(Our amendment also says to add similar language around the logical locations array and the rules array, but if we get this one right the others will be easy.)

From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of Larry Golding (Myriad Consulting Inc)
Sent: Wednesday, January 9, 2019 4:26 PM
To: OASIS SARIF TC Discussion List <sarif@lists.oasis-open.org>
Subject: [sarif] uri/fileIndex consistency

This morning we approved the change draft for #298 with the amendment that we add a constraint: the file identified by fileLocation.uri/uriBaseId must be the same as the file identified by fileLocation.fileIndex (which points into the run.files array).

This is surprisingly hard to express elegantly. Here’s what I have, but I’m open to rephrasing it if anyone is in the mood to put on their editor’s hat for a moment:

If both uri and fileIndex are present, they SHALL both denote the same file. That is, let URI 1 be the fully resolved URI of the file specified by a fileLocation object as determined by the uriBaseId resolution procedure described in §3.4.4. Let URI 2 be the fully resolved URI of the file specified by the file object (§3.21) indicated by fileIndex, determined in the same way. Then URI 1 and URI 2 SHALL be equivalent in the sense described in §3.10.1.

(§3.10.1 says that two URIs are “equivalent” if their normalized forms, as described in RFC 3986, are the same.)

Thanks,
Larry
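
The consistency check proposed in the message above, sketched as a validator. This is an added example, not text from the thread or the SARIF specification. It assumes that run.originalUriBaseIds maps each uriBaseId directly to an absolute URI string, that a file object carries its own location in a property named fileLocation, and that "normalized form" means the syntax-based normalization of RFC 3986 §6.2.2; the sample run is constructed.

```python
import re
from urllib.parse import urljoin, urlsplit

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def _fix_pct(m):
    # Decode %XX only for unreserved characters; otherwise upper-case the hex digits.
    ch = chr(int(m.group(1), 16))
    return ch if ch in UNRESERVED else "%" + m.group(1).upper()

def _remove_dot_segments(path):
    # RFC 3986 section 5.2.4, applied to absolute paths only.
    segs, out = path.split("/"), []
    for i, seg in enumerate(segs):
        if seg == ".." and len(out) > 1:
            out.pop()
        elif seg not in (".", ".."):
            out.append(seg)
        if seg in (".", "..") and i == len(segs) - 1:
            out.append("")  # a trailing dot segment leaves a trailing slash
    return "/".join(out)

def normalize(uri):
    # Syntax-based normalization; returns the URI as comparable components.
    p = urlsplit(re.sub(r"%([0-9A-Fa-f]{2})", _fix_pct, uri))  # scheme is lower-cased here
    userinfo, at, hostport = p.netloc.rpartition("@")
    path = _remove_dot_segments(p.path) if p.path.startswith("/") else p.path
    return (p.scheme, userinfo + at + hostport.lower(), path, p.query, p.fragment)

def resolve(file_location, base_ids):
    # Assumption: each uriBaseId maps directly to an absolute base URI string.
    return urljoin(base_ids.get(file_location.get("uriBaseId"), ""), file_location["uri"])

def denotes_same_file(file_location, run):
    if "uri" not in file_location or "fileIndex" not in file_location:
        return True  # the constraint applies only when both are present
    files, index = run.get("files", []), file_location["fileIndex"]
    if not 0 <= index < len(files):
        return False  # fileIndex does not point into run.files
    bases = run.get("originalUriBaseIds", {})
    uri1 = resolve(file_location, bases)
    uri2 = resolve(files[index]["fileLocation"], bases)  # assumed property name
    return normalize(uri1) == normalize(uri2)

RUN = {  # constructed sample run, not taken from the specification
    "originalUriBaseIds": {"SRCROOT": "file:///C:/Repo/"},
    "files": [{"fileLocation": {"uri": "src/%7Eutil/a.c", "uriBaseId": "SRCROOT"}},
              {"fileLocation": {"uri": "src/b.c", "uriBaseId": "SRCROOT"}}],
}
```

Normalization does not case-fold the path, so file:///c:/repo/src/b.c and file:///C:/Repo/src/b.c compare as different files under this rule even on a case-insensitive file system.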