Subject: RE: [sarif] Change bars for Issue #158 (result.correlationId)
Sorry for not bringing these up earlier, but I have a couple of comments:
1) Regarding result.fingerprints property: the spec says that “A direct SARIF producer SHOULD NOT populate this property.” In that case, what should we do with our instance ids which are actually generated by the analyzer? I thought that this property is what we would use for them. On the other hand, the spec also says: “EXAMPLE: In this example, the producer has calculated a fingerprint using version 2 of a fingerprinting method it refers to as "contextRegionHash"”, implying that the producer does calculate the fingerprint.
2) Regarding result.ruleId property: the majority of Fortify results are produced with the help of more than one rule, so this really should be an array.
Normally I incorporate amendments adopted by the TC into the provisional draft without asking for further review. In the case of Issue #158 (Introduce result.correlationId and clarify purpose of result.fingerprints array), the changes were substantive enough that I wanted to show them to you explicitly. I’ve attached a change-barred version of the provisional draft that shows the changes I made based on the TC’s feedback.
I am going to merge these changes, along with the other changes we adopted today. But if you disagree with the way I incorporated the feedback on #158, now’s your chance to tell me.
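As an added illustration of the fingerprint question raised above (example code written for this note, not from the SARIF specification, Fortify, or any other producer): a producer computes a "contextRegionHash" over a whitespace-normalized window of source lines around the result, and a consumer uses that value rather than the line number to match results between two runs. The key name "contextRegionHash/v2", the SHA-256 choice, the three-line window, the "contributingRuleIds" property-bag entry for the multi-rule case, and the rule names and source snippets are all assumptions constructed for the example.

```python
import hashlib
import json
import re

# Constructed sample: the same file before and after an unrelated edit
# (an added import) that shifts the finding down by one line.
SOURCE_RUN1 = """\
import os

def run(cmd):
    os.system(cmd)

def main():
    run(input())
"""

SOURCE_RUN2 = """\
import os
import sys

def run(cmd):
    os.system(cmd)

def main():
    run(input())
"""

# Assumed fingerprint method name; "v2" marks the version of the hashing scheme.
FP_METHOD = "contextRegionHash/v2"


def context_region(source, line, radius=1):
    """Return the source lines around a 1-based line number (inclusive window)."""
    lines = source.splitlines()
    lo = max(0, line - 1 - radius)
    hi = min(len(lines), line + radius)
    return lines[lo:hi]


def context_region_hash(source, line):
    """Hash the normalized context region so that whitespace edits and line
    shifts elsewhere in the file leave the fingerprint unchanged."""
    normalized = "\n".join(
        re.sub(r"\s+", " ", text).strip() for text in context_region(source, line)
    )
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def make_result(rule_ids, uri, line, source):
    """Build a SARIF-style result dict. ruleId stays a single string; the
    other contributing rules go in the property bag (an assumption, not spec)."""
    return {
        "ruleId": rule_ids[0],
        "message": {"text": "Untrusted input reaches a command execution sink."},
        "locations": [
            {"physicalLocation": {"artifactLocation": {"uri": uri},
                                  "region": {"startLine": line}}}
        ],
        "fingerprints": {FP_METHOD: context_region_hash(source, line)},
        "properties": {"contributingRuleIds": list(rule_ids)},
    }


def match_results(previous, current, method=FP_METHOD):
    """Pair results from two runs by (ruleId, fingerprint) instead of by line.
    Identical context regions under the same rule would collide; a real
    producer mixes in more signal (e.g. the artifact URI) to avoid that."""
    key = lambda r: (r["ruleId"], r["fingerprints"][method])
    prev = {key(r): r for r in previous}
    cur = {key(r): r for r in current}
    return {
        "matched": [(prev[k], cur[k]) for k in cur if k in prev],
        "new": [cur[k] for k in cur if k not in prev],
        "absent": [prev[k] for k in prev if k not in cur],
    }


if __name__ == "__main__":
    run1 = [make_result(["CommandInjection"], "app.py", 4, SOURCE_RUN1)]
    run2 = [
        make_result(["CommandInjection"], "app.py", 5, SOURCE_RUN2),
        make_result(["CommandInjection", "UnvalidatedInput"], "app.py", 8, SOURCE_RUN2),
    ]
    diff = match_results(run1, run2)
    print(json.dumps({k: len(v) for k, v in diff.items()}))
```

Running the module shows one matched result (the os.system call, even though it moved from line 4 to line 5), one new result and none absent; a line-number key would have reported the moved finding as both new and resolved.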