Fixed #14032 (SARIF: version should be the first property) (danmar#7975)

danmar · web-flow · commit 602da94d65ba · 2025-11-21T17:16:29.000+01:00
diff --git a/lib/sarifreport.cpp b/lib/sarifreport.cpp
@@ -25,6 +25,9 @@
 #include <set>
 #include <sstream>
 
+static const char sarifVersion[] = "2.1.0";
+static const char sarifSchema[] = "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json";
+
 void SarifReport::addFinding(ErrorMessage msg)
 {
     mFindings.push_back(std::move(msg));
@@ -180,11 +183,14 @@ std::string SarifReport::serialize(std::string productName) const
         version.erase(version.find(' '), std::string::npos);
 
     picojson::object doc;
-    doc["version"] = picojson::value("2.1.0");
-    doc["$schema"] = picojson::value("https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json");
+    doc["$schema"] = picojson::value(sarifSchema);
     doc["runs"] = serializeRuns(productName, version);
 
-    return picojson::value(doc).serialize(true);
+    // Insert "version" property at the start.
+    // From SARIF specification (https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/sarif-v2.1.0-errata01-os-complete.html#_Toc141790730):
+    // Although the order in which properties appear in a JSON object value is not semantically significant, the version property SHOULD appear first.
+
+    return "{\n  \"version\": \"" + std::string(sarifVersion) + "\"," + picojson::value(doc).serialize(true).substr(1);
 }
 
 std::string SarifReport::sarifSeverity(const ErrorMessage& errmsg)
diff --git a/test/testsarifreport.cpp b/test/testsarifreport.cpp
@@ -98,6 +98,10 @@ class TestSarifReport : public TestFixture
         ASSERT_EQUALS("2.1.0", root.at("version").get<std::string>());
         ASSERT(root.at("$schema").get<std::string>().find("sarif-schema-2.1.0") != std::string::npos);
 
+        // From SARIF specification (https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/sarif-v2.1.0-errata01-os-complete.html#_Toc141790730):
+        // Although the order in which properties appear in a JSON object value is not semantically significant, the version property SHOULD appear first.
+        ASSERT_EQUALS("{\n  \"version\": \"2.1.0\"", sarif.substr(0,22));
+
         const picojson::array& runs = root.at("runs").get<picojson::array>();
         ASSERT_EQUALS(1U, runs.size());
 
