{"id":2762,"library":"sarif-om","title":"SARIF Object Model","description":"The `sarif-om` library provides Python classes that implement the Static Analysis Results Interchange Format (SARIF) Version 2.1.0 object model, an OASIS Committee Specification. It allows programmatic creation and manipulation of SARIF log structures in Python. The current version is 1.0.4. Microsoft maintains the project, but an explicit release cadence is not published.","status":"active","version":"1.0.4","language":"en","source_language":"en","source_url":"https://github.com/microsoft/sarif-python-om","tags":["SARIF","security","static analysis","object model","Microsoft","JSON"],"install":[{"cmd":"pip install sarif-om","lang":"bash","label":"Install with pip"}],"dependencies":[],"imports":[{"symbol":"SarifLog","correct":"from sarif_om import SarifLog, Run, Tool, ToolComponent, Result, Location, PhysicalLocation, ArtifactLocation, Message, ReportingDescriptor"}],"quickstart":{"code":"import json\nfrom sarif_om import SarifLog, Run, Tool, ToolComponent, Result, Location, PhysicalLocation, ArtifactLocation, Message, ReportingDescriptor\n\n# Create a SARIF log object\nlog = SarifLog(version='2.1.0', runs=[])\n\n# Create a Tool component\ntool_component = ToolComponent(name='Example Tool', version='1.0.0')\n\n# Create a Tool\ntool = Tool(driver=tool_component)\n\n# Create a Run\nrun = Run(tool=tool, results=[])\n\n# Create a ReportingDescriptor (rule definition)\nrule = ReportingDescriptor(id='EX1001', name='Example Rule', short_description=Message(text='This is an example rule.'))\n\n# Add the rule to the tool's driver rules\ntool.driver.rules = [rule]\n\n# Create a Result\nresult = Result(\n    rule_id='EX1001',\n    message=Message(text='Found a potential issue.'),\n    locations=[\n        Location(\n            physical_location=PhysicalLocation(\n                artifact_location=ArtifactLocation(uri='src/main.py'),\n                region={'startLine': 10, 'startColumn': 5}\n        
    )\n        )\n    ]\n)\n\n# Add the result to the run\nrun.results.append(result)\n\n# Add the run to the log\nlog.runs.append(run)\n\n# sarif-om classes are attrs classes with no to_dict() method, so convert them\n# recursively, using the SARIF property name stored in each field's metadata\nimport attr\n\ndef to_sarif_dict(obj):\n    if attr.has(type(obj)):\n        return {\n            f.metadata.get('schema_property_name', f.name): to_sarif_dict(getattr(obj, f.name))\n            for f in attr.fields(type(obj))\n            if getattr(obj, f.name) is not None\n        }\n    if isinstance(obj, list):\n        return [to_sarif_dict(item) for item in obj]\n    return obj\n\n# Serialize the SARIF log to JSON (sarif-om does not provide a direct save method)\nsarif_json = json.dumps(to_sarif_dict(log), indent=2)\nprint(sarif_json)","lang":"python","description":"This quickstart demonstrates how to programmatically construct a SARIF 2.1.0 log using the `sarif-om` classes. It creates a simple log with one run, one tool, one rule, and one result. Note that `sarif-om` itself only provides the object model; users must use standard Python JSON libraries (like `json`) to serialize the object model to a SARIF JSON string."},"warnings":[{"fix":"Manually handle JSON serialization/deserialization using Python's `json` module or consider `pysarif` for simplified file I/O.","message":"The `sarif-om` library provides only the object model classes. It does not include functionality to directly load existing SARIF files from disk or to serialize the in-memory object model to a file. Users must implement their own JSON parsing (e.g., using `json.load`/`json.loads`) and serialization (e.g., using `json.dump`/`json.dumps`) to work with actual SARIF files. Other libraries like `pysarif` or `sarif-tools` offer file I/O capabilities for SARIF.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Refer to the SARIF 2.1.0 specification for the object model structure and property requirements when constructing objects. Examine the source code for class definitions and available properties if specific usage patterns are unclear.","message":"Documentation for programmatic usage of `sarif-om` can be sparse, particularly for constructing complex SARIF logs from scratch. 
Most public examples or tutorials tend to focus on the `sarif-tools` command-line utility or `pysarif` library for interacting with SARIF files.","severity":"gotcha","affected_versions":"All versions"},{"fix":"If using `sarif-tools`, update scripts to reflect the new CSV output structure and adapt filter files to the new YAML format, potentially using the `upgrade-filter` command. This warning is specific to `sarif-tools`, not `sarif-om` itself.","message":"The related `sarif-tools` library (a separate project that *uses* `sarif-om`) introduced breaking changes in its 2.0.0 release. Specifically, CSV output columns ('Code' and 'Description' are now separate) and the `--blame-filter` argument (replaced by `--filter` with a new YAML-based format) were changed. This directly impacts users interacting with `sarif-tools` for reporting or filtering.","severity":"breaking","affected_versions":"sarif-tools >= 2.0.0"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}