Raw chat trace used as unedited minutes from April 3, 2019

["Chris Meyer (Myriad Consulting Inc)" <v-chrmey@microsoft.com>]

DK: welcome

LC: roll call

Participants: Jim, David, Michael, Larry, Luke, Henry, Paul, Katrina

MF: Motion to approve agenda

Seconded

LG: amend agenda: add issue 353

Motion and second

Amendment approved

Motion to approve, seconded

Agenda approved

Motion to approve previous minutes

Seconded and approved

LC: no changes to membership

DK: Timeline status

DK: attempt to approve CSD2 in 2 weeks

DK: schedule next meeting for 2 weeks from today

No objections

MF: Editors' report

Missed issues added to report

Kudos to Larry for incredible output to get the spec finished

LG: #106 missing from report

MF: MS dev Harleen is keeping the SDK in sync with schema changes

MF: plan to close:

Late breaking ballots

Thanks David for managing

Approval leads to public comment period

LG: provisional draft has all changes merged

LG: for ballot issues, refer to prov. draft

LG: #314: please approve despite bogus change draft. some of it is right and we don't want to lose that

Jim: this will remove tags?

LG: no

MF: once balloting closes, we will close a lot of issues

#351

LG: no change drafts for 351 nor 352, simple property renames

MF: name shortening effort to reduce file size

No discussion

 

#353 Punch list

(MF explains the change)

No comments

 

LG: move to approve 351, 352, 353

Jim: hex prefix should not be hex

MF: should we tune for ease of consumption, or for viewers?

MF & LG: change sounds good

Paul: prefer integer

Paul: json defined int width?

Jim: no defined limitation, implementations may have limitations

MF: we need 64-bit support at minimum

LG: motion to approve 351 & 352 without change draft, 353 change to integer type

MF Seconded

No discussion

No objections. Motion approved

MF: please vote to get all ballots approved

MF: we are done with the format and ready to review

MF: any

Jim: multi-format strings. not open to add other formats

MF: schema forbids arbitrary properties outside the property bag

LG: spec is the canon

LG: implicit is that the spec is the model

MF: is it a concern that users can't add props?

Jim: All good.

MF: anything else?

Jim: description of searching for message data

Jim: (proposes text update)

LG agrees

MF: good note, I move that we adjust the string look up algorithm to locate the message data and then to retrieve the appropriate format from the located item.

MF: issue 354 created

MF: motion to approve

Seconded, approved

Jim: URI normalization needs to state we follow RFC 3986 except file scheme uris

Jim: paths with ..: at beginning, eliminate

At end or middle, eliminate everything to the left

This does not match what file systems do

MF: update 315 to not honor this part of 3986

Jim: .. ok for producers if necessary, but consumers need to handle properly

MF: can we just say it's invalid sarif?

Jim: ideally yes, but it still might happen so we should provide guidance

MF: producer is responsible for normalizing?

LG: there is the need for uri comparison, we could just not address normalization

MF: why can producer skip but consumer can handle?

LG: conversion scenario

MF: if the uncertainty exists at producer, it can exist everywhere downstream

MF: consumers doing evaluation is bad

MF: encourage producers to normalize. consumers shouldn't attempt

Jim: consumers should treat .. as an unknown

LG (summarizes)

MF: trouble parsing middle paragraph

(discussion)

MF: should not shall

LG: second para should be non-normative

MF: new issue 355

MF: move to accept

Seconded, approved

(discussion of change draft procedure)

LC: question on verbiage in rule descriptor guidance

(discussion)

LC: concern is ... (secretary missed statement)

MF: typo in sample

LC will pursue registration

MF: need attestation for oasis certification

David: adopters need to provide affirmation (formal statement on company letterhead)

David will verify

MF: does Semmle have a plan to update?

LC: yes and they will attest

Jim: ditto

Katrina: planning next release, hopefully will include this

MF: further discussion?

David: action to get attestation details

Paul: how specific does it need to be?

David: state which parts are being used

Paul: taxonomies: way to express taxa relationship with rule?

LG: the relationship is the other way around

LG: (explanation)

Paul: (description of scenario)

MF: you could define your own taxonomy to circumvent, but there will be a cost of effort

LG: we shouldn't break for this

MF: our adopters understand that we aren't finished, so we can break if necessary

MF: but we should approve in two weeks

MF: not aware of any direct producers who would be affected

MF: new issue

MF: we should close on this today/tomorrow

David: explanation of statements of use. specific to submitted version

David: is multitool updated?

MF: final tool in nuget tomorrow

MF: Chris will update web validator then

Jim: check in schema

MF: final schema to schemastore in 2 weeks

MF will provide final updated version

 

CM: Decisions reached:

- Approved 351, 352, 353

- Update data type in 353

- New issue 354 adjust string lookup procedure description

- New issue 355 refine uri normalization guidance

- New issue 356 design change for taxa-rule relationship

 

CM: Action items

- Luke: format registration

 

LG: motion to adjourn

Seconded and approved

David: adjourned