Expansion of SARIF module fields to more fully implement the SARIF fo…

…rmat. SARIF is still not fully implemented.

schema/metaschema/sarif-module.xml

@@ -5,25 +5,29 @@
     <schema-version>0.1.0</schema-version>
     <short-name>sarif</short-name>
     <!-- TODO: Do we want to have 1:1 overlap with SARIF? I am not sure. -->
-    <namespace>http://csrc.nist.gov/ns/oscal/metaschema/validation/results/1.0</namespace>
+    <namespace>https://json.schemastore.org/sarif/2.1.0</namespace>
     <!-- TODO: Ditto here, this is the URL for the official spec release version. -->
-    <json-base-uri>http://csrc.nist.gov/ns/oscal/metaschema/validation/results/1.0</json-base-uri>
+    <json-base-uri>https://json.schemastore.org/sarif-2.1.0.json</json-base-uri>
     <define-field name="version">
         <formal-name>SARIF Model Version</formal-name>
         <description>The version of the SARIF Model used for conforming instances.</description>
         <constraint>
-            <allowed-values target="." allow-other="no">
+            <allowed-values target="." allow-other="no"> 
                 <enum value="2.1.0"/>
             </allowed-values>
         </constraint>
     </define-field>
-    <define-assembly name="property">
+    <define-assembly name="propertyBag">
         <!-- TODO: review -->
-        <formal-name>Properties</formal-name>
-        <description>A collection of named properties or property bag key values (the latter is loosely enforced) for SARIF elements.</description>
+        <formal-name>Property Bag</formal-name>
+        <description>Key/value pairs that provide additional information about the object.</description>
         <model>
-            <any />
-        </model>
+	        <define-field name="tag" min-occurs="0" max-occurs="unbounded">
+	        	<formal-name>Tag</formal-name>
+	        	<description>A set of distinct strings that provide additional information.</description>
+	        	<group-as name="tags" in-json="ARRAY"/>
+	        </define-field>
+		</model>
     </define-assembly>
     <define-assembly name="toolComponent">
         <define-flag name="guid" as-type="uuid">
@@ -56,6 +60,9 @@
                 <description>The absolute URI at which information about this version of the tool component can be found.</description>
             </define-field>
             <assembly ref="reportingDescriptor" min-occurs="0" max-occurs="unbounded">
+            	<formal-name>Rule</formal-name>
+            	<description>An array of reportingDescriptor objects relevant to the analysis performed by the tool component.</description>
+            	<use-name>rule</use-name>
                 <group-as name="rules" in-json="ARRAY" />
             </assembly>
         </model>
@@ -96,7 +103,11 @@
         <formal-name>Artifacts</formal-name>
         <description>Artifacts analyzed by the tool to yield results.</description>
         <model>
-            <!-- TODO -->
+            <assembly ref="artifactLocation" min-occurs="0">
+            	<formal-name>Artifact Location</formal-name>
+            	<description>The location of the artifact.</description>
+            	<use-name>location</use-name>
+            </assembly>
         </model>
     </define-assembly>
     <define-assembly name="result">
@@ -154,13 +165,14 @@
                 <description>Identifies the artifact that the analysis tool was instructed to scan. This need not be the same as the artifact where the result actually occurred.</description>
                 <use-name>analysisTarget</use-name>
             </assembly>
-            <assembly ref="location" min-occurs="0">
+            <assembly ref="location" min-occurs="0" max-occurs="unbounded">
                 <formal-name>Result Location</formal-name>
                 <description>The set of locations where the result was detected. Specify only one location unless the problem indicated by the result can only be corrected by making a change at every specified location.</description>
+				<use-name>location</use-name>
                 <group-as name="locations" in-json="ARRAY" />
             </assembly>
             <define-field name="occurenceCount" as-type="positive-integer" min-occurs="0">
-                <formal-name>Occurence Count</formal-name>
+                <formal-name>Occurrence Count</formal-name>
                 <description>A positive integer specifying the number of times this logically unique result was observed in this run.</description>
             </define-field>
             <assembly ref="location" min-occurs="0">
@@ -241,6 +253,15 @@
                 <formal-name>URI</formal-name>
                 <description>A valid relative or absolute URI.</description>
             </define-field>
+            <define-field name="index" as-type="integer"  min-occurs="0" default="-1">
+				<formal-name>Index</formal-name>
+				<description>The index within the run artifacts array of the artifact object associated with the artifact location.</description>
+    		    <constraint>
+                    <expect target="." test="@id &gt;= -1">
+                        <message>The index '{ . }' is not greater than or equal to '-1'.</message>
+                    </expect>
+                </constraint>
+            </define-field>
             <assembly ref="message" min-occurs="0">
                 <formal-name>Description</formal-name>
                 <description>A short description of the artifact location.</description>
@@ -260,12 +281,10 @@
                 <formal-name>Physical Location</formal-name>
                 <description>A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact.</description>
             </assembly>
-                    <!--
             <assembly ref="logicalLocation">
                 <formal-name>Logical Location</formal-name>
                 <description>The logical locations associated with the result.</description>
             </assembly>
-            -->
             <assembly ref="message">
                 <formal-name>Location Message</formal-name>
                 <description>A message relevant to the location.</description>
@@ -306,6 +325,46 @@
             </expect>
         </constraint>
     </define-assembly>
+    <define-assembly name="logicalLocation">
+    	<formal-name>Logical Location</formal-name>
+    	<description>A logical location of a construct that produced a result.</description>
+    	<model>
+    		<define-field name="name" min-occurs="0">
+    			<formal-name>Logical Location Name</formal-name>
+    			<description>Identifies the construct in which the result occurred. For example, this property might contain the name of a class or a method.</description>
+    		</define-field>
+    		<define-field name="index" as-type="integer"  min-occurs="0" default="-1">
+				<formal-name>Index</formal-name>
+				<description>The index within the logical locations array.</description>
+    		    <constraint>
+                    <expect target="." test="@id &gt;= -1">
+                        <message>The index '{ . }' is not greater than or equal to '-1'.</message>
+                    </expect>
+                </constraint>
+            </define-field>
+            <define-field name="fullyQualifiedName">
+            	<formal-name>Fully Qualified Name</formal-name>
+            	<description>The human-readable fully qualified name of the logical location.</description>
+            </define-field>
+            <define-field name="decoratedName">
+            	<formal-name>Decorated Name</formal-name>
+            	<description>The machine-readable name for the logical location, such as a mangled function name provided by a C++ compiler that encodes calling convention, return type and other details along with the function name.</description>
+            </define-field>
+            <define-field name="parentIndex" as-type="integer"  min-occurs="0" default="-1">
+            	<formal-name>Parent Index</formal-name>
+            	<description>Identifies the index of the immediate parent of the construct in which the result was detected. For example, this property might point to a logical location that represents the namespace that holds a type.</description>
+            	<constraint>
+                    <expect target="." test="@id &gt;= -1">
+                        <message>The index '{ . }' is not greater than or equal to '-1'.</message>
+                    </expect>
+                </constraint>
+            </define-field>
+            <define-field name="kind">
+            	<formal-name>Kind</formal-name>
+            	<description>The type of construct this logical location component refers to. Should be one of 'function', 'member', 'module', 'namespace', 'parameter', 'resource', 'returnType', 'type', 'variable', 'object', 'array', 'property', 'value', 'element', 'text', 'attribute', 'comment', 'declaration', 'dtd' or 'processingInstruction', if any of those accurately describe the construct.</description>
+            </define-field>
+    	</model>
+    </define-assembly>
     <define-assembly name="region">
         <formal-name>Region</formal-name>
         <description>A region within an artifact where a result was detected.</description>
@@ -372,7 +431,7 @@
         </constraint>
     </define-assembly>
     <define-assembly name="resultProvenance">
-        <formal-name>Result Provenance</formal-name>
+        <formal-name>Result Provanance</formal-name>
         <description>Contains information about how and when a result was detected.</description>
         <model>
             <define-field name="firstDetectionTimeUtc" as-type="date-time-with-timezone" min-occurs="0">