To get a trial key
fill out the form below
Team License (a basic version)
Enterprise License (extended version)
* By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
USD
EUR
GBP
RUB
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
>
VSCode: how to view reports of static a…

VSCode: how to view reports of static analyzers that support SARIF

Aug 09 2021

People increasingly start optimizing the process of finding code errors using static analyzers. Nowadays, we can choose from a variety of products to view analysis results. This post covers the ways how to view an analyzer report in the most stylish and feature-rich IDE among multifunctional ones – VSCode. The SARIF format and a special plugin for it allow us to perform our task. Keep reading to find out about this. Let's get going!

0850_VSCode_SARIF/image1.png

I wrote this article at the request of our reader who left a comment on the previous article about SARIF. These posts form some kind of an article series on SARIF :) So if interested to learn more where and how you can use this format (or anything else), then drop your wishes in comments.

What is SARIF?

SARIF (Static Analysis Results Interchange Format) is a JSON-based static analysis results exchange format for the output of static analysis tools. It is meant to interact with other tools: IDEs, integrated code checking analysis tools (such as SonarQube), continuous integration systems, etc.

That is, before this interchange format, static analyzers worked like this:

0850_VSCode_SARIF/image2.png

Each product has its own standard to adjust to. Agree, it's not very convenient. By introducing SARIF, we get a different picture:

0850_VSCode_SARIF/image3.png

In a perfect world, it's enough to get a report in this format. Next you can open\use it in any program\system that handles static analysis results.

How to get a SARIF report

SARIF is a unified format. You can get a SARIF report using different static analyzers and tools. In this case, we use the PVS-Studio analyzer and PlogConverter – the report format conversion utility. The PVS-Studio team develops both tools.

Checking the project

To get the SARIF report, I picked a simple and interesting example of a C# source code fragment to check:

using System;
using System.Collections.Generic;
using System.Linq;

namespace SarifTest
{
    class Program
    {
        static void Main(string[] args)
        {
            var start = Convert.ToInt64(args[0]);
            var end = Convert.ToInt64(args[1]);
            ToString(start, end);
        }

        static string ToString(long start, long end)
        {
            if (end == long.MinValue)
            {
                if (start == long.MinValue)
                    return string.Format("[long.MinValue..long.MaxValue]", end);
                else
                    return string.Format("[{0}..long.MaxValue]", start);
            }
            else if (start == long.MinValue)
            {
                return string.Format("[long.MinValue..{0})", end);
            }
            else
            {
                return string.Format("[{0}..{1})", start, end);
            }
        }

        static int Formula42(int? coefficientA, int? coefficientB)
        {
            var data = new List<int>();
            if (coefficientA != null)
                data.Add(Formula42(coefficientA.Value));
            else if (coefficientB != null)
                data.Add(Formula42(coefficientA.Value));
            return data.SingleOrDefault();
        }

        static private int Formula42(int coefficient)
        {
            return coefficient;
        }


        static int CrazyCalculations()
        {
            var value = 10;
            value = value++;
            return value;
        }
    }
}

By the way, one of the errors in this example is based on the real error from the ILSpy project.

We use the PVS-Studio analyzer for the check. Using the "PVS-Studio_Cmd.exe" console utility, we start the analysis by running the command:

"C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" \
-t "D:\Use_SARIF_Example\BestProjectCpp.sln" \
-o "D:\Use_SARIF_Example\results.plog"

Let's consider the command line in detail. The "-t" flag is required. It allows you to specify an object to check (sln or csproj/vcxproj file). The "-o" flag is responsible for the path to the file where the analysis results are written.

I forgot to mention that the analyzer requires a license to work. If you don't have it, you can get a trial version by clicking here.

We now have an output report in the PVS-Studio analyzer format. This is an output file with the ".plog" extension. We need to convert it to the SARIF format. For this, we use the PlogConverter utility.

Converting Plog to SARIF

PlogConverter is an open-source utility designed to convert PVS-Studio analyzer reports from one format to another. It is described in more detail in the documentation.

Let's convert the analyzer report to the SARIF format.

"C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" \
"D:\Use_SARIF_Example\results.plog" \
-o "D:\Use_SARIF_Example" -t sarif -n results

That's it, now we have the report. We can move on to setting up VSCode.

Basics of plugin installation in VSCode

VSCode is a lightweight, free, cross-platform code editor that provides ample customization opportunities. The editor is a kind of constructor that we build using plugins. That is, if we need to write a program in C#, we just download the appropriate plugin. You can do it like this:

  • open VSCode;
  • find Extensions on the left;
  • write what you need in the search line (in our example, it's C#);
  • select the necessary plugin from displayed ones. Choose the plugin by its rating, number of downloads and description;
  • to download, click the install button, which is either in the description window or in the plugin list window to the right of the name;
  • sometimes additional customization may be required. Each plugin has individual settings, so be sure to read the description.

It looks as follows:

0850_VSCode_SARIF/image4.png

If you don't like the plugin you downloaded, you can disable it or delete. It takes a couple of clicks to do this:

  • open Extensions;
  • in the search bar, enter the name of the plugin you want to delete;
  • click on it and find Disable and Uninstall buttons in the opening window with the description above;
  • click the button according to what you need to do.

It looks like this:

0850_VSCode_SARIF/image5.png

SARIF plugin for VSCode

Plugin installation

The plugin for working with SARIF reports can be installed in the same way as the installation of any other plugin. If you don't know how it's done, check out the section above.

As for VSCode, I recommend and use the "SARIF Viewer" plugin. Its installation does not require any additional settings.

Loading a report to the plugin

Working with the plugin is simple. To begin with, you need to load the report. There are several ways to do this. The first is to choose your SARIF file, right click and select "open with VSCode".

0850_VSCode_SARIF/image6.png

The second way is to open VSCode and open the SARIF file from it.

0850_VSCode_SARIF/image7.png

Third option. Open VSCode, find the Show All Commands bar (Ctrl + Shift + P by default). In the opening window enter sarif and select "SARIF: Show Panel"

0850_VSCode_SARIF/image8.png

In the opening window click "Open SARIF log" and select the SARIF file.

That's it. This was the most difficult part. The report is loaded, and you can start viewing warnings.

Plugin features

After you've loaded the report, you see the following:

0850_VSCode_SARIF/image9.png

Let's cover them one at a time.

The LOCATIONS menu is a list of warnings grouped by file:

0850_VSCode_SARIF/image11.png

When you click on a message, you move to a problem spot in the code.

0850_VSCode_SARIF/image12.png

Note that all trouble spots are already highlighted with a wavy line. When you hover the cursor over this line, you see a description of the problem.

0850_VSCode_SARIF/image13.png

We can also shift between warnings using a shortcut (Alt + F8).

0850_VSCode_SARIF/image14.png

Next, we have the RULES menu. We can view the same messages in it, but grouped by diagnostic rules:

0850_VSCode_SARIF/image16.png

Clicking the message also lets you jump to the code.

The LOGS tab shows opened reports.

0850_VSCode_SARIF/image17.png

Ok, we've looked at all tabs. Please also note that each rule has a description at the bottom:

0850_VSCode_SARIF/image18.png

Click on the diagnostic code ("Rule Id" content) to switch to the documentation for this warning.

0850_VSCode_SARIF/image19.png

Conclusion

As you can see, the SARIF format allows us to simply and quickly use one more ready-made tool and get the result. Pretty convenient, right?

As for the plugin, I think it's a decent option for viewing static analyzer warnings. Perhaps in the future we'll write our own plugin with blackjack, bells and whistles (as we did recently for CLion). Until then, if you need\want to view static analyzer reports via the VSCode, give this product a try.

Thanks for reading!

Popular related articles
The Last Line Effect

Date: May 31 2014

Author: Andrey Karpov

I have studied many errors caused by the use of the Copy-Paste method, and can assure you that programmers most often tend to make mistakes in the last fragment of a homogeneous code block. I have ne…
Static analysis as part of the development process in Unreal Engine

Date: Jun 27 2017

Author: Andrey Karpov

Unreal Engine continues to develop as new code is added and previously written code is changed. What is the inevitable consequence of ongoing development in a project? The emergence of new bugs in th…
PVS-Studio for Java

Date: Jan 17 2019

Author: Andrey Karpov

In the seventh version of the PVS-Studio static analyzer, we added support of the Java language. It's time for a brief story of how we've started making support of the Java language, how far we've co…
Characteristics of PVS-Studio Analyzer by the Example of EFL Core Libraries, 10-15% of False Positives

Date: Jul 31 2017

Author: Andrey Karpov

After I wrote quite a big article about the analysis of the Tizen OS code, I received a large number of questions concerning the percentage of false positives and the density of errors (how many erro…
Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities

Date: Nov 21 2018

Author: Andrey Karpov

A brief description of technologies used in the PVS-Studio tool, which let us effectively detect a large number of error patterns and potential vulnerabilities. The article describes the implementati…
The Ultimate Question of Programming, Refactoring, and Everything

Date: Apr 14 2016

Author: Andrey Karpov

Yes, you've guessed correctly - the answer is "42". In this article you will find 42 recommendations about coding in C++ that can help a programmer avoid a lot of errors, save time and effort. The au…
How PVS-Studio Proved to Be More Attentive Than Three and a Half Programmers

Date: Oct 22 2018

Author: Andrey Karpov

Just like other static analyzers, PVS-Studio often produces false positives. What you are about to read is a short story where I'll tell you how PVS-Studio proved, just one more time, to be more atte…
The way static analyzers fight against false positives, and why they do it

Date: Mar 20 2017

Author: Andrey Karpov

In my previous article I wrote that I don't like the approach of evaluating the efficiency of static analyzers with the help of synthetic tests. In that article, I give the example of a code fragment…
Free PVS-Studio for those who develops open source projects

Date: Dec 22 2018

Author: Andrey Karpov

On the New 2019 year's eve, a PVS-Studio team decided to make a nice gift for all contributors of open-source projects hosted on GitHub, GitLab or Bitbucket. They are given free usage of PVS-Studio s…
PVS-Studio ROI

Date: Jan 30 2019

Author: Andrey Karpov

Occasionally, we're asked a question, what monetary value the company will receive from using PVS-Studio. We decided to draw up a response in the form of an article and provide tables, which will sho…

Comments (0)

Next comments
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →
Accept