I created and merged a change draft for Yekaterina’s Issue #390, “Make certain invocation and versionControlDetails properties redactable”:

https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/Accepted/sarif-v2.0-issue-390-more-redactable-properties.docx

Among the newly redactable properties are the values and names of the properties in invocation.environmentVariables. But this requires that the string-valued run.redactionToken become an array redactionTokens, because otherwise two redacted environment variable names would have the same JSON property name, which is not allowed. The good news is that we were going to have to do this anyway to accommodate Jim’s Issue #377, “Each redaction token in an originalUriBaseIds represents a unique location,” so now we have two reasons to do it.

Furthermore, this change requires that we clarify what it means to redact a URI-valued property (because the result might not be a valid URI). This too was going to be needed for #377, so the good news is, I’ve got a big head start on writing the draft for #377.

Please take a look as we close down the spec today in preparation for Monday’s ballot.

Thanks,
Larry
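
The property-name collision described in the message above, as an added Python example that is not part of the original message or of the SARIF spec. The sample environment variables, the `[REDACTED-n]` token format and the helper names are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample environment; names and values are illustrative only.
ENV = {"BUILD_SECRET": "s3cr3t", "DEPLOY_KEY_PATH": "/keys/deploy", "LANG": "C"}
SENSITIVE = {"BUILD_SECRET", "DEPLOY_KEY_PATH"}


def redact_shared(env, sensitive, token="[REDACTED]"):
    """Single string-valued redactionToken: every redacted name and value gets the same text."""
    return [(token, token) if n in sensitive else (n, v) for n, v in env.items()]


def redact_unique(env, sensitive):
    """Array-valued redactionTokens: each redacted name gets its own token."""
    tokens, pairs = [], []
    for name, value in env.items():
        if name in sensitive:
            token = f"[REDACTED-{len(tokens) + 1}]"  # hypothetical token format
            tokens.append(token)
            pairs.append((token, token))  # value redacted with the same token (assumption)
        else:
            pairs.append((name, value))
    return tokens, pairs


def to_json_object(pairs):
    """Serialize name/value pairs as a JSON object without de-duplicating names."""
    return "{" + ", ".join(f"{json.dumps(n)}: {json.dumps(v)}" for n, v in pairs) + "}"


def duplicate_names(json_text):
    """Return property names that occur more than once in the top-level JSON object."""
    seen = []

    def record(items):
        seen.extend(name for name, _ in items)
        return dict(items)

    json.loads(json_text, object_pairs_hook=record)
    return sorted(n for n, count in Counter(seen).items() if count > 1)


if __name__ == "__main__":
    shared = to_json_object(redact_shared(ENV, SENSITIVE))
    print(duplicate_names(shared), json.loads(shared))
    tokens, pairs = redact_unique(ENV, SENSITIVE)
    print(tokens, duplicate_names(to_json_object(pairs)))
```

A consumer that parses the shared-token output with an ordinary JSON parser silently keeps only one of the redacted entries, which is why a duplicate-name check like `duplicate_names` is worth running on redacted logs.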