test: add sarif validation

Author: sruehl

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/mozilla/tls-observatory v0.0.0-20250923143331-eef96233227e
 	github.com/onsi/ginkgo/v2 v2.27.2
 	github.com/onsi/gomega v1.38.2
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/crypto v0.43.0
 	golang.org/x/text v0.30.0

go.sum

@@ -340,6 +340,8 @@ github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWN
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=

report/sarif/sarif_test.go

@@ -2,16 +2,79 @@ package sarif_test
 
 import (
 	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
 	"regexp"
+	"sync"
+	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"github.com/santhosh-tekuri/jsonschema/v5"
 
 	"github.com/securego/gosec/v2"
 	"github.com/securego/gosec/v2/issue"
 	"github.com/securego/gosec/v2/report/sarif"
 )
 
+var (
+	sarifSchemaOnce   sync.Once
+	sarifSchema       *jsonschema.Schema
+	sarifSchemaErr    error
+	sarifSchemaClient = &http.Client{Timeout: 30 * time.Second}
+)
+
+func validateSarifSchema(report *sarif.Report) error {
+	GinkgoHelper()
+	sarifSchemaOnce.Do(func() {
+		resp, err := sarifSchemaClient.Get(sarif.Schema)
+		if err != nil {
+			sarifSchemaErr = fmt.Errorf("fetch sarif schema: %w", err)
+			return
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			sarifSchemaErr = fmt.Errorf("fetch sarif schema: unexpected status %s", resp.Status)
+			return
+		}
+
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			sarifSchemaErr = fmt.Errorf("read sarif schema: %w", err)
+			return
+		}
+
+		compiler := jsonschema.NewCompiler()
+		if err := compiler.AddResource("sarif-schema.json", bytes.NewReader(body)); err != nil {
+			sarifSchemaErr = fmt.Errorf("compile sarif schema: %w", err)
+			return
+		}
+
+		sarifSchema, sarifSchemaErr = compiler.Compile("sarif-schema.json")
+	})
+
+	if sarifSchemaErr != nil {
+		return sarifSchemaErr
+	}
+
+	// Marshal the report to JSON
+	v, err := json.Marshal(report)
+	if err != nil {
+		return err
+	}
+
+	// Unmarshal into interface{} for schema validation
+	var data interface{}
+	if err := json.Unmarshal(v, &data); err != nil {
+		return err
+	}
+
+	return sarifSchema.Validate(data)
+}
+
 var _ = Describe("Sarif Formatter", func() {
 	BeforeEach(func() {
 	})
@@ -23,6 +86,9 @@ var _ = Describe("Sarif Formatter", func() {
 			result := buf.String()
 			Expect(err).ShouldNot(HaveOccurred())
 			Expect(result).To(ContainSubstring("\"results\": ["))
+			sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)
+			Expect(err).ShouldNot(HaveOccurred())
+			Expect(validateSarifSchema(sarifReport)).To(Succeed())
 		})
 
 		It("sarif formatted report should contain the suppressed results", func() {
@@ -57,6 +123,9 @@ var _ = Describe("Sarif Formatter", func() {
 
 			hasSuppressions, _ := regexp.MatchString(`"suppressions": \[(\s*){`, result)
 			Expect(hasSuppressions).To(BeTrue())
+			sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)
+			Expect(err).ShouldNot(HaveOccurred())
+			Expect(validateSarifSchema(sarifReport)).To(Succeed())
 		})
 		It("sarif formatted report should contain the formatted one line code snippet", func() {
 			ruleID := "G101"
@@ -84,6 +153,7 @@ var _ = Describe("Sarif Formatter", func() {
 			sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)
 			Expect(err).ShouldNot(HaveOccurred())
 			Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode))
+			Expect(validateSarifSchema(sarifReport)).To(Succeed())
 		})
 		It("sarif formatted report should contain the formatted multiple line code snippet", func() {
 			ruleID := "G101"
@@ -111,6 +181,7 @@ var _ = Describe("Sarif Formatter", func() {
 			sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)
 			Expect(err).ShouldNot(HaveOccurred())
 			Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode))
+			Expect(validateSarifSchema(sarifReport)).To(Succeed())
 		})
 		It("sarif formatted report should have proper rule index", func() {
 			rules := []string{"G404", "G101", "G102", "G103"}
@@ -171,6 +242,7 @@ var _ = Describe("Sarif Formatter", func() {
 				driverRuleIndexes[rule.ID] = ruleIndex
 			}
 			Expect(resultRuleIndexes).Should(Equal(driverRuleIndexes))
+			Expect(validateSarifSchema(sarifReport)).To(Succeed())
 		})
 	})
 })