Subject: RE: [sarif] Adjustment to guidance on host name


Here’s what I wrote, on the assumption that you agree with this point:

 

If a URI base id uses the "file" protocol [RFC8089] and the specified path is network-accessible, the SARIF producer SHALL include the host name.

EXAMPLE 2: A file-based URI that references a network share.

{
  "originalUriBaseIds": {
    "SRCROOT": "file://build-1.example.com/drops/Build-2018-04-19.01/src"
  }
  ...

If a URI base id uses the "file" protocol and the specified path is not network-accessible, the SARIF producer SHOULD NOT include the host name.

EXAMPLE 3: A file-based URI that references the local file system.

{
  "originalUriBaseIds": {
    "SRCROOT": "file:///C:/src"
  }
  ...

A SARIF post-processor MAY choose to remove the host name from such a URI, for example, for security reasons. If it does so, then to maximize interoperability with previous versions of the URI specification, it SHOULD specify the URI with leading "//", as in EXAMPLE 3. See [RFC8089] for more information on this point.

 

Larry

 

From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of Larry Golding (Comcast)
Sent: Thursday, April 19, 2018 1:31 PM
To: sarif@lists.oasis-open.org
Subject: [sarif] Adjustment to guidance on host name
Importance: High

 

TL;DR: We need to say that if a file-based URL is network-accessible, it SHALL (not SHOULD) include the host name.

Details:

In meeting TC #15 we agreed to adopt the change draft for #113 (host name guidance), with this amendment (taken from the raw chat trace):

  1. Clarify that hostname should be included if network shared, omitted if not network shared.

But if the file-based URL is network-accessible, then the host name portion has to be part of the URL, or else you can’t access it:

 

file://lgolding-dev.example.com/shared/projects/browser     # OK
file:///shared/projects/browser                             # Interpreted as directory /shared on localhost

 

Of course a SARIF viewer will notice that this path does not exist on localhost and will prompt the user for the correct path. But what’s the sense in creating a log file that points to a network share and then not telling the consumer where on the network to find it?

Please let me know if you disagree.

 

Larry
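
Added example, not part of the original thread or of the SARIF specification: a sketch of the post-processing step the proposed text permits, removing the host name from "file" URI base ids and writing the result with the leading "//". It assumes `originalUriBaseIds` maps each id directly to a URI string, as in the examples above; the function names and the sample run are constructed for illustration.

```python
from urllib.parse import urlsplit


def strip_file_host(uri):
    """Return (rewritten_uri, removed_host) for one URI base id value."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "file":
        return uri, None  # the guidance only concerns "file" URIs
    host = parts.netloc or None
    path = parts.path or "/"
    if not path.startswith("/"):
        return uri, None  # not an absolute file URI; leave it untouched
    # Always emit the empty-authority form "file:///path" (leading "//"),
    # never the minimal "file:/path" form.
    rewritten = "file://" + path
    if parts.query:
        rewritten += "?" + parts.query
    if parts.fragment:
        rewritten += "#" + parts.fragment
    return rewritten, host


def scrub_base_ids(run):
    """Strip hosts from run["originalUriBaseIds"] in place.

    Returns {base_id: removed_host} so the operator can keep the mapping
    outside the log: once the host is gone, the path reads as local.
    """
    removed = {}
    base_ids = run.get("originalUriBaseIds", {})
    for base_id, uri in list(base_ids.items()):
        base_ids[base_id], host = strip_file_host(uri)
        if host:
            removed[base_id] = host
    return removed


if __name__ == "__main__":
    # Constructed sample using the URIs from EXAMPLE 2 and EXAMPLE 3.
    run = {"originalUriBaseIds": {
        "SRCROOT": "file://build-1.example.com/drops/Build-2018-04-19.01/src",
        "LOCALROOT": "file:///C:/src",
    }}
    print(scrub_base_ids(run))
    print(run["originalUriBaseIds"])
```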

 


