
cargo-audit: Provide SARIF export of findings #1055

Open
reedloden opened this issue Nov 1, 2023 · 2 comments

Comments

@reedloden

SARIF is an industry-standard format for the output of static analysis tools.

It would be great if cargo-audit could export findings in SARIF so that the results can be imported into existing tooling (such as GitHub).

@Shnatsel
Member

Shnatsel commented Nov 1, 2023

Certain other standards for vulnerability information interchange exist. For example CycloneDX added vulnerability data in v1.4. There are also VEX standards. Is there a particular reason to prefer SARIF over the others?

@reedloden
Author

@Shnatsel Apologies for the delay. SARIF is the industry standard format for static analysis tool output. It's not specific to vulnerability information. cargo-audit is at its core a static analysis tool, checking source code for vulnerabilities, which is why SARIF fits as an export format to support.

https://github.com/microsoft/sarif-tutorials/blob/main/docs/1-Introduction.md#why-sarif provides good reasons why SARIF exists, explaining why the current methods are inadequate.

Solely from a usability standpoint, GitHub solely supports SARIF for integration with GitHub Code Scanning so that any alerts show up as part of GitHub Actions and within the security dashboard. This means that with SARIF support, cargo-audit (via https://github.com/rustsec/audit-check) can submit SARIF output to GitHub via the upload-sarif action.

Once cargo-audit supports SARIF, I would be happy to submit a PR to https://github.com/rustsec/audit-check to take the SARIF output and submit it to GitHub as part of a GitHub Action workflow run.
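As an added illustration of the export the thread is asking for (not code from this issue, from cargo-audit or from audit-check), the following script maps a `cargo audit --json` report onto a minimal SARIF 2.1.0 log of the kind the `upload-sarif` action accepts. It assumes the report shape shown in the constructed sample (`vulnerabilities.list[].advisory`, `.package`, `.versions`); only those fields are relied on, and the advisory identifiers are placeholders.

```python
"""Convert a cargo-audit JSON report into a minimal SARIF 2.1.0 log (example code)."""
import json
import sys

# Constructed sample of the `cargo audit --json` report; the field names are an
# assumption about the real format, and the RUSTSEC/CVE ids are placeholders.
SAMPLE_REPORT = {
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [{
            "advisory": {
                "id": "RUSTSEC-0000-0000",
                "title": "Constructed advisory title",
                "description": "Constructed advisory description.",
                "url": "https://example.invalid/advisory",
                "aliases": ["CVE-0000-0000"],
            },
            "package": {"name": "example-crate", "version": "0.1.0"},
            "versions": {"patched": [">=0.1.1"], "unaffected": []},
        }],
    }
}


def to_sarif(report: dict, lockfile: str = "Cargo.lock") -> dict:
    """Emit one SARIF rule (the advisory) and one result (the affected crate) per finding."""
    rules, results = [], []
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        adv, pkg = vuln["advisory"], vuln["package"]
        rules.append({
            "id": adv["id"],
            "shortDescription": {"text": adv.get("title", adv["id"])},
            "fullDescription": {"text": adv.get("description", "")},
            "helpUri": adv.get("url", ""),
            "properties": {"tags": ["security"] + list(adv.get("aliases", []))},
        })
        patched = ", ".join(vuln.get("versions", {}).get("patched", [])) or "none"
        results.append({
            "ruleId": adv["id"],
            "level": "error",
            "message": {"text": f"{pkg['name']} {pkg['version']} is affected by "
                                f"{adv['id']}; patched versions: {patched}"},
            # cargo-audit works on the lockfile, so that is the only artifact to point at.
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": lockfile}}}],
        })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "cargo-audit", "rules": rules}},
                      "results": results}]}


if __name__ == "__main__":
    # Usage: cargo audit --json | python3 cargo_audit_sarif.py > results.sarif
    report = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    print(json.dumps(to_sarif(report), indent=2))
```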
