analysis tool: A tool that produces observations about a set of programming artifacts, for example by detecting issues or calculating metrics.
artifact: Anything produced by the act of programming, such as a source file, an object file, or a web page.
binding: An association between two sets of entities. In this context, the association between the entities defined by the SARIF object model and their representation in a programming language.
code flow: A set of one or more thread flows which together specify a pattern of code execution relevant to detecting a result.
custom taxonomy: A taxonomy defined by an analysis tool.
driver: That component of an analysis tool which contains the tool's primary executable.
dynamic analysis tool: An analysis tool that observes the execution of a program.
embedded link: A hyperlink that occurs in a plain text message or a Markdown message.
engineering system: A software development environment within which analysis tools execute. It typically includes a build system, a source control system, a result management system, a bug tracking system, a test execution system, and so on.
enrichment: The process of adding additional, optional data to an existing SARIF log file.
extension: A component of an analysis tool other than the driver. Extensions are typically authored separately from and discovered dynamically by the driver. They often contain additional analysis rules.
external property file: A file separate from a SARIF log file, typically used to store large data sets (such as taxonomies) needed by multiple log files.
first-class property: A property defined by the SARIF specification, as opposed to one that occurs in a property bag.
fit for purpose: Describes a SARIF log file that contains the information necessary to allow the file to be used for a particular purpose.
hierarchical string: A string in which the forward slash character '/' is significant and defines a logical hierarchy on the values of the string.
issue: A condition in a program that might detract from its quality.
logical location: A location specified by name, without reference to a particular artifact, for example, by means of a class name and a method name.
notification: A message from an analysis tool that provides information about the tool's configuration or execution.
notification metadata: Information that describes a notification produced by an analysis tool. SARIF uses the same object (reportingDescriptor) to describe both notification metadata and rule metadata.
object model: A set of classes and associations among them that describes a problem domain. In this context, the set of classes that describe the contents of a SARIF log file.
physical location: A location specified by reference to a particular artifact, for example, by means of a file name and a line number.
post-processor: A program that takes a SARIF file, modifies it, and produces a new SARIF file with the modifications.
primary executable: That file belonging to an analysis tool in which execution begins, for example, a binary file containing the program entry point.
property bag: A SARIF property named properties that can contain any property with any value.
result: An observation about an artifact, often but not always an issue.
related location: A place in the code other than the result location that helps a user understand a result.
result location: A place in the code where an analysis tool detects a result.
result management system: A system that consumes results produced by analysis tools and typically performs functions such as filing bugs and producing reports that provide a view of system quality over time.
result matching: The process of identifying results that have appeared, disappeared, or changed between one tool run and another.
rule: A criterion for correctness verified by an analysis tool.
rule metadata: Information that describes a rule supported by an analysis tool. SARIF uses the same object (reportingDescriptor) to describe both rule metadata and notification metadata.
standard taxonomy: A taxonomy defined publicly, without reference to any particular analysis tool.
static analysis tool: An analysis tool that examines programming artifacts without executing the program.
taxon (pl. taxa): An individual category within a taxonomy.
taxonomy: A system that classifies results into a set of categories.
thread flow: A temporally ordered set of code locations specifying a possible execution path through the code, which occur within a single thread of execution, such as an operating system thread or a fiber.
tool component: A component of an analysis tool, either its driver or an extension, consisting of one or more files.
tool configuration notification: A notification that provides information about how the tool was configured, for example, what options were selected or which rules were enabled and disabled.
tool execution notification: A notification that provides information about runtime conditions encountered during the tool's execution, such as the analysis start and end times, or an exception encountered during the evaluation of a rule.
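As an added example (not part of the specification text), the following Python ties several of the terms above together: a run whose driver carries rule metadata (a reportingDescriptor), results with a physical location and a property bag, and a result-matching step between a baseline and a current run. The property names used (tool.driver.rules, partialFingerprints, locations, properties) are assumed from the SARIF 2.1.0 format rather than defined on this page, and all log content is constructed.

```python
def make_run(results):
    """Build a minimal SARIF run: a driver with one rule (reportingDescriptor) and the given results."""
    return {"tool": {"driver": {"name": "ExampleLint", "rules": [
                {"id": "EX1001", "shortDescription": {"text": "Untrusted input reaches a sink."}}]}},
            "results": results}

def make_result(uri, line, fingerprint):
    """Constructed result: one physical location plus a fingerprint used for result matching."""
    return {"ruleId": "EX1001", "level": "warning",
            "message": {"text": "Untrusted value flows into a query."},
            "partialFingerprints": {"primaryLocationLineHash": fingerprint},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}],
            "properties": {"confidence": "high"}}  # property bag: free-form tool data

# Constructed logs: the baseline result moves from line 42 to 45 (same fingerprint) and
# a new result appears in a second artifact.
BASELINE = {"version": "2.1.0", "runs": [make_run([make_result("src/db.py", 42, "a1b2c3")])]}
CURRENT = {"version": "2.1.0", "runs": [make_run([make_result("src/db.py", 45, "a1b2c3"),
                                                  make_result("src/api.py", 7, "d4e5f6")])]}

def rule_for(run, result):
    """Resolve a result's rule metadata from the driver's reportingDescriptor list."""
    for rule in run["tool"]["driver"].get("rules", []):
        if rule["id"] == result["ruleId"]:
            return rule
    return None

def result_key(result):
    """Identity for result matching: rule id, artifact URI and fingerprint, not the line
    number, so a result that merely shifts within a file is not reported as new."""
    uri = result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
    fingerprint = tuple(sorted(result.get("partialFingerprints", {}).items()))
    return (result["ruleId"], uri, fingerprint)

def match_results(baseline_run, current_run):
    """Classify results as appeared, disappeared or unchanged between two runs."""
    base = {result_key(r) for r in baseline_run["results"]}
    cur = {result_key(r) for r in current_run["results"]}
    return {"appeared": sorted(cur - base),
            "disappeared": sorted(base - cur),
            "unchanged": sorted(base & cur)}

if __name__ == "__main__":
    print(match_results(BASELINE["runs"][0], CURRENT["runs"][0]))
```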