sarif: do not include comments in CodeFlows

... but stash them into `relatedLocations`, so that they do not disturb
while visualizing the results on Github.

Author: kdudka

src/json-parser.cc

@@ -492,11 +492,34 @@ static void sarifReadLocation(DefEvent *pEvt, const pt::ptree &loc)
     }
 }
 
-static void sarifReadMsg(std::string *pDst, const pt::ptree &node)
+static bool sarifReadMsg(std::string *pDst, const pt::ptree &node)
 {
     const pt::ptree *msgNode;
-    if (findChildOf(&msgNode, node, "message"))
-        *pDst = valueOf<std::string>(*msgNode, "text", "<unknown>");
+    if (!findChildOf(&msgNode, node, "message"))
+        return false;
+
+    *pDst = valueOf<std::string>(*msgNode, "text", "<unknown>");
+    return true;
+}
+
+static void sarifReadComments(Defect *pDef, const pt::ptree &relatedLocs)
+{
+    for (const auto &item : relatedLocs) {
+        const pt::ptree &loc = item.second;
+
+        DefEvent tmp;
+        sarifReadLocation(&tmp, loc);
+        if (!tmp.fileName.empty())
+            // location info available --> not a csdiff-encoded comment
+            continue;
+
+        DefEvent evt("#");
+        if (!sarifReadMsg(&evt.msg, loc))
+            continue;
+
+        evt.verbosityLevel = 1;
+        pDef->events.push_back(evt);
+    }
 }
 
 static void sarifReadCodeFlow(Defect *pDef, const pt::ptree &cf)
@@ -598,5 +621,10 @@ bool SarifTreeDecoder::readNode(
     if (findChildOf(&cf, defNode, "codeFlows"))
         sarifReadCodeFlow(def, *cf);
 
+    // read comments if available
+    const pt::ptree *relatedLocs;
+    if (findChildOf(&relatedLocs, defNode, "relatedLocations"))
+        sarifReadComments(def, *relatedLocs);
+
     return true;
 }

src/json-writer.cc

@@ -225,6 +225,17 @@ static void sarifEncodeLoc(PTree *pLoc, const Defect &def, unsigned idx)
     pLoc->put_child("physicalLocation", locPhy);
 }
 
+static void sarifEncodeComment(PTree *pDst, const Defect &def, unsigned idx)
+{
+    PTree comment;
+
+    // needed for Github to see the SARIF data as valid
+    sarifEncodeLoc(&comment, def, idx);
+
+    sarifEncodeMsg(&comment, def.events[idx].msg);
+    appendNode(pDst, comment);
+}
+
 static void sarifEncodeEvt(PTree *pDst, const Defect &def, unsigned idx)
 {
     const DefEvent &evt = def.events[idx];
@@ -275,9 +286,13 @@ void SarifTreeEncoder::appendDef(const Defect &def)
     sarifEncodeMsg(&result, keyEvt.msg);
 
     // other events
-    PTree flowLocs;
-    for (unsigned i = 0; i < def.events.size(); ++i)
-        sarifEncodeEvt(&flowLocs, def, i);
+    PTree flowLocs, relatedLocs;
+    for (unsigned i = 0; i < def.events.size(); ++i) {
+        if (def.events[i].event == "#")
+            sarifEncodeComment(&relatedLocs, def, i);
+        else
+            sarifEncodeEvt(&flowLocs, def, i);
+    }
 
     // locations
     PTree tf;
@@ -294,6 +309,10 @@ void SarifTreeEncoder::appendDef(const Defect &def)
     appendNode(&cfList, cf);
     result.put_child("codeFlows", cfList);
 
+    if (!relatedLocs.empty())
+        // our stash for comments
+        result.put_child("relatedLocations", relatedLocs);
+
     // append the `result` object to the `results` array
     appendNode(&results_, result);
 }

tests/csgrep/85-sarif-writer-args.txt

@@ -0,0 +1 @@
+--mode=sarif