I pushed a change draft for Issue #139 : Don't require codeFlowLocation.location: Documents/ChangeDrafts/Active/sarif-v2.0-issue-139-codeFlowLocation.location-not-required.docx This item is not on the agenda for tomorrow’s meeting. I will move its adoption at the next TC meeting, #16 on May 2 nd . There are actually three changes here: The spec says that location.physicalLocation is required. But physical location information isn't always available, so we have to loosen that requirement. The spec says that codeFlowLocation.location is required. But that makes code flows produced by Static Driver Verifier invalid: their native output format doesn't include location information for every step. So again, we have to loosen that requirement. We provide guidance that if there is no location information, a codeFlowLocation SHOULD include a location object that provides only a message (for example, "External resource was locked."). Static Driver Verifier doesn't do that, but we should still recommend it. Larry