projectdiscovery · ehsandeep · Nov 30, 2022 · Nov 29, 2022 · Nov 30, 2022 · Nov 30, 2022
diff --git a/v2/go.mod b/v2/go.mod
@@ -22,7 +22,6 @@ require (
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/miekg/dns v1.1.50
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/pkg/errors v0.9.1
 	github.com/projectdiscovery/clistats v0.0.9
 	github.com/projectdiscovery/fastdialer v0.0.18-0.20221102102120-8e9343e8b0e0
@@ -75,6 +74,7 @@ require (
 	github.com/projectdiscovery/nvd v1.0.9
 	github.com/projectdiscovery/ratelimit v0.0.2
 	github.com/projectdiscovery/rdap v0.9.1-0.20221108103045-9865884d1917
+	github.com/projectdiscovery/sarif v0.0.1
 	github.com/projectdiscovery/tlsx v0.0.9
 	github.com/projectdiscovery/uncover v0.0.9
 	github.com/projectdiscovery/utils v0.0.3

diff --git a/v2/go.sum b/v2/go.sum
@@ -67,7 +67,6 @@ github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA
 github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
 github.com/aphistic/golf v0.0.0-20180712155816-02c07f170c5a/go.mod h1:3NqKYiepwy8kCu4PNA+aP7WUV72eXWJeP9/r3/K9aLE=
 github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3stzu0Xys=
-github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
@@ -238,7 +237,6 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
@@ -475,9 +473,6 @@ github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7
 github.com/onsi/gomega v1.16.0 h1:6gjqkI8iiRHMvdccRJM8rVKjCWk6ZIm6FTm3ddIe4/c=
 github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
-github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
-github.com/owenrumney/go-sarif/v2 v2.1.2 h1:PMDK7tXShJ9zsB7bfvlpADH5NEw1dfA9xwU8Xtdj73U=
-github.com/owenrumney/go-sarif/v2 v2.1.2/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
 github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pierrec/lz4 v2.6.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
@@ -549,6 +544,8 @@ github.com/projectdiscovery/retryabledns v1.0.17/go.mod h1:Dyhq/f0sGmXueso0+Ah3L
 github.com/projectdiscovery/retryablehttp-go v1.0.2/go.mod h1:dx//aY9V247qHdsRf0vdWHTBZuBQ2vm6Dq5dagxrDYI=
 github.com/projectdiscovery/retryablehttp-go v1.0.4 h1:FtRhBhyOnbCL1aDCTml+DzktAolHIbkozUkrbvzWPpY=
 github.com/projectdiscovery/retryablehttp-go v1.0.4/go.mod h1:t4buiLTB0HtI+62iHfGDqQVTv/i+8OhAKwaX93TGsFE=
+github.com/projectdiscovery/sarif v0.0.1 h1:C2Tyj0SGOKbCLgHrx83vaE6YkzXEVrMXYRGLkKCr/us=
+github.com/projectdiscovery/sarif v0.0.1/go.mod h1:cEYlDu8amcPf6b9dSakcz2nNnJsoz4aR6peERwV+wuQ=
 github.com/projectdiscovery/sliceutil v0.0.1 h1:YoCqCMcdwz+gqNfW5hFY8UvNHoA6SfyBSNkVahatleg=
 github.com/projectdiscovery/sliceutil v0.0.1/go.mod h1:0wBmhU5uTDwMfrEZfvwH9qa5k60Q4shPVOC9E6LGsDI=
 github.com/projectdiscovery/stringsutil v0.0.0-20220208075244-7c05502ca8e9/go.mod h1:oTRc18WBv9t6BpaN9XBY+QmG28PUpsyDzRht56Qf49I=
@@ -670,8 +667,6 @@ github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+
 github.com/valyala/fasttemplate v1.2.2 h1:lxLXG0uE3Qnshl9QyaK6XJxMXlQZELvChBOCmQD0Loo=
 github.com/valyala/fasttemplate v1.2.2/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
 github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
-github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
-github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/weppos/publicsuffix-go v0.12.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
 github.com/weppos/publicsuffix-go v0.15.1-0.20210928183822-5ee35905bd95/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
 github.com/weppos/publicsuffix-go v0.15.1-0.20220724114530-e087fba66a37 h1:oRCu5zb6sklsDvy5sOz3dFqGg5vAEYBBD2MAYhNThCQ=
@@ -712,7 +707,6 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg=
 github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521 h1:kKCF7VX/wTmdg2ZjEaqlq99Bjsoiz7vH6sFniF/vI4M=
 github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE=
 github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4 h1:17HHAgFKlLcZsDOjBOUrd5hDihb1ggf+1a5dTbkgkIY=
@@ -793,7 +787,6 @@ golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200528225125-3c3fba18258b/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
@@ -894,7 +887,6 @@ golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
@@ -932,7 +924,6 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180518175338-11a468237815/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=

diff --git a/v2/pkg/reporting/exporters/sarif/sarif.go b/v2/pkg/reporting/exporters/sarif/sarif.go
@@ -1,28 +1,23 @@
 package sarif
 
 import (
-	"crypto/sha1"
-	"encoding/hex"
+	"fmt"
 	"os"
-	"strings"
+	"path"
 	"sync"
 
-	"github.com/owenrumney/go-sarif/v2/sarif"
 	"github.com/pkg/errors"
-
-	"github.com/projectdiscovery/nuclei/v2/pkg/model/types/severity"
+	"github.com/projectdiscovery/nuclei/v2/pkg/catalog/config"
 	"github.com/projectdiscovery/nuclei/v2/pkg/output"
-	"github.com/projectdiscovery/nuclei/v2/pkg/reporting/format"
-	"github.com/projectdiscovery/nuclei/v2/pkg/utils"
+	"github.com/projectdiscovery/sarif"
 )
 
 // Exporter is an exporter for nuclei sarif output format.
 type Exporter struct {
-	sarif *sarif.Report
-	run   *sarif.Run
-	mutex *sync.Mutex
-
-	home    string
+	sarif   *sarif.Report
+	mutex   *sync.Mutex
+	rulemap map[string]*int // contains rule-id && ruleIndex
+	rules   []sarif.ReportingDescriptor
 	options *Options
 }
 
@@ -34,106 +29,168 @@ type Options struct {
 
 // New creates a new sarif exporter integration client based on options.
 func New(options *Options) (*Exporter, error) {
-	report, err := sarif.New(sarif.Version210)
-	if err != nil {
-		return nil, errors.Wrap(err, "could not create sarif exporter")
+	report := sarif.NewReport()
+	exporter := &Exporter{
+		sarif:   report,
+		mutex:   &sync.Mutex{},
+		rules:   []sarif.ReportingDescriptor{},
+		rulemap: map[string]*int{},
+		options: options,
+	}
+	return exporter, nil
+}
+
+// addToolDetails adds details of static analysis tool (i.e nuclei)
+func (exporter *Exporter) addToolDetails() {
+	driver := sarif.ToolComponent{
+		Name:         "Nuclei",
+		Organization: "ProjectDiscovery",
+		Product:      "Nuclei",
+		ShortDescription: &sarif.MultiformatMessageString{
+			Text: "Fast and Customizable Vulnerability Scanner",
+		},
+		FullDescription: &sarif.MultiformatMessageString{
+			Text: "Fast and customizable vulnerability scanner based on simple YAML based DSL",
+		},
+		FullName:        "Nuclei v" + config.Version,
+		SemanticVersion: "v" + config.Version,
+		DownloadURI:     "https://github.com/projectdiscovery/nuclei/releases",
+		Rules:           exporter.rules,
 	}
+	exporter.sarif.RegisterTool(driver)
 
-	templatePath, err := utils.GetDefaultTemplatePath()
-	if err != nil {
-		return nil, errors.Wrap(err, "could not template path")
+	reportloc := sarif.ArtifactLocation{
+		Uri: "file:///" + exporter.options.File,
+		Description: &sarif.Message{
+			Text: "Nuclei Sarif Report",
+		},
 	}
 
-	run := sarif.NewRunWithInformationURI("nuclei", "https://github.com/projectdiscovery/nuclei")
-	return &Exporter{options: options, home: templatePath, sarif: report, run: run, mutex: &sync.Mutex{}}, nil
+	invocation := sarif.Invocation{
+		CommandLine:   os.Args[0],
+		Arguments:     os.Args[1:],
+		ResponseFiles: []sarif.ArtifactLocation{reportloc},
+	}
+	exporter.sarif.RegisterToolInvocation(invocation)
+}
+
+// getSeverity in terms of sarif
+func (exporter *Exporter) getSeverity(severity string) (sarif.Level, string) {
+	switch severity {
+	case "critical":
+		return sarif.Error, "9.4"
+	case "high":
+		return sarif.Error, "8"
+	case "medium":
+		return sarif.Note, "5"
+	case "low":
+		return sarif.Note, "2"
+	case "info":
+		return sarif.None, "1"
+	}
+
+	return sarif.None, "9.5"
 }
 
 // Export exports a passed result event to sarif structure
 func (exporter *Exporter) Export(event *output.ResultEvent) error {
-	templatePath := strings.TrimPrefix(event.TemplatePath, exporter.home)
+	exporter.mutex.Lock()
+	defer exporter.mutex.Unlock()
 
-	h := sha1.New()
-	_, _ = h.Write([]byte(event.Host))
-	templateID := event.TemplateID + "-" + hex.EncodeToString(h.Sum(nil))
+	severity := event.Info.SeverityHolder.Severity.String()
+	resultHeader := fmt.Sprintf("%v (%v) found on %v", event.Info.Name, event.TemplateID, event.Host)
+	resultLevel, vulnRating := exporter.getSeverity(severity)
+
+	// Extra metdata if generated sarif is uploaded to github security page
+	ghmeta := map[string]interface{}{}
+	ghmeta["tags"] = []string{"security"}
+	ghmeta["security-severity"] = vulnRating
+
+	// rule contain details of template
+	rule := sarif.ReportingDescriptor{
+		Id:   event.TemplateID,
+		Name: event.Info.Name,
+		FullDescription: &sarif.MultiformatMessageString{
+			// Points to template URL
+			Text: event.Info.Description + "\nMore details at\n" + event.TemplateURL + "\n",
+		},
+		Properties: ghmeta,
+	}
 
-	var ruleName string
-	if !utils.IsBlank(event.Info.Name) {
-		ruleName = event.Info.Name
+	// Github Uses ShortDescription as title
+	if event.Info.Description != "" {
+		rule.ShortDescription = &sarif.MultiformatMessageString{
+			Text: resultHeader,
+		}
 	}
 
-	var templateURL string
-	if strings.HasPrefix(event.TemplatePath, exporter.home) {
-		templateURL = "https://github.com/projectdiscovery/nuclei-templates/blob/master" + templatePath
+	// If rule is added
+	ruleIndex := len(exporter.rules) - 1
+	if exporter.rulemap[rule.Id] == nil {
+		exporter.rulemap[rule.Id] = &ruleIndex
+		exporter.rules = append(exporter.rules, rule)
 	} else {
-		templateURL = "https://github.com/projectdiscovery/nuclei-templates"
+		ruleIndex = *exporter.rulemap[rule.Id]
 	}
 
-	var ruleDescription string
-	if !utils.IsBlank(event.Info.Description) {
-		ruleDescription = event.Info.Description
+	// vulnerability target/location
+	location := sarif.Location{
+		Message: &sarif.Message{
+			Text: path.Join(event.Host, event.Path),
+		},
+		PhysicalLocation: sarif.PhysicalLocation{
+			ArtifactLocation: sarif.ArtifactLocation{
+				// github only accepts file:// protocol and local & relative files only
+				// to avoid errors // is used which also translates to file according to specification
+				Uri: "/" + event.Path,
+				Description: &sarif.Message{
+					Text: path.Join(event.Host, event.Path),
+				},
+			},
+		},
 	}
 
-	exporter.mutex.Lock()
-	defer exporter.mutex.Unlock()
-
-	_ = exporter.run.AddRule(templateID).
-		WithDescription(ruleName).
-		WithHelp(sarif.NewMarkdownMultiformatMessageString(format.MarkdownDescription(event))).
-		WithHelpURI(templateURL).
-		WithFullDescription(sarif.NewMultiformatMessageString(ruleDescription))
-
-	result := sarif.NewRuleResult(templateID).
-		WithMessage(sarif.NewTextMessage(event.Host)).
-		WithLevel(getSarifSeverity(event))
-
-	exporter.run.AddResult(result)
-
-	// Also write file match metadata to file
-	if event.Type == "file" && (event.FileToIndexPosition != nil && len(event.FileToIndexPosition) > 0) {
-		for file, line := range event.FileToIndexPosition {
-			result.AddLocation(sarif.NewLocation().WithMessage(sarif.NewMessage().WithText(ruleName)).WithPhysicalLocation(
-				sarif.NewPhysicalLocation().
-					WithArtifactLocation(sarif.NewArtifactLocation().WithUri(file)).
-					WithRegion(sarif.NewRegion().WithStartColumn(1).WithStartLine(line).WithEndLine(line).WithEndColumn(32)),
-			))
-		}
-	} else {
-		result.AddLocation(sarif.NewLocation().WithMessage(sarif.NewMessage().WithText(event.Host)).WithPhysicalLocation(
-			sarif.NewPhysicalLocation().
-				WithArtifactLocation(sarif.NewArtifactLocation().WithUri("README.md")).
-				WithRegion(sarif.NewRegion().WithStartColumn(1).WithStartLine(1).WithEndLine(1).WithEndColumn(1)),
-		))
+	// vulnerability report/result
+	result := &sarif.Result{
+		RuleId:    rule.Id,
+		RuleIndex: ruleIndex,
+		Level:     resultLevel,
+		Kind:      sarif.Open,
+		Message: &sarif.Message{
+			Text: resultHeader,
+		},
+		Locations: []sarif.Location{location},
+		Rule: sarif.ReportingDescriptorReference{
+			Id: rule.Id,
+		},
 	}
+
+	exporter.sarif.RegisterResult(*result)
+
 	return nil
-}
 
-// getSarifSeverity returns the sarif severity
-func getSarifSeverity(event *output.ResultEvent) string {
-	switch event.Info.SeverityHolder.Severity {
-	case severity.Info:
-		return "note"
-	case severity.Low, severity.Medium:
-		return "warning"
-	case severity.High, severity.Critical:
-		return "error"
-	default:
-		return "note"
-	}
 }
 
-// Close closes the exporter after operation
+// Close Writes data and closes the exporter after operation
 func (exporter *Exporter) Close() error {
 	exporter.mutex.Lock()
 	defer exporter.mutex.Unlock()
 
-	exporter.sarif.AddRun(exporter.run)
-	if len(exporter.run.Results) == 0 {
-		return nil // do not write when no results
+	if len(exporter.rules) == 0 {
+		// no output if there are no results
+		return nil
 	}
-	file, err := os.Create(exporter.options.File)
+	// links results and rules/templates
+	exporter.addToolDetails()
+
+	bin, err := exporter.sarif.Export()
 	if err != nil {
-		return errors.Wrap(err, "could not create sarif output file")
+		return errors.Wrap(err, "failed to generate sarif report")
+	}
+	if err := os.WriteFile(exporter.options.File, bin, 0644); err != nil {
+		return errors.Wrap(err, "failed to create sarif file")
 	}
-	defer file.Close()
-	return exporter.sarif.Write(file)
+
+	return nil
+
 }