Parsing "Static Analysis Results Interchange Format (SARIF)" in MSBuild

When running various analyzers against a project using MSBuild, all failures are output in "Static Analysis Results Interchange Format (SARIF)" format (see e.g. https://github.com/sarif-standard/sarif-spec). For instance, a build may yield the following:

{
  "version": "0.1",
  "toolInfo": {
    "toolName": "Microsoft (R) Visual C# Compiler",
    "productVersion": "1.1.0",
    "fileVersion": "1.1.0"
  },
  "issues": [
    {
      "ruleId": "SA1401",
      "locations": [
        {
          "analysisTarget": [
            {
              "uri": "C:\\SomeFile.cs",
              "region": {
                "startLine": 708,
                "startColumn": 30,
                "endLine": 708,
                "endColumn": 36
              }
            }
          ]
        }
      ],
      "shortMessage": "Field must be private",
      "fullMessage": "A field within a C# class has an access modifier other than private.",
      "properties": {
        "severity": "Warning",
        "warningLevel": "1",
        "defaultSeverity": "Warning",
        "title": "Fields must be private",
        "category": "StyleCop.CSharp.MaintainabilityRules",
        "helpLink": "https:\/\/github.com\/DotNetAnalyzers\/StyleCopAnalyzers\/blob\/master\/documentation\/SA1401.md",
        "isEnabledByDefault": "True",
        "isSuppressedInSource": "True"
      }
    }
  ]
}

Now I would like to be able to parse the data above in the simplest way possible (and break the build if any non-suppressed issues are encountered). How do I go about doing this?

PS. Preferably I would also like to avoid implementing my own MSBuild tasks and installing specific software (e.g. PowerShell 3.0 for ConvertFrom-Json).

Mads Ravn asked Dec 02 '25 13:12

1 Answer

There is a SARIF SDK available to work with SARIF files. It's available as a NuGet package Sarif.Sdk, and the source code is on GitHub in the Microsoft/sarif-sdk project, with a How-To document that shows how to read a SARIF file from disk and deserialize it into a SarifLog object; then you can navigate through the SARIF object model to examine individual results.

In your case, you're interested in the isSuppressedInSource property in the result's “property bag.” The How-To document explains how you would retrieve that property:

Result result = …;

string isSuppressedInSource = result.GetProperty("isSuppressedInSource");

The SARIF spec is available online, and there's a SARIF home page with links to more information.

Finally: be aware that the SARIF format changed significantly between Visual Studio 2015 Update 2 and Update 3. The format is now at a stable 1.0.0 version.

Larry Golding answered Dec 05 '25 01:12
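For the "simplest way possible" the question asks for, the 0.1-format log shown above is plain JSON and can be checked with nothing but a standard-library JSON parser. The following is an added example, not code from the question, the answer or the SARIF SDK. It is written in Python on the assumption that some scripting host is available to an MSBuild Exec task; the sample log is constructed from the issue in the question plus a second, hypothetical issue at line 712 that is not suppressed. Two details matter in practice: SARIF 0.1 property bags carry the string "True"/"False" rather than a JSON boolean, and a log that is not version 0.1 is rejected rather than silently reported as clean (the 1.0.0 layout the answer mentions has a different shape). Each unsuppressed issue is printed in MSBuild's canonical error format, `file(line,col): error CODE: message`, which the Exec task recognises and logs as a build-failing error; the script also exits non-zero so a plain Exec without canonical-error parsing fails too.

```python
"""Fail an MSBuild run when a SARIF 0.1 log contains issues that are not
suppressed in source.

Added example, not code from the question or answer above. It parses the
0.1-format log shown in the question (the "issues" array) with only the
standard library, so it needs no SARIF SDK and no PowerShell.
"""
import json
import sys

# Constructed sample: the issue from the question (suppressed in source) plus a
# second, hypothetical issue at line 712 that is not suppressed.
SAMPLE_SARIF = r'''{
  "version": "0.1",
  "toolInfo": {"toolName": "Microsoft (R) Visual C# Compiler", "productVersion": "1.1.0"},
  "issues": [
    {
      "ruleId": "SA1401",
      "locations": [{"analysisTarget": [{"uri": "C:\\SomeFile.cs",
        "region": {"startLine": 708, "startColumn": 30, "endLine": 708, "endColumn": 36}}]}],
      "shortMessage": "Field must be private",
      "properties": {"severity": "Warning", "isSuppressedInSource": "True"}
    },
    {
      "ruleId": "SA1401",
      "locations": [{"analysisTarget": [{"uri": "C:\\SomeFile.cs",
        "region": {"startLine": 712, "startColumn": 5, "endLine": 712, "endColumn": 11}}]}],
      "shortMessage": "Field must be private",
      "properties": {"severity": "Warning", "isSuppressedInSource": "False"}
    }
  ]
}'''


def property_is_true(issue, name):
    """SARIF 0.1 property bags carry strings ("True"/"False"), not JSON
    booleans. Accept either; a missing property counts as False."""
    value = issue.get("properties", {}).get(name, False)
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def load_issues(text):
    """Parse a SARIF 0.1 log and return its issue list. Other versions are
    rejected rather than silently yielding zero issues for a differently
    shaped document."""
    log = json.loads(text)
    if log.get("version") != "0.1":
        raise ValueError("expected SARIF version 0.1, got %r" % log.get("version"))
    return log.get("issues", [])


def unsuppressed_issues(issues):
    """Issues that are not marked isSuppressedInSource."""
    return [i for i in issues if not property_is_true(i, "isSuppressedInSource")]


def to_msbuild_error(issue):
    """Render an issue in MSBuild's canonical error format,
    file(line,col): error CODE: message, which the Exec task recognises
    and turns into a build-failing error."""
    target = issue["locations"][0]["analysisTarget"][0]
    region = target.get("region", {})
    return "%s(%s,%s): error %s: %s" % (
        target["uri"],
        region.get("startLine", 0),
        region.get("startColumn", 0),
        issue["ruleId"],
        issue.get("shortMessage", issue.get("fullMessage", "")),
    )


def check_log(text):
    """Return (exit_code, error_lines): 1 and one line per unsuppressed issue,
    or 0 and an empty list when the build may proceed."""
    failures = unsuppressed_issues(load_issues(text))
    lines = [to_msbuild_error(i) for i in failures]
    return (1 if failures else 0), lines


if __name__ == "__main__":
    # Usage: python check_sarif.py build.sarif
    # (falls back to the constructed sample when no file is given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    code, lines = check_log(text)
    for line in lines:
        print(line)
    sys.exit(code)
```

Wired into a project as an Exec task after the analyzer step, the canonical error lines make the failure show up against the right file and line in the build log, and the non-zero exit status fails the build even where canonical-error parsing is disabled. The version check is deliberate: a 1.0.0 log would otherwise parse successfully and report no issues at all.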


