From bcb5e652ef9c1edce20056c0759a4529b532e080 Mon Sep 17 00:00:00 2001 From: "David A. Wheeler" Date: Sun, 30 May 2021 18:46:50 -0400 Subject: [PATCH] Document SARIF details in man page Signed-off-by: David A. Wheeler --- flawfinder.1 | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/flawfinder.1 b/flawfinder.1 index 07acc1e..d8f4c31 100644 --- a/flawfinder.1 +++ b/flawfinder.1 @@ -52,6 +52,7 @@ flawfinder \- lexically find potential security flaws ("hits") in source code .RB [ \-\-dataonly | \-D ] .RB [ \-\-html | \-H ] .RB [ \-\-immediate | -i ] +.RB [ \-\-sarif ] .RB [ \-\-singleline | \-S ] .RB [ \-\-omittime ] .RB [ \-\-quiet | \-Q ] @@ -300,7 +301,8 @@ integrated development environments; see the examples for more information. .PP Flawfinder includes many other options, including ones to -create HTML versions of the output (useful for prettier displays). +create HTML versions of the output (useful for prettier displays) and +Static Analysis Results Interchange Format (SARIF) output. The next section describes those options in more detail. .SH OPTIONS 
@@ -534,6 +536,35 @@ Format the output as HTML instead of as simple text. .BI -i Immediately display hits (don't just wait until the end). + +.TP +.BI \-\-sarif +Produce output in the OASIS +Static Analysis Results Interchange Format (SARIF) format (a JSON-based format). +The goals of the SARIF format, as explained in +version 2.1.0 (27 March 2020) of its specification, include being able to +"comprehensively capture the range of data produced by commonly +used static analysis tools." +SARIF output identifies the tool name as "Flawfinder". +The flawfinder levels 0 through 5 are mapped to SARIF rank (by dividing by 5), +SARIF level, and the default viewer action as follows: + +Flawfinder 0: SARIF rank 0.0, SARIF level notei, Does not display by default + +Flawfinder 1: SARIF rank 0.2, SARIF level note,Does not display by default + +Flawfinder 2: SARIF rank 0.4, SARIF level note, Does not display by default + +Flawfinder 3: SARIF rank 0.6, SARIF level warning, Displays by default, does not break build / other processes + +Flawfinder 4: SARIF rank 0.8, SARIF level error,Displays by default, breaks build/ other processes + +Flawfinder 5: SARIF rank 1.0, SAIRF level error, Displays by default, breaks build/ other processes + +A big thanks to Yong Yan implementing SARIF output generation for flawfinder! +For more about the SARIF format, see: +https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif + .TP .BI "\-\-singleline" .TP
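Review bot: the new \-\-sarif entry in the third hunk (flawfinder.1, the block starting at the added .TP after the -i description) carries several typos and spacing errors that will render verbatim in the man page: "SARIF level notei" should read "SARIF level note", "SAIRF level error" should read "SARIF level error", the level 1 and level 4 rows are missing the space after the comma ("note,Does" and "error,Displays"), and "breaks build/ other processes" should match the level 3 row's "break build / other processes". The credit line "A big thanks to Yong Yan implementing SARIF output generation" is missing "for" ("Yong Yan for implementing"). Since the six mapping rows are plain text lines separated by blank lines inside a .TP paragraph, consider marking them with .IP (or wrapping them in .RS/.RE) so they indent consistently with the rest of the OPTIONS section instead of falling back to the .TP body margin.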