@snovon/solast 0.2.0

package/dist/formatters/sarif.js

@@ -0,0 +1,670 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sarifLevelForFinding = sarifLevelForFinding;
+exports.getCuratedSarifRuleIds = getCuratedSarifRuleIds;
+exports.getCuratedSarifRules = getCuratedSarifRules;
+exports.formatSarif = formatSarif;
+const path = __importStar(require("path"));
+const url_1 = require("url");
+const severity_1 = require("../severity");
+const RULE_IDS = [
+    'avs-slashing-without-quorum-check',
+    'balancer-flash-loan-manipulation',
+    'balancer-pause-guard',
+    'balancer-weighted-pool-flash-loan',
+    'classic-reentrancy',
+    'access-control',
+    'integer-overflow',
+    'cross-contract-integer-overflow',
+    'integer-overflow-underflow',
+    'timestamp-manipulation',
+    'oracle-manipulation',
+    'oracle-vortex-manipulation',
+    'overpriced-asset-in-oracle',
+    'oracle-staleness',
+    'oracle/price-feed-verification',
+    'price-dependency-veth',
+    'vulnerable-price-dependency',
+    'staked-rate-as-oracle',
+    'unbounded-share-price-collateral-oracle',
+    'cross-protocol-oracle-collateral',
+    'single-spot-oracle-collateral-valuation',
+    'fallback-delegatecall-reentrancy',
+    'delegatecall-fallback-reentrancy-bypass',
+    'liquidity-poisoning',
+    'euler-debt-token-manipulation',
+    'check-effects-interactions',
+    'aave-v2-reentrancy',
+    'cross-function-reentrancy',
+    'unchecked-external-call',
+    'unchecked-external-call-unconditional-state-mutation',
+    'nft-marketplace-order-reentrancy',
+    'reentrancy-on-sell-nft',
+    'reentrancy-balance',
+    'incorrect-burn-accounting',
+    'incorrect-dividends',
+    'deflationary-token',
+    'missing-access-control',
+    'arbitrary-transfer-from',
+    'delegate-transfer-unrestricted-caller',
+    'arbitrary-call',
+    'user-controlled-arbitrary-call',
+    'arbitrary-recipient-no-access-control',
+    'nft-token-standard-access-control',
+    'lack-of-validation-userdata',
+    'lack-of-calldata-validation',
+    'lack-of-validation-pool',
+    'integer-underflow',
+    'erc777-callback-reentrancy',
+    'erc777-reentrancy',
+    'erc1155-reentrancy',
+    'permit-future-dated-deadline',
+    'check-permit-missing-chainid',
+    'incorrect-signature-verification',
+    'token-incorrect-signature-verification',
+    'steth-transfer-reentrancy',
+    'parity-multisig-delegatecall',
+    'delegatecall-init',
+    'proxy-init-race',
+    'unprotected-initializer',
+    'initialization-access-control',
+    'share-price-manipulation',
+    'vault-share-price-manipulation',
+    'vault-inflation-rounding',
+    'liquidation-gain-manipulation',
+    'liquidation-accounting-desync',
+    'yearn-vault-v2-share-price-manipulation',
+    'post-insolvency-check',
+    'bypassed-insolvency-check',
+    'incorrect-dividends-calculation',
+    'borrow-behalf-consent',
+    'beneficiary-validation',
+    'unindexed-event-address',
+    'precision-truncation',
+    'precision-loss-vulnerability',
+    'batch-transfer-overflow',
+    'misconfiguration',
+    'stablecoin-pair-spot-oracle',
+    'flashloan-price-manipulation',
+    'bridge-missing-message-nonce',
+    'finance-flashloan-price-oracle-manipul',
+    'business-logic-flaw-flashloan-price-mani',
+    'business-logic-flaw',
+    'unauthorized-transferfrom',
+    'approval-based-drain',
+    'unprotected-admin-or-fund-sink',
+    'incorrect-access-control',
+    'price-manipulation-reentrancy',
+    'price-manipulation-via-reentranc',
+    'arbitrary-address-spoofing',
+    'arbitrary-address-spoofing-attack',
+    'permissionless-claim-amm-spot-pricing',
+    'business-logic-flaw-incorrect-recipient-balance',
+    'farm-business-logic-flaw-lack-of-access',
+    'logic-flaw',
+    'reflection-token-balance-desync',
+    'simpleswap-unverified-approval',
+    'manipulation-of-funds',
+    'compoundv2-inflation-attack',
+    'donate-inflation-exchangerate-roundin',
+    'add-reentrancy-on-weth-contract',
+    'zetachain-gateway-hack-analysis',
+    'lack-of-input-validation-reentrancy',
+    'lack-of-slippage-control',
+    'lack-of-slippage-protection',
+    'missing-swap-deadline-slippage',
+    'unprotected-dex-swap',
+    'generalized-frontrunning',
+    'lack-of-access-control',
+    'delegated-authorization-bypass',
+    'signature-replay',
+    'mev-boost-timestamp',
+    'mev-merge-exploit',
+    'mev-sandwich-vulnerability',
+    'mev-slot-manipulation',
+    'merkl-unsafe-claim-callback',
+    'uncapped-reward-emission',
+    'eip1167-proxy-reentrancy',
+    'chainlink-tx-origin',
+    'chainlink-deprecated-function',
+    'unsafe-tx-origin',
+    'eip7702-delegation-reentrancy',
+    'eip7702-delegation-risk',
+    'eip7702-eoa-assumption',
+    'eip7702-auth-replay',
+    'eip7702-cross-chain-replay',
+    'eip5792-auth-replay',
+    'bad-k-value-verification',
+    'v2-error-k-value-attack',
+    'parameter-manipulation',
+    'treasury-reentrancy',
+    'reentrancy-business-logic-game',
+    'protocol-reentrancy',
+    'infinite-number-of-loans',
+    'finance-bridge-address0safetransferfrom',
+    'fi-bridges',
+    'infinite-loop',
+    'finance-flashloan-reentrancy',
+    'finance-business-logic-in-mint',
+    'flashloan-reentrancy',
+    'capital-cross-contract-reentrancy',
+    'cross-contract-reentrancy',
+    'finance-erc667-reentrancy',
+    'bridge-forged-proof',
+    'arbitrary-storage-proof-forgery',
+    'bridge-business-logic-flaw-incorrect-acc',
+    'bridge-accounting-bypass',
+    'bridge-collateral-drain',
+    'network-bridge',
+    'network-bridge-ronin',
+    'bridge-swap-metapool-attack',
+    'finance-swap-metapool-attack',
+    'transfer-double-debit-pool-recipient',
+    'fee-mechanism-exploitation',
+    'skim-token-balance',
+    'uniswap-skim-token-balance-attack',
+    'doge-flashloan',
+    'v4-hook-state-manipulation',
+    'cross-protocol-contagion',
+    'bad-debt-propagation',
+    'cache-storage-reads',
+    'division-before-multiplication',
+    'cross-chain-messaging',
+    'cross-chain-truncation',
+    'cross-chain-msg-truncation',
+    'solana-evm-bridge-truncation',
+    'cross-chain-arbitrary-call',
+    'cross-vm-reentrancy',
+    'chain-coupling-risk',
+    'sky-oft-governance-payload',
+    'sky-oft-governance-truncation',
+    'unchecked-oft-return',
+    'erc4626-totalassets-stub',
+    'erc20-unchecked-non-standard-return',
+    'erc7579-module-install-without-threshold',
+    'erc1271-stub-implementation',
+    'layerzero-v2-unverified-origin',
+    'layerzero-dvn-quorum-missing',
+    'cross-chain-message-replay',
+    'arbitrum-cross-chain-message-replay',
+    'ccip-receiver-missing-replay-guard',
+    'cross-chain-message-order-dependency',
+    'anyswap-anytoken-permit-allowance-drain',
+    'unguarded-governance-executor',
+    'analyzing-the-uniswap-v3-exploit',
+    'receipt-redemption-missing-validation',
+    'delegatecall-in-loops',
+    'unsigned-validity-window',
+    'l1-to-l2-message-reentrancy',
+    'l2-withdrawal-validation',
+    'zksync-batch-validation',
+    'zksync-simulation-drift',
+    'zk-rollup-da-gap',
+    'starkware-proof-validation-gap',
+    'unbound-zk-verifier-input',
+    'uups-uninitialized-storage',
+    'uninitialized-storage-pointer',
+    'unsafe-transient-storage',
+    'tstore-poison',
+    'tstore-race-condition',
+    'unsafe-proxy-storage',
+    'proxy-storage-slot-collision',
+    'unprotected-upgrade-function',
+    'erc6909-balance-overflow',
+    'erc6909-operator-scope',
+    'network-underflow',
+    'storage-collision-malicious-proposal',
+    'unguarded-governance-execution',
+    'governance-flash-loan',
+    'loans-malicious-proposal-price-oracle',
+    's-horizon-bridge-private-key-compromis',
+    'miscalculation-on-spendallowance',
+    'cartel-custom-approval-logic',
+    'token-transfer-logic-flaw',
+    'zero-fee',
+    'break-continue-scope',
+    'erc7683-intent-resolution',
+    'erc7683-fill-validation',
+    'cross-chain-intent-stale-resolution',
+    'cross-chain-intent-replay',
+    'unreachable-code-0.8.28',
+    'any-token-is-destroyed',
+    'flashloan-token-migrate',
+    'migration-rebalance-without-bound',
+    'my-experience-with-yearn-finance',
+    'finance-access-control-price-oracle-man',
+    'arbitrary-account-balance-transfer',
+    'token-access-control',
+    'fhe-state-leakage',
+    'fhe-encrypted-input-validation',
+    'fhe-handle-leakage',
+    'fhe-oz-pattern-misuse',
+    'dos-unbounded-loop-external-call-revert',
+    'nft-denial-of-service',
+    'liquidation-price-rounding-advantage',
+    'estuary-token-flaw',
+    'dont-let-eth-get-rekt',
+    'eip712-signature-verification',
+    'coinbase-morpho-wethloan-policy',
+    'ai-generated-randomness',
+    'bad-randomness-zero-blockhash',
+    'insecure-randomness',
+    'weak-random-mint',
+    'read-only-reentrancy',
+    'rollup-unvalidated-state-update',
+    'public-internal-function',
+    'withdraw-be-to-withdraw',
+    'v4-hook-reentrancy',
+    'phishing-attack-bybit',
+    'erc20-safe-wrapper-return-unchecked',
+    'pair-manipulation-transfer-hook',
+    'vortex-protocol-reentrancy-guard',
+    'solhint-unchecked-low-level-call',
+];
+const RULE_DESCRIPTIONS = {
+    'access-control': 'Externally callable privileged operation without recognized access control.',
+    'avs-slashing-without-quorum-check': 'AVS slashing or settlement write occurs before a visible operator quorum-threshold check.',
+    'balancer-flash-loan-manipulation': 'Balancer weighted-pool flash-loan flow mutates and distorts pool state before spot-style price or balance consumption.',
+    'balancer-pause-guard': 'Balancer V2-style pool swap, join, or exit path lacks an emergency pause, stop, or circuit-breaker guard.',
+    'balancer-weighted-pool-flash-loan': 'Balancer-style weighted pool operation co-occurs with a flash-loan entry point in the same function body, enabling atomic spot-price manipulation.',
+    'classic-reentrancy': 'State modification after an external call in the same function.',
+    'check-effects-interactions': 'Check-effects-interactions ordering violation in a Solidity function.',
+    'bypassed-insolvency-check': 'Borrow or withdrawal flow moves value before a solvency or health-factor guard.',
+    'incorrect-dividends-calculation': 'Incorrect dividends calculation due to state mutation after external transfer or stale supply values.',
+    'erc777-callback-reentrancy': 'ERC777 token callback before dependent accounting updates.',
+    'erc1155-reentrancy': 'Unguarded ERC-1155 receiver hook may allow reentrancy.',
+    'integer-overflow': 'Unchecked arithmetic that can overflow or underflow.',
+    'cross-contract-integer-overflow': 'Same-target contract or interface call return value flows into unchecked arithmetic.',
+    'timestamp-manipulation': 'Value-bearing logic depends on miner-influenceable timestamps or block numbers.',
+    'stablecoin-pair-spot-oracle': 'stablecoin-pair value logic trusts mutable AMM spot reserves or pair balances.',
+    'delegatecall-init': 'Externally reachable delegatecall can invoke unprotected initialization logic.',
+    'eip1167-proxy-reentrancy': 'Loop-based delegatecall through uninitialized or externally writable EIP-1167 proxy state.',
+    'logic-flaw': 'Business-logic path contains a narrow stale-accounting, live spot-price dependency, price-inflating sell-on-transfer, repeated msg.value reuse, or unvalidated pair/token migration sub-pattern.',
+    'simpleswap-unverified-approval': 'Approval of unverified token or to unverified spender: token or spender is caller-controlled without validation.',
+    'manipulation-of-funds': 'Public fund movement consumes a live token balance of this contract that can be inflated by direct transfer.',
+    'missing-access-control': 'Externally callable critical function without recognized access control.',
+    'incorrect-access-control': 'Externally callable spell or privileged-control mutator reaches mint/accounting authority without caller authorization.',
+    'arbitrary-call': 'Caller-controlled target and calldata reach call, delegatecall, staticcall, or interface-style execution without an access-control or allowlist boundary.',
+    'delegate-transfer-unrestricted-caller': 'Externally callable delegate-transfer path spends a caller-supplied source account without delegate authorization.',
+    'oracle-manipulation': 'Oracle price feed consumed without freshness, deviation, or exponent-scaling safeguards.',
+    'oracle-vortex-manipulation': 'External price feed consumed in a critical path without freshness check, multi-source validation, or circuit-breaker guard.',
+    'price-dependency-veth': 'Critical value-transfer function uses a single unsanitized price or rate signal to compute mint, burn, swap, redeem, or withdrawal amounts.',
+    'vulnerable-price-dependency': 'Oracle or AMM price read flows into critical value movement without freshness, deviation, TWAP, or hardcoded sanity bounds.',
+    'price-manipulation-reentrancy': 'Price-affecting oracle, reserve, TWAP, or accounting state is settled after a reentrant external call.',
+    'price-manipulation-via-reentranc': 'CarolProtocol-style reserve pricing is settled after a router reentry surface.',
+    'read-only-reentrancy': 'Read-only reentrancy risk from stale state observed during callbacks.',
+    'rollup-unvalidated-state-update': 'Rollup batch or state-root commit path writes a new root without visible prior-root linkage and verifier-success gating.',
+    'v4-hook-reentrancy': 'Uniswap V4 hook callback re-enters PoolManager or mutates modeled pool state.',
+    'v4-hook-state-manipulation': 'Uniswap V4 hook callback mutates state and reuses it in the same swap flow.',
+    'withdraw-be-to-withdraw': 'Withdrawal function debits one asset class but transfers (or delegates to) a different asset class.',
+    'overpriced-asset-in-oracle': 'Externally derived asset price, share, or exchange rate is consumed by protocol accounting without an upward bound or sanity check.',
+    'single-spot-oracle-collateral-valuation': 'Borrow or liquidation collateral valuation depends on a single unprotected spot oracle price.',
+    'fallback-delegatecall-reentrancy': 'Cross-contract reentrancy surface from a fallback or receive function that delegatecalls to an extension while the contract also exposes nonReentrant-guarded entrypoints.',
+    'delegatecall-fallback-reentrancy-bypass': 'Cross-contract reentrancy surface from a fallback or receive function that delegatecalls to an extension while the contract also exposes nonReentrant-guarded entrypoints. Bypass variation.',
+    'liquidity-poisoning': 'Curve or Uniswap V3 pool state feeds fund movement or accounting without liquidity, deviation, or freshness validation.',
+    'coinbase-morpho-wethloan-policy': 'Duplicate active-policy installation across Morpho ERC20 and WETH policy variants in isolated storage.',
+    'phishing-attack-bybit': 'Externally reachable function delegatecalls to a caller-controlled target without access control or a target allowlist.',
+    'cross-chain-intent-replay': 'Cross-chain intent handler performs settlement or dispatches relayed commands without nonce/hash consumption, allowlist restriction, or pre-consumption invalidation.',
+    'arbitrum-cross-chain-message-replay': 'Arbitrum bridge message handler executes a relayed payload without nonce or processed-message replay protection.',
+    'ccip-receiver-missing-replay-guard': 'Chainlink CCIP receiver processes an inbound message before consuming its messageId.',
+    'arbitrary-storage-proof-forgery': 'Storage proof verifier data authorizes a bridge withdrawal, claim, mint, release, or message execution without binding root, domain, account or slot, and payload to trusted local state.',
+    'fhe-encrypted-input-validation': 'Caller-supplied FHE ciphertext bytes are converted without visible provenance verification or sender binding.',
+    'fhe-handle-leakage': 'FHE encrypted handles are persisted or consumed by decryption callbacks without visible ACL grants or authorization gates.',
+    'fhe-oz-pattern-misuse': 'FHE state and operations layered onto OpenZeppelin upgradeable proxies or access-control mixins without the additional sealing, allowlisting, or initializer guards FHE requires.',
+    'eip7702-cross-chain-replay': 'EIP-7702 delegated-account authorization entries are accepted without binding chainId to block.chainid.',
+    'ai-generated-randomness': 'AI-generated Solidity code uses block.timestamp, blockhash, or predictable block fields as entropy sources in lottery, raffle, or mint-distribution flows.',
+    'bad-randomness-zero-blockhash': 'Current-block blockhash is used as randomness even though blockhash(block.number) always returns zero.',
+    'insecure-randomness': 'Predictable block or gas values influence winner selection, reward allocation, privileged branching, minting, or transfer gates.',
+    'weak-random-mint': 'Weak random mint flaw: predictable block fields are used to gate or compute a mint/transfer amount without sufficient access control.',
+    'capital-cross-contract-reentrancy': 'Function reflects its own share/capital state via a sibling-contract balance, supply, or exchange-rate read while still yielding control through a value-bearing call — the Rari Capital 2021-05-08 cross-contract reentrancy shape.',
+    'cache-storage-reads': 'Repeated state-variable storage reads in the same function can be cached in a local variable.',
+    'cross-contract-reentrancy': 'Stale storage read after an untrusted external call where a sibling function can modify the same storage slot during the callback window.',
+    'governance-flash-loan': 'Flash-loan or rapid bulk governance-token acquisition flows into same-transaction governance execution and privileged role, mint, or treasury-drain behavior.',
+    'sky-oft-governance-truncation': 'OFT/LayerZero send path encodes a narrowed fixed-width governance payload before cross-chain dispatch.',
+    'vault-inflation-rounding': 'Share minting divides by a live token balance that can be donated to inflate the exchange rate and round deposits to zero shares.',
+    'liquidation-gain-manipulation': 'Liquidation, redemption, or stability-pool accounting can be skipped, reordered after value transfer, or derived from stale snapshot state.',
+    'liquidation-accounting-desync': 'Debt mutation or position finalization occurs before cross-contract accounting reconciliation is complete in liquidation/redemption flows.',
+    'yearn-vault-v2-share-price-manipulation': 'Vault conversion arithmetic uses donation-manipulable live balance over the ERC20 totalSupply(), permitting price manipulation.',
+    'mev-merge-exploit': 'Post-Merge MEV extraction surfaces from unprotected proposer payments, unguarded swap state mutation, or block-field-gated proposer credits.',
+    'mev-sandwich-vulnerability': 'DEX swap calls missing slippage guards, carrying unbounded deadlines, or preceded by pool state reads that leak trade intent.',
+    'mev-slot-manipulation': 'Post-Merge MEV-prone block timestamp, block number, or proposer identity assumptions gate sensitive value or state paths.',
+    'merkl-unsafe-claim-callback': 'Unsafe onClaim callback in claim/distribution flow without revert isolation.',
+    'missing-swap-deadline-slippage': 'Uniswap-style DEX router swaps use literal zero minimum output, zero or bare timestamp deadlines, or unbounded deadline sentinels.',
+    'permit-future-dated-deadline': 'ERC-2612 permit implementations and call sites accept effectively unbounded future deadlines.',
+    'unprotected-dex-swap': 'DEX swap calls should use meaningful slippage and execution-time protections.',
+    'erc20-safe-wrapper-return-unchecked': 'Wrapper function (safeTransfer, safeTransferFrom, or safeApprove) swallows the underlying ERC20 boolean return value instead of asserting, assigning, or propagating it.',
+    'pair-manipulation-transfer-hook': 'Transfer hook reads AMM reserves and mutates pair-held token balances.',
+    'check-permit-missing-chainid': 'ERC-2612 permit signatures are accepted with an EIP-712 domain that omits runtime chain id binding or uses a stale chain id.',
+    'incorrect-signature-verification': 'Raw ecrecover authorization or proof flow lacks trusted signer binding or checked-and-written replay protection.',
+    'token-incorrect-signature-verification': 'Token permit, claim, or mint signature verification omits zero-address, domain, nonce, or high-s safeguards.',
+    'vortex-protocol-reentrancy-guard': 'External token/native transfer or low-level call precedes balance or ledger mutation.',
+    'unchecked-external-call-unconditional-state-mutation': 'Unchecked external call return value leading to phantom state changes.',
+    'solhint-unchecked-low-level-call': 'Unchecked low-level call result: the boolean success value must be validated.',
+    'eip712-signature-verification': 'EIP-712 typed-data signature verification missing zero-address, replay, domain, or chain-aware cache binding.',
+    'eip7702-eoa-assumption': 'Flags assumptions about EOA code length or tx.origin that are invalidated by EIP-7702 delegated execution.',
+    'zksync-simulation-drift': 'zkSync Era-specific msg.sender, nonce, or deployment address assumptions that can diverge during system-contract mediated simulation.',
+    'v2-error-k-value-attack': 'Uniswap-V2-style swap K invariant can be bypassed through mismatched fee scaling or a stale pre-reconciliation K check.',
+    'fee-mechanism-exploitation': 'ERC20 transferFrom permits self-transfer through fee or burn accounting that debits a transfer participant.',
+    'erc7579-module-install-without-threshold': 'ERC-7579 module install path mutates module state before enforcing a threshold or quorum policy.',
+    'layerzero-dvn-quorum-missing': 'LayerZero v2 receive handler consumes payload data before enforcing a DVN quorum or verifier threshold.',
+    'public-internal-function': 'Externally callable internal-intent helper mutates state without access control.',
+};
+const DEFAULT_RULE_SEVERITY = 'medium';
+function detectorHelpUri(ruleId) {
+    return 'https://snovon.com/';
+}
+function titleizeRuleId(ruleId) {
+    return ruleId
+        .split(/[\/-]+/)
+        .filter(Boolean)
+        .map(part => {
+        const lower = part.toLowerCase();
+        if (/^(ai|amm|dao|eip|erc|evm|l1|l2|nft|oft|uups|vm|zk)$/.test(lower)) {
+            return lower.toUpperCase();
+        }
+        return part.charAt(0).toUpperCase() + part.slice(1);
+    })
+        .join(' ');
+}
+const RULES = RULE_IDS.map(id => ({
+    id,
+    shortDescription: RULE_DESCRIPTIONS[id] || `Detects ${titleizeRuleId(id)} risk patterns in Solidity contracts.`,
+    helpUri: detectorHelpUri(id),
+    defaultSeverity: DEFAULT_RULE_SEVERITY,
+}));
+function normalizeUriPath(file) {
+    return file.replace(/\\/g, '/');
+}
+function isOutsideRoot(relativePath) {
+    const normalized = normalizeUriPath(relativePath);
+    return normalized === '..' || normalized.startsWith('../') || path.isAbsolute(relativePath);
+}
+function fileUri(file) {
+    return (0, url_1.pathToFileURL)(path.resolve(file)).href;
+}
+function artifactUri(file, opts = {}) {
+    if (!path.isAbsolute(file)) {
+        return { uri: normalizeUriPath(file), usesAbsoluteFileUri: false };
+    }
+    const root = opts.rootDir || opts.cwd;
+    if (root) {
+        const relative = path.relative(path.resolve(root), file);
+        if (!isOutsideRoot(relative)) {
+            return { uri: normalizeUriPath(relative), usesAbsoluteFileUri: false };
+        }
+    }
+    return { uri: fileUri(file), usesAbsoluteFileUri: true };
+}
+function compareString(a, b) {
+    return a.localeCompare(b);
+}
+function sortFindings(opts) {
+    return (a, b) => compareString(artifactUri(a.file, opts).uri, artifactUri(b.file, opts).uri)
+        || (a.line || 0) - (b.line || 0)
+        || compareString(a.ruleId, b.ruleId)
+        || compareString(a.findingId || '', b.findingId || '');
+}
+function regionFor(finding) {
+    if (!Number.isInteger(finding.line) || finding.line <= 0)
+        return undefined;
+    const region = { startLine: finding.line };
+    // ScanResult columns are parser-native 0-based (@solidity-parser
+    // loc.*.column); SARIF columns are 1-based, so convert at this boundary.
+    // The >= 0 guard keeps column-0 (line start) findings, which the previous
+    // > 0 check silently dropped.
+    if (Number.isInteger(finding.column) && finding.column !== undefined && finding.column >= 0) {
+        region.startColumn = finding.column + 1;
+    }
+    if (Number.isInteger(finding.endLine) && finding.endLine !== undefined && finding.endLine > 0) {
+        region.endLine = finding.endLine;
+    }
+    if (Number.isInteger(finding.endColumn) && finding.endColumn !== undefined && finding.endColumn >= 0) {
+        region.endColumn = finding.endColumn + 1;
+    }
+    return region;
+}
+function propertiesFor(finding) {
+    const properties = {};
+    if (finding.findingId)
+        properties.findingId = finding.findingId;
+    if (finding.contractName)
+        properties.contractName = finding.contractName;
+    if (finding.functionName)
+        properties.functionName = finding.functionName;
+    if (finding.caller)
+        properties.caller = finding.caller;
+    if (finding.delegateTarget)
+        properties.delegateTarget = finding.delegateTarget;
+    if (finding.initializerPath)
+        properties.initializerPath = finding.initializerPath;
+    if (finding.contractHash)
+        properties.contractHash = finding.contractHash;
+    if (finding.snippetHash)
+        properties.snippetHash = finding.snippetHash;
+    if (finding.provenance)
+        properties.source = finding.provenance;
+    if (finding.tier)
+        properties.tier = finding.tier;
+    return Object.keys(properties).length > 0 ? properties : undefined;
+}
+function severityForRule(ruleId, nativeSeverity, opts) {
+    return opts.severityOverrides?.[ruleId] || nativeSeverity;
+}
+function sarifLevelForFinding(finding, opts = {}) {
+    const nativeLevel = (0, severity_1.toSarifLevel)(finding.severity);
+    const overriddenSeverity = opts.severityOverrides?.[finding.ruleId];
+    let level = overriddenSeverity ? (0, severity_1.toSarifLevel)(overriddenSeverity) : nativeLevel;
+    if (opts.sarifSeverityTuning === false) {
+        return level;
+    }
+    const threshold = opts.fpThresholdPct ?? 5;
+    if (!overriddenSeverity && threshold > 0 && opts.fpRates) {
+        const fpRate = opts.fpRates[finding.ruleId];
+        if (fpRate !== undefined && fpRate > threshold) {
+            if (fpRate > 15) {
+                if (level === 'error' || level === 'warning') {
+                    level = 'note';
+                }
+            }
+            else {
+                if (level === 'error') {
+                    level = 'warning';
+                }
+            }
+        }
+    }
+    return level;
+}
+function resultFor(finding, opts, onAbsoluteFileUri) {
+    const overriddenSeverity = opts.severityOverrides?.[finding.ruleId];
+    const level = sarifLevelForFinding(finding, opts);
+    const result = {
+        ruleId: finding.ruleId,
+        level,
+        message: {
+            text: finding.message
+        }
+    };
+    const region = regionFor(finding);
+    if (region) {
+        const artifactLocation = artifactUri(finding.file, opts);
+        if (artifactLocation.usesAbsoluteFileUri)
+            onAbsoluteFileUri();
+        result.locations = [{
+                physicalLocation: {
+                    artifactLocation: {
+                        uri: artifactLocation.uri
+                    },
+                    region
+                }
+            }];
+    }
+    const properties = propertiesFor(finding);
+    if (overriddenSeverity) {
+        const resultProperties = properties || {};
+        resultProperties.originalSeverity = finding.severity;
+        result.properties = resultProperties;
+    }
+    if (properties)
+        result.properties = properties;
+    return result;
+}
+function detectorDescriptorRules() {
+    try {
+        // Loaded lazily to avoid making the formatter's module initialization
+        // instantiate the full detector registry.
+        // eslint-disable-next-line @typescript-eslint/no-var-requires
+        const { createDefaultDetectorRegistry } = require('../registry');
+        const registry = createDefaultDetectorRegistry();
+        const descriptors = [];
+        for (const detector of registry.detectorsForSarif?.() || []) {
+            if (!detector?.descriptor)
+                continue;
+            descriptors.push({ ...detector.descriptor });
+        }
+        return descriptors;
+    }
+    catch (_err) {
+        return [];
+    }
+}
+function synthesizeRuleEntry(ruleId) {
+    // Synthetic fallback for findings whose rule IDs are not in the curated
+    // RULES table. Without this, SARIF consumers (e.g. GitHub code scanning)
+    // render those findings with empty rule pages — and the table inevitably
+    // drifts behind the registry. The synthesized entry uses a generic
+    // description and a stable docs URL so consumers always have *something*
+    // to link to. The curated entry takes precedence whenever it exists.
+    return {
+        id: ruleId,
+        shortDescription: `SolAST rule '${ruleId}'.`,
+        helpUri: detectorHelpUri(ruleId),
+        defaultSeverity: DEFAULT_RULE_SEVERITY,
+    };
+}
+/**
+ * Build the rules array for the SARIF run. Curated rules are emitted first,
+ * preserving the order in which they appear in `RULES` (some downstream tests
+ * pin that order). Any rule IDs that show up in findings but are not curated
+ * are appended afterwards, sorted alphabetically for deterministic output.
+ */
+function buildRulesArray(findings) {
+    const curated = RULES.map(rule => ({
+        id: rule.id,
+        shortDescription: rule.shortDescription,
+        helpUri: rule.helpUri,
+        defaultSeverity: rule.defaultSeverity,
+    }));
+    const seenCurated = new Set(curated.map(rule => rule.id));
+    for (const rule of detectorDescriptorRules()) {
+        if (seenCurated.has(rule.id))
+            continue;
+        seenCurated.add(rule.id);
+        curated.push(rule);
+    }
+    const seen = new Set(curated.map(rule => rule.id));
+    const synthesized = [];
+    for (const finding of findings) {
+        if (!finding.ruleId || seen.has(finding.ruleId))
+            continue;
+        seen.add(finding.ruleId);
+        synthesized.push(synthesizeRuleEntry(finding.ruleId));
+    }
+    synthesized.sort((a, b) => a.id.localeCompare(b.id));
+    return [...curated, ...synthesized];
+}
+/** Exposed for tests: the set of rule IDs with hand-written SARIF metadata. */
+function getCuratedSarifRuleIds() {
+    const ids = RULES.map(rule => rule.id);
+    const seen = new Set(ids);
+    for (const rule of detectorDescriptorRules()) {
+        if (seen.has(rule.id))
+            continue;
+        seen.add(rule.id);
+        ids.push(rule.id);
+    }
+    return ids;
+}
+/** Exposed for tests: curated SARIF descriptors, before SARIF object shaping. */
+function getCuratedSarifRules() {
+    return buildRulesArray([]);
+}
+function formatSarif(findings, opts = {}) {
+    let usesAbsoluteFileUri = false;
+    const results = [...findings]
+        .sort(sortFindings(opts))
+        .map(finding => resultFor(finding, opts, () => {
+        usesAbsoluteFileUri = true;
+    }));
+    const run = {
+        tool: {
+            driver: {
+                name: 'SolAST',
+                informationUri: 'https://snovon.com/',
+                rules: buildRulesArray(findings).map(rule => ({
+                    id: rule.id,
+                    shortDescription: {
+                        text: rule.shortDescription
+                    },
+                    helpUri: rule.helpUri,
+                    ...(rule.help ? { help: { text: rule.help } } : {}),
+                    defaultConfiguration: {
+                        level: (0, severity_1.toSarifLevel)(severityForRule(rule.id, rule.defaultSeverity, opts))
+                    }
+                }))
+            }
+        },
+        results
+    };
+    if (usesAbsoluteFileUri && (opts.rootDir || opts.cwd)) {
+        run.invocations = [{
+                // SARIF 2.1.0 §3.20.14: executionSuccessful is the one REQUIRED
+                // property of an invocation object. We only format results after a
+                // completed scan, so it is always true here.
+                executionSuccessful: true,
+                workingDirectory: {
+                    uri: fileUri(opts.rootDir || opts.cwd)
+                }
+            }];
+    }
+    const sarif = {
+        $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
+        version: '2.1.0',
+        runs: [run]
+    };
+    return JSON.stringify(sarif, null, 2);
+}
+//# sourceMappingURL=sarif.js.map