

Subject: Change draft for #139 (codeFlowLocation.location optional)


I pushed a change draft for Issue #139: Don't require codeFlowLocation.location:

Documents/ChangeDrafts/Active/sarif-v2.0-issue-139-codeFlowLocation.location-not-required.docx

This item is not on the agenda for tomorrow’s meeting. I will move its adoption at the next TC meeting, #16 on May 2nd.

 

There are actually three changes here:

  1. The spec says that location.physicalLocation is required. But physical location information isn't always available, so we have to loosen that requirement.

  2. The spec says that codeFlowLocation.location is required. But that makes code flows produced by Static Driver Verifier invalid: their native output format doesn't include location information for every step. So again, we have to loosen that requirement.

  3. We provide guidance that if there is no location information, a codeFlowLocation SHOULD include a location object that provides only a message (for example, "External resource was locked."). Static Driver Verifier doesn't do that, but we should still recommend it.

 

Larry


