do not get re-applied automatically when a result is updated; you need to click the button to refresh the filters. This design was chosen to prevent the UI from jumping around when you are classifying results or adding comments.
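The filtering rules above (case-insensitive keyword over the listed fields, path exclusion by substring, and classification status) can be exercised on a small SARIF log. The following is an added example, not code from the SARIF Explorer extension: it flattens a constructed SARIF 2.1.0 log into result rows, attaches a Base Folder to form display paths, and applies the three filters. The sample tool name, rule ids, file paths, base folder and the `status`/`comment` fields on each row are constructed for the example.

```javascript
// Added example (not SARIF Explorer's own code). Constructed SARIF 2.1.0 log
// with two rules and four results; paths are relative to the base folder.
const SAMPLE_SARIF = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "example-analyzer", rules: [
      { id: "js/sql-injection", shortDescription: { text: "SQL query built from user input" } },
      { id: "js/unused-var", shortDescription: { text: "Unused variable" } },
    ] } },
    results: [
      { ruleId: "js/sql-injection", level: "error", message: { text: "Query built from request parameter" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/db/query.js" }, region: { startLine: 42 } } }] },
      { ruleId: "js/sql-injection", level: "error", message: { text: "Query built from request parameter" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "tests/fixtures/query_test.js" }, region: { startLine: 7 } } }] },
      { ruleId: "js/unused-var", level: "warning", message: { text: "Variable 'tmp' is never read" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "third_party/lib/util.js" }, region: { startLine: 3 } } }] },
      { ruleId: "js/unused-var", message: { text: "Variable 'x' is never read" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/app.js" }, region: { startLine: 15 } } }] },
    ],
  }],
};

// Flatten runs[].results[] into one row per result. The display path is the
// base folder joined with the artifact URI, which is what the path filters see.
function flattenSarif(sarif, sarifFileName, baseFolder) {
  const rows = [];
  for (const run of sarif.runs) {
    const toolName = run.tool.driver.name;
    const rulesById = new Map((run.tool.driver.rules || []).map((r) => [r.id, r]));
    for (const result of run.results || []) {
      const rule = rulesById.get(result.ruleId);
      const loc = (result.locations && result.locations[0] && result.locations[0].physicalLocation) || {};
      const uri = loc.artifactLocation ? loc.artifactLocation.uri : "";
      rows.push({
        sarifFile: sarifFileName,
        tool: toolName,
        ruleId: result.ruleId,
        ruleDescription: rule && rule.shortDescription ? rule.shortDescription.text : "",
        level: result.level || "warning", // SARIF 2.1.0 default when level is absent
        message: result.message.text,
        path: uri ? `${baseFolder}/${uri}` : "",
        line: loc.region ? loc.region.startLine : 0,
        status: "Todo", // classification state lives next to the result (assumption)
        comment: "",
      });
    }
  }
  return rows;
}

// Case-insensitive substring match over the same fields the README lists.
function matchesKeyword(row, keyword) {
  if (!keyword) return true;
  const k = keyword.toLowerCase();
  const fields = [row.path, String(row.line), row.message, row.sarifFile,
                  row.comment, row.ruleId, row.ruleDescription, row.tool];
  return fields.some((f) => f.toLowerCase().includes(k));
}

// Turn the comma-separated "Exclude Paths Containing" text into substrings.
function parseExcludePaths(text) {
  return text.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// statuses === null means "show every classification".
function filterResults(rows, { keyword = "", excludePaths = [], statuses = null } = {}) {
  return rows.filter((row) =>
    matchesKeyword(row, keyword) &&
    !excludePaths.some((p) => row.path.includes(p)) &&
    (statuses === null || statuses.includes(row.status)));
}

// Usage mirroring the README's example: hide tests/ and third_party/, show only Todo.
const allRows = flattenSarif(SAMPLE_SARIF, "example.sarif", "/home/user/project");
allRows[3].status = "Bug"; // classify one result so the status filter has an effect
const todoOutsideTests = filterResults(allRows, {
  excludePaths: parseExcludePaths("/tests/, /third_party"),
  statuses: ["Todo"],
});
console.log(todoOutsideTests.map((r) => `${r.path}:${r.line} ${r.ruleId}`));
```

Note that the exclusion is a plain substring test on the display path, so "/tests/" with its slashes will not hide a folder named "unittests", while "/third_party" without a trailing slash also hides "third_party_extra"; choose the substrings accordingly.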
Copy a GitHub permalink to the location associated with the result. Do this by clicking the button next to a result or in the result's detailed view.
The permalink target repository will be chosen according to your weAudit configuration. This feature requires having weAudit installed.
Create a GitHub issue with data about your results. You can create two kinds of GitHub issues:
The GitHub issues will be created in a repository according to your weAudit configuration. This feature requires having weAudit installed.
Send all results classified as Bug to weAudit by clicking the button in the top bar. Results are automatically de-duplicated (on the weAudit side); so, if you classify a new Bug and resend all Bugs again, only the new one will be added.
For obvious reasons, this feature requires having weAudit installed.
Share the .sarifexplorer file with your colleagues (e.g., on GitHub) to share your comments and classified results. The file is a prettified JSON file, which helps resolve conflicts if more than one person writes to the file in parallel.
To build and install a new vsix file, run the following commands:
  npm install
  ./scripts/build_and_install.sh
The extension has two parts: the extension (the privileged part, which can read files from the filesystem and execute arbitrary Node.js code) and the Webview (the unprivileged part, responsible for drawing the UI). These two parts communicate with postMessage. Their code is split into different folders, each of which includes a README explaining its purpose.
The SARIF explorer file format is detailed in sarif_explorer_spec.md.