OASIS Static Analysis Results Interchange Format (SARIF) TC

  • 1.  RE: run.stableId

    Posted 04-20-2018 18:19
    Ping on this. Do we really need the namespacing, given my argument below?

    From: Larry Golding (Comcast) <larrygolding@comcast.net>
    Sent: Wednesday, April 18, 2018 12:19 PM
    To: Michael Fanning <Michael.Fanning@microsoft.com>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; 'sarif@lists.oasis-open.org' <sarif@lists.oasis-open.org>
    Subject: run.stableId

    As I understand it, the goal is to bucket together runs of the same type, so that a result management system can:

        Open a SARIF log file,
        Find run.stableId,
        Find the most recent run of the same type, and
        Copy run.id from the earlier run into run.baselineId of the current run.

    That doesn’t require namespaced tags. It works whether run.stableId contains "Nightly security tools run/x64 release optimized" or whether it contains "Nightly security tools run x64 release optimized".

    The only reason you’d need namespacing is if there’s some other scenario that needs to bucket together every "Nightly security tools run", regardless of the build configuration.

    Larry


  • 2.  RE: run.stableId

    Posted 04-24-2018 19:51
    I think we should add it, for precisely the reason you cite, bucketing at the stable id level. You might do this in order to organize all tool breaks for both the x86 and amd64 instances of a tool run.

        Nightly security tools run for Contoso service
        X86: 0 breaks
        Amd64: 10 active issues

    From: Larry Golding (Comcast) <larrygolding@comcast.net>
    Sent: Friday, April 20, 2018 11:17 AM
    To: Michael Fanning <Michael.Fanning@microsoft.com>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; sarif@lists.oasis-open.org
    Subject: RE: run.stableId

    Ping on this. Do we really need the namespacing, given my argument below?

    From: Larry Golding (Comcast) <larrygolding@comcast.net>
    Sent: Wednesday, April 18, 2018 12:19 PM
    To: Michael Fanning <Michael.Fanning@microsoft.com>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; 'sarif@lists.oasis-open.org' <sarif@lists.oasis-open.org>
    Subject: run.stableId

    As I understand it, the goal is to bucket together runs of the same type, so that a result management system can:

        Open a SARIF log file,
        Find run.stableId,
        Find the most recent run of the same type, and
        Copy run.id from the earlier run into run.baselineId of the current run.

    That doesn’t require namespaced tags. It works whether run.stableId contains "Nightly security tools run/x64 release optimized" or whether it contains "Nightly security tools run x64 release optimized".

    The only reason you’d need namespacing is if there’s some other scenario that needs to bucket together every "Nightly security tools run", regardless of the build configuration.

    Larry


  • 3.  RE: run.stableId

    Posted 04-24-2018 20:26
    Sounds good.

    I think we should allow multiple levels, so either of these is ok – it’s up to the engineering system to decide the appropriate level of bucketing:

        Nightly security run/x86 debug
        Nightly security run/x86/debug

    Larry

    From: Michael Fanning <Michael.Fanning@microsoft.com>
    Sent: Tuesday, April 24, 2018 12:51 PM
    To: Larry Golding (Comcast) <larrygolding@comcast.net>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; sarif@lists.oasis-open.org
    Subject: RE: run.stableId

    I think we should add it, for precisely the reason you cite, bucketing at the stable id level. You might do this in order to organize all tool breaks for both the x86 and amd64 instances of a tool run.

        Nightly security tools run for Contoso service
        X86: 0 breaks
        Amd64: 10 active issues

    From: Larry Golding (Comcast) <larrygolding@comcast.net>
    Sent: Friday, April 20, 2018 11:17 AM
    To: Michael Fanning <Michael.Fanning@microsoft.com>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; sarif@lists.oasis-open.org
    Subject: RE: run.stableId

    Ping on this. Do we really need the namespacing, given my argument below?

    From: Larry Golding (Comcast) <larrygolding@comcast.net>
    Sent: Wednesday, April 18, 2018 12:19 PM
    To: Michael Fanning <Michael.Fanning@microsoft.com>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; 'sarif@lists.oasis-open.org' <sarif@lists.oasis-open.org>
    Subject: run.stableId

    As I understand it, the goal is to bucket together runs of the same type, so that a result management system can:

        Open a SARIF log file,
        Find run.stableId,
        Find the most recent run of the same type, and
        Copy run.id from the earlier run into run.baselineId of the current run.

    That doesn’t require namespaced tags. It works whether run.stableId contains "Nightly security tools run/x64 release optimized" or whether it contains "Nightly security tools run x64 release optimized".

    The only reason you’d need namespacing is if there’s some other scenario that needs to bucket together every "Nightly security tools run", regardless of the build configuration.

    Larry


  • 4.  RE: run.stableId

    Posted 04-25-2018 17:14
    This seems consistent with other uses of ‘namespaced’ tags.

    Michael

    From: Larry Golding (Comcast) <larrygolding@comcast.net>
    Sent: Tuesday, April 24, 2018 1:24 PM
    To: Michael Fanning <Michael.Fanning@microsoft.com>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; sarif@lists.oasis-open.org
    Subject: RE: run.stableId

    Sounds good.

    I think we should allow multiple levels, so either of these is ok – it’s up to the engineering system to decide the appropriate level of bucketing:

        Nightly security run/x86 debug
        Nightly security run/x86/debug

    Larry

    From: Michael Fanning <Michael.Fanning@microsoft.com>
    Sent: Tuesday, April 24, 2018 12:51 PM
    To: Larry Golding (Comcast) <larrygolding@comcast.net>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; sarif@lists.oasis-open.org
    Subject: RE: run.stableId

    I think we should add it, for precisely the reason you cite, bucketing at the stable id level. You might do this in order to organize all tool breaks for both the x86 and amd64 instances of a tool run.

        Nightly security tools run for Contoso service
        X86: 0 breaks
        Amd64: 10 active issues

    From: Larry Golding (Comcast) <larrygolding@comcast.net>
    Sent: Friday, April 20, 2018 11:17 AM
    To: Michael Fanning <Michael.Fanning@microsoft.com>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; sarif@lists.oasis-open.org
    Subject: RE: run.stableId

    Ping on this. Do we really need the namespacing, given my argument below?

    From: Larry Golding (Comcast) <larrygolding@comcast.net>
    Sent: Wednesday, April 18, 2018 12:19 PM
    To: Michael Fanning <Michael.Fanning@microsoft.com>; 'James A. Kupsch' <kupsch@cs.wisc.edu>; 'sarif@lists.oasis-open.org' <sarif@lists.oasis-open.org>
    Subject: run.stableId

    As I understand it, the goal is to bucket together runs of the same type, so that a result management system can:

        Open a SARIF log file,
        Find run.stableId,
        Find the most recent run of the same type, and
        Copy run.id from the earlier run into run.baselineId of the current run.

    That doesn’t require namespaced tags. It works whether run.stableId contains "Nightly security tools run/x64 release optimized" or whether it contains "Nightly security tools run x64 release optimized".

    The only reason you’d need namespacing is if there’s some other scenario that needs to bucket together every "Nightly security tools run", regardless of the build configuration.

    Larry
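
Added example, not part of the thread or of any SARIF tooling: a sketch of the two behaviours discussed above, exact-match baselining on run.stableId and bucketing by "/"-separated prefix. The property names stableId, id and baselineId are the ones used in the thread; the flat record shape, the `endTime` and `results` fields and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample history. "endTime" and "results" are assumed fields,
# not taken from the thread.
RUNS = [
    {"id": "run-001", "stableId": "Nightly security run/x86/debug",
     "endTime": "2018-04-22T02:00:00Z", "results": 0},
    {"id": "run-002", "stableId": "Nightly security run/amd64/debug",
     "endTime": "2018-04-22T02:10:00Z", "results": 7},
    {"id": "run-003", "stableId": "Nightly security run/x86/debug",
     "endTime": "2018-04-23T02:00:00Z", "results": 0},
    {"id": "run-004", "stableId": "Nightly security run/amd64/debug",
     "endTime": "2018-04-23T02:10:00Z", "results": 10},
]


def assign_baseline(current, history):
    """Copy the id of the most recent earlier run with an identical stableId
    into current['baselineId']. Exact string match: no namespacing needed."""
    same_type = [r for r in history
                 if r["stableId"] == current["stableId"]
                 and r["endTime"] < current["endTime"]]
    if not same_type:
        return None  # first run of this type, nothing to baseline against
    baseline = max(same_type, key=lambda r: r["endTime"])
    current["baselineId"] = baseline["id"]
    return baseline["id"]


def bucket(runs, depth):
    """Group the latest run of each stableId under its first `depth`
    '/'-separated components. This is the case that needs namespacing."""
    latest = {}
    for r in runs:
        prev = latest.get(r["stableId"])
        if prev is None or r["endTime"] > prev["endTime"]:
            latest[r["stableId"]] = r
    buckets = defaultdict(dict)
    for stable_id, r in latest.items():
        parts = stable_id.split("/")
        rest = "/".join(parts[depth:]) or "(all)"
        buckets["/".join(parts[:depth])][rest] = r["results"]
    return dict(buckets)
```

With depth 1 the x86 and amd64 runs land in one bucket, as in the Contoso summary above; with depth 2 each architecture gets its own bucket, which is the choice left to the engineering system.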