sarif message



Subject: Change draft for #263: Empty instance id components


I pushed a change draft for Issue #263: “Clarify distinguishing presence or non-presence of logical and instance id components”:

 

Documents/ChangeDrafts/Active/sarif-v2.0-issue-263-empty-id-components.docx

 

The motivation for this change is that in SARIF v1.0, the run object had a property automationId, a string that specified a “category” to which the run belonged, for example "Nightly CredScan run".

 

In SARIF v2.0, run.automationId is gone. It is replaced (more than replaced, because the new design is more powerful) with a property id whose value is a runAutomationDetails object, which in turn contains an instanceId property which is a hierarchical string. run.id.instanceId might have the value "Nightly CredScan run/2018-10-10". Note that it specifies not only the category, but the particular instance of the run within the category.

 

The problem is how to translate a SARIF v1.0 log file where run.automationId is "Nightly CredScan run" into the SARIF v2.0 run.id.instanceId. If you just copied run.automationId to run.id.instanceId, it would denote a run with the unique id "Nightly CredScan run", belonging to no category.

 

To solve this problem, we allow the trailing component of run.id.instanceId to be empty (while we’re at it, we loosen the grammar for hierarchical strings to allow any component to be empty). So if you have in hand a SARIF v1.0 run whose automationId is "Nightly CredScan run", you can translate it to a SARIF v2.0 run.id.instanceId value of "Nightly CredScan run/" (note the trailing slash). This tells us that the run belongs to the category "Nightly CredScan run", but it has no human-readable unique id within that category. (It might have a machine-readable id in run.id.instanceGuid, though).

 

While we’re at it, we added another example to clarify that an instanceId with no slashes does in fact specify a unique run identifier but no category.

 

We will move adoption of this change at TC #26 on October 24th.

 

Thanks,

Larry
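
Added example, not part of the original message or of the SARIF specification text: a sketch of the v1.0 to v2.0 translation the message describes, with a parser showing how each form of instanceId is read. The function and type names are hypothetical, and splitting at the last slash (so that everything before it is the category) is an assumption based on the examples in the message.

```python
from typing import NamedTuple, Optional


class InstanceId(NamedTuple):
    category: Optional[str]   # None when the string contains no slash
    unique_id: Optional[str]  # None when the trailing component is empty


def parse_instance_id(instance_id: str) -> InstanceId:
    """Split a v2.0 run.id.instanceId into (category, unique id).

    Assumption: the trailing component is the human-readable unique id and
    everything before the last slash is the category.
    """
    if "/" not in instance_id:
        # No slashes: a unique run identifier, belonging to no category.
        return InstanceId(None, instance_id or None)
    category, _, unique = instance_id.rpartition("/")
    # Empty trailing component: category known, no human-readable unique id.
    return InstanceId(category, unique or None)


def automation_id_to_instance_id(automation_id: str) -> str:
    """Translate a v1.0 run.automationId (a category) to a v2.0 instanceId.

    The trailing slash marks the value as a category with an empty
    unique-id component instead of a bare unique id.
    """
    return automation_id + "/"


def naive_copy(automation_id: str) -> str:
    """The translation the message warns against: copy the string as-is."""
    return automation_id


if __name__ == "__main__":
    v1_value = "Nightly CredScan run"  # sample value taken from the message
    for label, value in [
        ("naive copy", naive_copy(v1_value)),
        ("with trailing slash", automation_id_to_instance_id(v1_value)),
        ("full v2.0 id", "Nightly CredScan run/2018-10-10"),
    ]:
        print(f"{label:20} {value!r:36} -> {parse_instance_id(value)}")
```

A consumer that groups runs by category would file the naive copy under no category at all, which is the misclassification the trailing slash prevents.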


