Subject: RE: [sarif] Adjustment to guidance on host name
Here’s what I wrote, on the assumption that you agree with this point:
If a URI base id uses the "file" protocol [RFC8089] and the specified path is network-accessible, the SARIF producer SHALL include the host name.
EXAMPLE 2: A file-based URI that references a network share.
If a URI base id uses the "file" protocol and the specified path is not network-accessible, the SARIF producer SHOULD NOT include the host name.
EXAMPLE 3: A file-based URI that references the local file system.
A SARIF post-processor MAY choose to remove the host name from such a URI, for example, for security reasons. If it does so, then to maximize interoperability with previous versions of the URI specification, it SHOULD specify the URI with leading "//", as in EXAMPLE 3. See [RFC8089] for more information on this point.
TL;DR: We need to say that if a file-based URL is network-accessible, it SHALL (not SHOULD) include the host name.
In meeting TC #15 we agreed to adopt the change draft for #113 (host name guidance), with this amendment (taken from the raw chat trace):
But if the file-based URL is network-accessible, then the host name portion has to be part of the URL, or else you can’t access it:
file:///shared/projects/browser # Interpreted as directory /shared on localhost
Of course a SARIF viewer will notice that this path does not exist on localhost and will prompt the user for the correct path. But what’s the sense in creating a log file that points to a network share and then not telling the consumer where on the network to find it?
Please let me know if you disagree.
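The post-processor behaviour described in the draft text (removing the host name from a file-based URI and keeping the leading "//"), sketched in Python as an added example that is not part of the original message or of the SARIF specification. The function names, the sample host `build-01.corp.example`, and the representation of the URI base ids as a plain name-to-URI mapping are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def strip_file_host(uri: str) -> str:
    """Remove the host name from a file URI, keeping the leading "//".

    Non-file URIs are returned unchanged. The result always uses the
    empty-authority form (file:///path), the form the draft text recommends
    for interoperability with earlier versions of the URI specification.
    """
    parts = urlsplit(uri)
    if parts.scheme != "file":          # urlsplit lower-cases the scheme
        return uri
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    out = "file://" + path              # "//" + empty authority + absolute path
    if parts.query:
        out += "?" + parts.query
    if parts.fragment:
        out += "#" + parts.fragment
    return out


def redact_uri_base_ids(base_ids: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Strip host names from every file URI in a base-id mapping.

    Returns the redacted mapping and the names of the base ids that carried
    a host name, so the post-processor can record what it changed.
    """
    redacted, had_host = {}, []
    for name, uri in base_ids.items():
        parts = urlsplit(uri)
        if parts.scheme == "file" and parts.netloc:
            had_host.append(name)
        redacted[name] = strip_file_host(uri)
    return redacted, had_host


# Constructed sample input (not taken from a real log file).
SAMPLE_BASE_IDS = {
    "SHARE": "file://build-01.corp.example/shared/projects/browser/",
    "LOCAL": "file:///C:/src/browser/",
    "MINIMAL": "file:/home/user/src/",
    "WEB": "https://example.com/src/",
}

if __name__ == "__main__":
    cleaned, changed = redact_uri_base_ids(SAMPLE_BASE_IDS)
    for name, uri in cleaned.items():
        print(f"{name}: {uri}")
    print("host name removed from:", changed)
```

After redaction the `SHARE` entry reads as a path on localhost, which is the situation the message describes: the consumer no longer learns from the log where on the network the files are.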