When I started working on the project, I researched SARIF, but it was only supported by a few security tool vendors and looked like a total nightmare to work with.
But I am on a constant lookout to ensure that I am not reinventing the wheel, so I kept coming back to SARIF again and again, including experimental support, and read all the docs several times but kept declining the central role of the standard in what I am doing, even though it did look logical to use research by people that are way smarter than me.
Well, the last drop was when I learned that Snyk Code uses SARIF as its primary export format (even if you choose “JSON” over “SARIF,” it still uses SARIF, and that makes a lot of sense).
After finishing my work on Snyk Code automation for the project, it looks like all work around SARIF adoption is done, and it now totally makes sense to use it to replace the custom TSP generic issue format.
So I am planning another major refactoring of the project code, replacing my custom generic issue format with SARIF in all the project code internals.