Module: StillActive::SarifHelper
Overview
Renders a still_active workflow result as a SARIF 2.1.0 document. The output is suitable for upload to GitHub Code Scanning via github/codeql-action/upload-sarif.
Constant Summary collapse
- SARIF_SCHEMA =
"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"- TOOL_NAME =
"still_active"- TOOL_URI =
"https://github.com/SeanLF/still_active"- LIBYEAR_THRESHOLD =
1.0- SCORECARD_LOW_THRESHOLD =
4.0- SECONDS_PER_YEAR =
for the human-readable "in N years"
365 * 24 * 60 * 60
Instance Method Summary collapse
-
#render(result:, ruby_info:, lockfile_path:, tool_version:) ⇒ Object
result: same hash StillActive::Workflow.call returns (gem_name => gem_data) ruby_info: optional Ruby freshness hash (or nil) lockfile_path: path to Gemfile.lock for line annotations tool_version: StillActive::VERSION at emit time.
-
#render_sbom(result:, source_uri:, tool_version:) ⇒ Object
The SBOM path emits the same rule set and document, but there is no lockfile to annotate: every finding anchors to the SBOM file itself (line 1), and ruby_info is nil (Ruby EOL / SA006 is a native-only signal).
Instance Method Details
#render(result:, ruby_info:, lockfile_path:, tool_version:) ⇒ Object
result: same hash StillActive::Workflow.call returns (gem_name => gem_data) ruby_info: optional Ruby freshness hash (or nil) lockfile_path: path to Gemfile.lock for line annotations tool_version: StillActive::VERSION at emit time
32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
# File 'lib/helpers/sarif_helper.rb', line 32 def render(result:, ruby_info:, lockfile_path:, tool_version:) lockfile_content = File.read(lockfile_path) line_index = LockfileIndexer.gem_line_index(lockfile_content) ruby_line = LockfileIndexer.ruby_version_line(lockfile_content) lockfile_uri = File.basename(lockfile_path) results = build_results( report: result, ruby_info: ruby_info, line_index: line_index, ruby_line: ruby_line, lockfile_uri: lockfile_uri, ) JSON.pretty_generate(document(results: results, tool_version: tool_version, flavour: :ruby)) end |
#render_sbom(result:, source_uri:, tool_version:) ⇒ Object
The SBOM path emits the same rule set and document, but there is no lockfile
to annotate: every finding anchors to the SBOM file itself (line 1), and
ruby_info is nil (Ruby EOL / SA006 is a native-only signal). Findings are
named ecosystem/name (each gem_data carries :ecosystem and :name), so a
cross-ecosystem alert reads "npm/left-pad ..." rather than a bare gem name.
A polyglot SBOM has no single ecosystem, so the rule catalog uses the
ecosystem-neutral wording (flavour: :neutral) rather than the native "gem"
idiom, so a Go/npm/pypi repo's Code Scanning UI doesn't read as a Ruby audit.
result: SbomWorkflow assessed hash ("ecosystem/name@version" => gem_data) source_uri: the SBOM file to point findings at (basename) tool_version: StillActive::VERSION at emit time
61 62 63 64 65 66 67 68 69 70 71 |
# File 'lib/helpers/sarif_helper.rb', line 61 def render_sbom(result:, source_uri:, tool_version:) results = build_results( report: result, ruby_info: nil, line_index: {}, ruby_line: nil, lockfile_uri: source_uri, ) JSON.pretty_generate(document(results: results, tool_version: tool_version, flavour: :neutral)) end |