
Add SARIF output support. by mario-campos · Pull Request #4651 · cppcheck-opensource/cppcheck

github-advanced-security[bot]

AI found potential problems Dec 17, 2022

danmar

Currently, for XML output, the XML generation is tightly-coupled with the `ErrorMessage` class, which makes it harder to implement other formats (e.g. SARIF) that may need to see all of the errors/findings at once.

Furthermore, implementing the serialization in the `ErrorMessage` class as individual methods (e.g. `toXML`) does not scale very well when using multiple formats. This approach uses the `AnalysisReport` abstract class to sub-class the different serialization formats.
This treats the CLI output as just another format (default) for the findings/report.
This should look and feel like the rest of the CppCheck code.
This is a good start, but it still needs some work. In particular, I need to fix the startLine/endLine/startColumn/endColumn part. Right now, I am using placeholder values ("1") instead of the real line/column numbers.
This matches the other AnalysisReport classes, and it's what clang-tidy recommends.
SARIF's precision property maps to Cppcheck's certainty, which is essentially the confidence level.

firewave

danmar

danmar

…lue.

We will only pass std::string by value if it can be std::move()d. Otherwise, it will get passed as a constant reference.
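The design described earlier in the thread (an abstract AnalysisReport that each output format subclasses, with a SARIF writer that needs every finding before it can render) together with the string-passing rule stated just above, as an added C++ example; this is not code from the PR or from Cppcheck itself. The Finding struct, DefaultReport, SarifReport, renderSample and the certainty-to-precision values are assumed names and values chosen for illustration, and the emitted SARIF covers only the version, the rule table and a per-result location and precision property.

```cpp
#include <cstddef>
#include <map>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Illustrative finding record; stands in for Cppcheck's ErrorMessage (assumed shape).
struct Finding {
    std::string id;       // rule id, e.g. "nullPointer"
    std::string file;
    int line;
    int column;
    std::string message;
    bool inconclusive;    // Cppcheck certainty: true = inconclusive

    // Strings that are stored are taken by value and std::move()d in;
    // strings that are only read are taken by const reference (see jsonEscape).
    Finding(std::string id_, std::string file_, int line_, int column_,
            std::string message_, bool inconclusive_)
        : id(std::move(id_)), file(std::move(file_)), line(line_), column(column_),
          message(std::move(message_)), inconclusive(inconclusive_) {}
};

// Abstract report: each output format is a subclass, so ErrorMessage does not
// grow a toXML()/toSARIF()/... method per format.
class AnalysisReport {
public:
    virtual ~AnalysisReport() = default;
    virtual void addFinding(Finding finding) = 0;  // one call per finding, as produced
    virtual std::string serialize() = 0;           // one call once analysis is complete
};

// Default (CLI) format: stateless streaming, one line per finding.
class DefaultReport : public AnalysisReport {
    std::ostringstream out_;
public:
    void addFinding(Finding f) override {
        out_ << f.file << ':' << f.line << ':' << f.column << ": "
             << (f.inconclusive ? "inconclusive: " : "") << f.message
             << " [" << f.id << "]\n";
    }
    std::string serialize() override { return out_.str(); }
};

// Minimal JSON string escaping: quotes and backslashes only; control characters
// are not handled here. Read-only input, hence const reference.
static std::string jsonEscape(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == '"' || c == '\\') out += '\\';
        out += c;
    }
    return out;
}

// SARIF-style format: must see all findings first, because tool.driver.rules
// lists each distinct rule id once and every result refers to it by ruleIndex.
class SarifReport : public AnalysisReport {
    std::vector<Finding> findings_;
public:
    void addFinding(Finding f) override { findings_.push_back(std::move(f)); }

    // Assumed certainty -> precision mapping; the values and the placement of
    // the precision property in the document are illustrative, not the PR's.
    static const char* precision(bool inconclusive) { return inconclusive ? "medium" : "high"; }

    std::string serialize() override {
        std::map<std::string, std::size_t> ruleIndex;
        std::vector<std::string> rules;
        for (const Finding& f : findings_)
            if (ruleIndex.emplace(f.id, rules.size()).second) rules.push_back(f.id);

        std::ostringstream out;
        out << "{\"version\":\"2.1.0\",\"runs\":[{\"tool\":{\"driver\":{\"name\":\"cppcheck\",\"rules\":[";
        for (std::size_t i = 0; i < rules.size(); ++i)
            out << (i ? "," : "") << "{\"id\":\"" << jsonEscape(rules[i]) << "\"}";
        out << "]}},\"results\":[";
        for (std::size_t i = 0; i < findings_.size(); ++i) {
            const Finding& f = findings_[i];
            out << (i ? "," : "") << "{\"ruleId\":\"" << jsonEscape(f.id)
                << "\",\"ruleIndex\":" << ruleIndex[f.id]
                << ",\"message\":{\"text\":\"" << jsonEscape(f.message) << "\"}"
                << ",\"locations\":[{\"physicalLocation\":{\"artifactLocation\":{\"uri\":\""
                << jsonEscape(f.file) << "\"},\"region\":{\"startLine\":" << f.line
                << ",\"startColumn\":" << f.column << "}}}]"
                << ",\"properties\":{\"precision\":\"" << precision(f.inconclusive) << "\"}}";
        }
        out << "]}]}";
        return out.str();
    }
};

// Feeds the same constructed sample findings into whichever format is passed in.
std::string renderSample(AnalysisReport& report) {
    report.addFinding(Finding("nullPointer", "a.cpp", 12, 5, "Null pointer dereference: p", false));
    report.addFinding(Finding("arrayIndexOutOfBounds", "a.cpp", 20, 9, "Array index 8 out of bounds", false));
    report.addFinding(Finding("nullPointer", "b.cpp", 3, 1, "Null pointer dereference: q", true));
    return report.serialize();
}
```

The point of the split is visible in the two subclasses: DefaultReport can write each finding as it arrives, whereas SarifReport has to buffer everything because the rule table is built from the full set and results point back into it by index. The Finding constructor takes its strings by value and moves them into members, while jsonEscape, which only reads, takes a const reference; that is the rule quoted above applied consistently.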

danmar