Our website uses cookies to enhance your browsing experience.
Accept
to the top
>
>
>
VSCode: how to view reports of static a…

VSCode: how to view reports of static analyzers that support SARIF

Aug 09 2021

People increasingly start optimizing the process of finding code errors using static analyzers. Nowadays, we can choose from a variety of products to view analysis results. This post covers the ways how to view an analyzer report in the most stylish and feature-rich IDE among multifunctional ones – VSCode. The SARIF format and a special plugin for it allow us to perform our task. Keep reading to find out about this. Let's get going!

0850_VSCode_SARIF/image1.png

I wrote this article at the request of our reader who left a comment on the previous article about SARIF. These posts form some kind of an article series on SARIF :) So if interested to learn more where and how you can use this format (or anything else), then drop your wishes in comments.

What is SARIF?

SARIF (Static Analysis Results Interchange Format) is a JSON-based static analysis results exchange format for the output of static analysis tools. It is meant to interact with other tools: IDEs, integrated code checking analysis tools (such as SonarQube), continuous integration systems, etc.

That is, before this interchange format, static analyzers worked like this:

0850_VSCode_SARIF/image2.png

Each product has its own standard to adjust to. Agree, it's not very convenient. By introducing SARIF, we get a different picture:

0850_VSCode_SARIF/image3.png

In a perfect world, it's enough to get a report in this format. Next you can open\use it in any program\system that handles static analysis results.

How to get a SARIF report

SARIF is a unified format. You can get a SARIF report using different static analyzers and tools. In this case, we use the PVS-Studio analyzer and PlogConverter – the report format conversion utility. The PVS-Studio team develops both tools.

Checking the project

To get the SARIF report, I picked a simple and interesting example of a C# source code fragment to check:

using System;
using System.Collections.Generic;
using System.Linq;

namespace SarifTest
{
    class Program
    {
        static void Main(string[] args)
        {
            var start = Convert.ToInt64(args[0]);
            var end = Convert.ToInt64(args[1]);
            ToString(start, end);
        }

        static string ToString(long start, long end)
        {
            if (end == long.MinValue)
            {
                if (start == long.MinValue)
                    return string.Format("[long.MinValue..long.MaxValue]", end);
                else
                    return string.Format("[{0}..long.MaxValue]", start);
            }
            else if (start == long.MinValue)
            {
                return string.Format("[long.MinValue..{0})", end);
            }
            else
            {
                return string.Format("[{0}..{1})", start, end);
            }
        }

        static int Formula42(int? coefficientA, int? coefficientB)
        {
            var data = new List<int>();
            if (coefficientA != null)
                data.Add(Formula42(coefficientA.Value));
            else if (coefficientB != null)
                data.Add(Formula42(coefficientA.Value));
            return data.SingleOrDefault();
        }

        static private int Formula42(int coefficient)
        {
            return coefficient;
        }


        static int CrazyCalculations()
        {
            var value = 10;
            value = value++;
            return value;
        }
    }
}

By the way, one of the errors in this example is based on the real error from the ILSpy project.

We use the PVS-Studio analyzer for the check. Using the "PVS-Studio_Cmd.exe" console utility, we start the analysis by running the command:

"C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" \
-t "D:\Use_SARIF_Example\BestProjectCpp.sln" \
-o "D:\Use_SARIF_Example\results.plog"

Let's consider the command line in detail. The "-t" flag is required. It allows you to specify an object to check (sln or csproj/vcxproj file). The "-o" flag is responsible for the path to the file where the analysis results are written.

I forgot to mention that the analyzer requires a license to work. If you don't have it, you can get a trial version by clicking here.

We now have an output report in the PVS-Studio analyzer format. This is an output file with the ".plog" extension. We need to convert it to the SARIF format. For this, we use the PlogConverter utility.

Converting Plog to SARIF

PlogConverter is an open-source utility designed to convert PVS-Studio analyzer reports from one format to another. It is described in more detail in the documentation.

Let's convert the analyzer report to the SARIF format.

"C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" \
"D:\Use_SARIF_Example\results.plog" \
-o "D:\Use_SARIF_Example" -t sarif -n results

That's it, now we have the report. We can move on to setting up VSCode.

Basics of plugin installation in Visual Studio Code

Visual Studio Code is a lightweight, free, cross-platform code editor that provides ample customization opportunities. The editor is a kind of constructor that we build using plugins. That is, if we need to write a program in C#, we just download the appropriate plugin. You can do it like this:

  • open VSCode;
  • find Extensions on the left;
  • write what you need in the search line (in our example, it's C#);
  • select the necessary plugin from displayed ones. Choose the plugin by its rating, number of downloads and description;
  • to download, click the install button, which is either in the description window or in the plugin list window to the right of the name;
  • sometimes additional customization may be required. Each plugin has individual settings, so be sure to read the description.

It looks as follows:

0850_VSCode_SARIF/image4.png

If you don't like the plugin you downloaded, you can disable it or delete. It takes a couple of clicks to do this:

  • open Extensions;
  • in the search bar, enter the name of the plugin you want to delete;
  • click on it and find Disable and Uninstall buttons in the opening window with the description above;
  • click the button according to what you need to do.

It looks like this:

0850_VSCode_SARIF/image5.png

SARIF plugin for Visual Studio Code

Plugin installation

The plugin for working with SARIF reports can be installed in the same way as the installation of any other plugin. If you don't know how it's done, check out the section above.

As for VSCode, I recommend and use the "SARIF Viewer" plugin. Its installation does not require any additional settings.

Loading a report to the plugin

Working with the plugin is simple. To begin with, you need to load the report. There are several ways to do this. The first is to choose your SARIF file, right click and select "open with VSCode".

0850_VSCode_SARIF/image6.png

The second way is to open VSCode and open the SARIF file from it.

0850_VSCode_SARIF/image7.png

Third option. Open VSCode, find the Show All Commands bar (Ctrl + Shift + P by default). In the opening window enter sarif and select "SARIF: Show Panel"

0850_VSCode_SARIF/image8.png

In the opening window click "Open SARIF log" and select the SARIF file.

That's it. This was the most difficult part. The report is loaded, and you can start viewing warnings.

Plugin features

After you've loaded the report, you see the following:

0850_VSCode_SARIF/image9.png

Let's cover them one at a time.

The LOCATIONS menu is a list of warnings grouped by file:

0850_VSCode_SARIF/image10.png

When you click on a message, you move to a problem spot in the code.

0850_VSCode_SARIF/image11.png

Note that all trouble spots are already highlighted with a wavy line. When you hover the cursor over this line, you see a description of the problem.

0850_VSCode_SARIF/image12.png

We can also shift between warnings using a shortcut (Alt + F8).

0850_VSCode_SARIF/image13.png

Next, we have the RULES menu. We can view the same messages in it, but grouped by diagnostic rules:

0850_VSCode_SARIF/image14.png

Clicking the message also lets you jump to the code.

The LOGS tab shows opened reports.

0850_VSCode_SARIF/image15.png

Ok, we've looked at all tabs. Please also note that each rule has a description at the bottom:

0850_VSCode_SARIF/image16.png

Click on the diagnostic code ("Rule Id" content) to switch to the documentation for this warning.

0850_VSCode_SARIF/image17.png

Conclusion

As you can see, the SARIF format allows us to simply and quickly use one more ready-made tool and get the result. Pretty convenient, right?

As for the plugin, I think it's a decent option for viewing static analyzer warnings. Perhaps in the future we'll write our own plugin with blackjack, bells and whistles (as we did recently for CLion). Until then, if you need\want to view static analyzer reports via the VS Code, give this product a try.

Thanks for reading!

Popular related articles


Comments (0)

Next comments next comments
close comment form
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam