diff --git a/schema/metaschema/sarif-module.xml b/schema/metaschema/sarif-module.xml new file mode 100644 index 00000000..5d4ffb53 --- /dev/null +++ b/schema/metaschema/sarif-module.xml 
@@ -0,0 +1,430 @@ + + + + SARIF Metaschema Module + 0.1.0 + sarif + + http://csrc.nist.gov/ns/oscal/metaschema/validation/results/1.0 + + http://csrc.nist.gov/ns/oscal/metaschema/validation/results/1.0 + + SARIF Model Version + The version of the SARIF Model used for conforming instances. + + + + + + + + + Properties + A collection of named properties or property bag key values (the latter is loosely enforced) for SARIF elements. + + + + + + + Tool Component Unique Identifier + A stable, unique identifier for the tool component. + + + + Tool Component Name + The name of the tool component. + + + Tool Component Organization + The organization or company that produced the tool component. + + + Tool Component Product + A product suite to which the tool component belongs. + + + Tool Component Version + The tool component version, in whatever format the component natively provides. + + + Tool Component Semantic Version + The tool component version in the format specified by Semantic Versioning 2.0. + + + Tool Component Information URI + The absolute URI at which information about this version of the tool component can be found. + + + + + + + + Reporting Descriptor + Metadata that describes a specific report produced by the tool, as part of the analysis it provides or its runtime reporting. + + Reporting Descriptor Identifier + A stable, opaque identifier for the report. + + + Reporting Descriptor Unique Identifier + A stable, unique identifier for the reporting descriptor. + + + + Reporting Descriptor Name + A report identifier that is understandable to an end user. + + + Help URI + A URI where the primary documentation for the report can be found. + + + + + Tool + The analysis tool used. + + + driver + + + + + + Artifacts + Artifacts analyzed by the tool to yield results. + + + + + + Results + Results from the run of a tool. + + Rule Identifier + The stable, unique identifier of the rule, if any, to which this result is relevant. 
+ + + Rule Identifier + The stable, unique identifier of the rule, if any, to which this result is relevant. + + + Result Unique Identifier + A stable, unique identifier for the result. + + + + A reference used to locate the rule descriptor relevant to this result. + rule + + + Result Kind + A value that categorizes results by evaluation state. + + + + + + + + + + + + + Severity Level + A value specifying the severity level of the result. + + + + + + + + + + + Result Message + A message that describes the result. The first sentence of the message only will be displayed when visible space is limited. + + + Scanned Artifact + Identifies the artifact that the analysis tool was instructed to scan. This need not be the same as the artifact where the result actually occurred. + analysisTarget + + + Result Location + The set of locations where the result was detected. Specify only one location unless the problem indicated by the result can only be corrected by making a change at every specified location. + + + + Occurence Count + A positive integer specifying the number of times this logically unique result was observed in this run. + + + Result Related Location + A set of locations relevant to this result. + relatedLocation + + + + Result Provenance + Information about how and when the result was detected. + provenance + + + + + The value '{ . }' is not greater than or equal to '-1'. + + + + + + Reporting Descriptor Reference + Information about how to locate a relevant reporting descriptor. + + Reporting Descriptor Identifier + The id of the descriptor. + + + Reporting Descriptor Unique Identifier + A stable, unique identifier for the reporting descriptor. + + + + Index + The index into an array of descriptors in toolComponent.ruleDescriptors, toolComponent.notificationDescriptors, or toolComponent.taxonomyDescriptors, depending on context. + + + + + At least one id, guid, or index must be provided. 
+ + + + + Message + Encapsulates a message intended to be read by the end user. + + Message Identifier + The id of the message. + + + + Text + A plain text message string. + + + Markdown + A Markdown message string. + + + Argument + A sequence of strings to substitute into the message string. + + + + + + At least one id or text must be provided. + + + + + Artifact Location + Specifies the location of an artifact. + + + URI + A valid relative or absolute URI. + + + Description + A short description of the artifact location. + description + + + + + Location + A location within a programming artifact. + + Location Identifier + A value that distinguishes this location from all other locations within a single result object. + + + + Physical Location + A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact. + + + + Location Message + A message relevant to the location. + + + + + The id '{ . }' is not greater than or equal to '-1'. + + + + + + Physical Location + A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact. + + + Address + A physical or virtual address, or a range of addresses, in an 'addressable region' (memory or a binary file). + + + + The location of the artifact. + + + Region + Specifies a portion of the artifact. + + + Context Region + Specifies a portion of the artifact that encloses the region. Allows a viewer to display additional context around the region. + contextRegion + + + + + At least one address or artifactLocation must be provided. + + + + + Region + A region within an artifact where a result was detected. + + + Start Line + The line number of the first character in the region. + + + + Start Column + The column number of the first character in the region. + + + + End Line + The line number of the last character in the region. 
+ + + + End Column + The column number of the character following the end of the region. + + + + Character Offset + The zero-based offset from the beginning of the artifact of the first character in the region. + + + The offset '{ . }' is not greater than or equal to '-1'. + + + + + + Character Length + The length of the region in characters. + + + + Byte Offset + The zero-based offset from the beginning of the artifact of the first byte in the region + + + The offset '{ . }' is not greater than or equal to '-1'. + + + + + + Byte Length + The length of the region in bytes. + + + + Region Message + A message relevant to the region. + + + + + At least a startLine, charOffset, or byteOffset must be provided. + + + + + Result Provenance + Contains information about how and when a result was detected. + + + First Detection Time + The Coordinated Universal Time (UTC) date and time at which the result was first detected. See \"Date/time properties\" in the SARIF spec for the required format. + + + + Last Detection Time + The Coordinated Universal Time (UTC) date and time at which the result was most recently detected. See \"Date/time properties\" in the SARIF spec for the required format. + + + + Conversion Source + An sequence of physicalLocation objects which specify the portions of an analysis tool's output that a converter transformed into the result. + conversionSource + + + + + + Run + Describes a single run of an analysis tool, and contains the reported output of that run. + + + Tool + Information about the tool or tool pipeline that generated the results in this run. A run can only contain results produced by a single tool or tool pipeline. A run can aggregate results from multiple log files, as long as context around the tool run (tool command-line arguments and the like) is identical for all aggregated files. + + + Artifact + A sequence of artifacts relevant to the run. + + + + Result + The set of results contained in an SARIF log. 
The results array can be omitted when a run is solely exporting rules metadata. It must be present (but may be empty) if a log file represents an actual scan. + + + + + + Static Analysis Results Interchange Format + A standard format for the output of static analysis tools. + sarif + + + + + + + +

Note, Metaschema does not support an anonymous top-level assembly without a key name in JSON and YAML, which is required for SARIF.

+
+
+
\ No newline at end of file
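Review bot: the Results assembly in this hunk defines "Rule Identifier" twice with the identical description "The stable, unique identifier of the rule, if any, to which this result is relevant." (once at the end of the first extracted line of the hunk and again at the start of the next); drop one copy, or if the two are meant to be distinct fields (the id flag versus the rule reference), give the second its own name and description. The occurrence count is documented as "A positive integer specifying the number of times this logically unique result was observed in this run", yet the only value constraint visible in that assembly reports "The value '{ . }' is not greater than or equal to '-1'."; if that constraint is attached to the occurrence count the lower bound should be 1, and if it targets another field the message should name that field so a failing instance is actionable. The Result Provenance descriptions carry backslash-escaped quotes, `\"Date/time properties\"`, which XML does not unescape, so the backslashes will be emitted verbatim into generated documentation; use plain quotes or `&quot;`. Description text also needs a spelling and grammar pass: "Occurence Count" -> "Occurrence Count", "An sequence of physicalLocation objects" -> "A sequence of physicalLocation objects", "contained in an SARIF log" -> "contained in a SARIF log", and the byte offset description is missing its terminating period. The remark that Metaschema cannot express the anonymous top-level assembly that SARIF requires in JSON and YAML is a real gap for anyone validating actual logs against this module and deserves a tracked issue or README entry rather than only an inline note. Finally, the file ends with three empty added lines followed by "\ No newline at end of file"; trim the trailing blanks and add the final newline.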