Subject: SARIF writer and SWAMP SCARF to SARIF converter


For use in the SWAMP (https://www.continuousassurance.com), we created 
an open source Perl library to produce SARIF 
(https://github.com/mirswamp/swamp-sarif-io). It provides a streaming 
interface based on the streaming library used to write a SCARF (SWAMP 
Common Assessment Result Format) formatted file.  Although it was 
written for use by the SWAMP, it is not specific to the SWAMP.

We used this library to produce a converter 
(https://github.com/mirswamp/swamp-scarf-sarif) from SCARF to SARIF. 
Currently the converter produces valid SARIF files from assessment 
results of 35 of the tools supported in the SWAMP, and contains all the 
data from SCARF and some data from other artifacts produced during 
assessments in the SWAMP.

We will soon make available SARIF files containing assessment results 
from many package and tool combinations produced by the converter.  We 
will also continue to enhance the library with additional functionality 
to support more of SARIF starting with additional data that we can 
extract from the SWAMP artifacts and raw tool output.

Any comments or suggestions are welcome.


