correctmost - 2026-05-11

The text and XML outputs report unmatchedSuppression errors, but the SARIF output does not. This makes it harder to debug failures when using --enable=all --error-exitcode=1 --output-format=sarif together.

It seems like this behavior might be by design to accommodate GitHub: https://github.com/cppcheck-opensource/cppcheck/blob/9a00e4a1050abdd7452f9afe7d5b323aed0e789a/lib/sarifreport.cpp#L44-L46

The SARIF spec seems to allow for results without locations, but I'm not sure if that plays well with GitHub:

EXAMPLE 1: If a C++ analyzer detects that no file defines a global function main, then that result cannot be associated with a file.
-- https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Ref510013155

I tested GCC to see how it handles errors without locations and it does not seem to report them. It does signal that the execution failed in an "executionSuccessful" field, though. (You can test this with an unsupported warning for C++: g++ -Werror -Wnested-externs -fdiagnostics-add-output=sarif foo.c)

Steps to reproduce the cppcheck issue:

  1. touch foo.c
  2. cppcheck --enable=all --suppress=unusedFunction --output-format=sarif foo.c

Output:

Checking foo.c ...
{
  "version": "2.1.0",
  "$schema": "https:\/\/docs.oasis-open.org\/sarif\/sarif\/v2.1.0\/errata01\/os\/schemas\/sarif-schema-2.1.0.json",
  "runs": [
    {
      "results": [],
      "tool": {
        "driver": {
          "informationUri": "https:\/\/cppcheck.sourceforge.io",
          "name": "Cppcheck",
          "rules": [],
          "semanticVersion": "2.20.0"
        }
      }
    }
  ]
}

Version info

  • cppcheck 2.20.0 on Arch Linux
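As an added example (not part of the report above and not cppcheck's own code): a small Python checker that cross-references cppcheck's --xml output with its SARIF output, reports error ids that were dropped on the SARIF side, lists SARIF results that carry no location (the case the spec permits but consumers such as GitHub may ignore), and reads invocations[].executionSuccessful the way the GCC comparison suggests. The two XML/SARIF documents are constructed inline to mirror the reproduction in the report; the unmatchedSuppression message text and the second SARIF sample are assumptions, not captured output.

```python
"""Cross-check cppcheck XML vs SARIF output for dropped diagnostics."""
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of cppcheck --xml output for the reproduction above
# (unmatchedSuppression for --suppress=unusedFunction on an empty foo.c).
# The msg text is an assumption; the element layout follows the
# "results version=2" schema cppcheck emits.
SAMPLE_XML = """<results version="2">
  <cppcheck version="2.20.0"/>
  <errors>
    <error id="unmatchedSuppression" severity="information"
           msg="Unmatched suppression: unusedFunction"
           verbose="Unmatched suppression: unusedFunction">
      <location file="foo.c" line="0" column="0"/>
    </error>
  </errors>
</results>
"""

# Constructed SARIF log mirroring the one in the report: empty results,
# no invocations object, no rules.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "results": [],
        "tool": {"driver": {"name": "Cppcheck", "rules": [],
                            "semanticVersion": "2.20.0"}},
    }],
})

# Constructed (hypothetical) SARIF log showing what a log that *did* carry
# the diagnostic could look like: a location-less result plus an
# invocation that flags the run as failed.
SAMPLE_SARIF_WITH_RESULT = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "invocations": [{"executionSuccessful": False}],
        "results": [{
            "ruleId": "unmatchedSuppression",
            "level": "note",
            "message": {"text": "Unmatched suppression: unusedFunction"},
        }],
        "tool": {"driver": {"name": "Cppcheck", "rules": [],
                            "semanticVersion": "2.20.0"}},
    }],
})


def xml_error_ids(xml_text):
    """Error ids cppcheck reported in its XML output (sorted, with repeats)."""
    root = ET.fromstring(xml_text)
    return sorted(e.get("id") for e in root.iter("error"))


def sarif_rule_ids(sarif_text):
    """ruleIds of every result in every run of a SARIF log (sorted)."""
    log = json.loads(sarif_text)
    return sorted(r.get("ruleId")
                  for run in log.get("runs", [])
                  for r in run.get("results", []))


def results_without_location(sarif_text):
    """Results with no 'locations' array: allowed by SARIF 2.1.0 but
    not necessarily displayed by every consumer."""
    log = json.loads(sarif_text)
    return [r for run in log.get("runs", [])
            for r in run.get("results", [])
            if not r.get("locations")]


def execution_successful(sarif_text):
    """Read invocations[].executionSuccessful across all runs.
    Returns None when the tool emitted no invocations at all."""
    log = json.loads(sarif_text)
    flags = [inv.get("executionSuccessful")
             for run in log.get("runs", [])
             for inv in run.get("invocations", [])]
    if not flags:
        return None
    return all(f is not False for f in flags)


def dropped_diagnostics(xml_text, sarif_text):
    """Error ids present in the XML output but missing from SARIF results."""
    missing = Counter(xml_error_ids(xml_text)) - Counter(sarif_rule_ids(sarif_text))
    return sorted(missing.elements())


if __name__ == "__main__":
    print("dropped from SARIF:", dropped_diagnostics(SAMPLE_XML, SAMPLE_SARIF))
    print("executionSuccessful:", execution_successful(SAMPLE_SARIF))
    print("location-less results:",
          len(results_without_location(SAMPLE_SARIF_WITH_RESULT)))
```

In a CI job the two inputs would come from running cppcheck twice on the same tree (once with --xml, once with --output-format=sarif); a non-empty dropped_diagnostics list, or execution_successful returning None when the exit code was non-zero, is the signal that the SARIF log alone would not explain the failure.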