OASIS Static Analysis Results Interchange Format (SARIF) TC

  • 1.  SARIF spec and schema versioning

    Posted 09-26-2018 19:52
    After the meeting today, Michael, Larry and I discussed how producers can declare and consumers identify the changing draft of the SARIF specification used to construct a SARIF file. Right now all SARIF files identify themselves as 2.0.0 (which clearly they are not).

    Our proposal is the following unless there are objections:

    1) The SARIF draft version will be of the form 2.0.0-beta.YYYY.MM.DD where YYYY, MM and DD are numeric values indicating the draft revision of SARIF. This is a valid semantic version that is before 2.0.0.
    2) Upon final specification approval the version will change to "2.0.0".
    3) We do not believe that we need to support current producers that have used "2.0.0" for a version.
    4) Producers SHALL use the draft version to indicate the version they produce.
    5) The Provisional draft and schema will be updated to reflect this. I will leave this up to Larry.
    6) The git repository will be tagged with the draft version so you can retrieve the Provisional Draft and schema after committing the Provisional draft document and JSON schema with approved changes from the TC.

    Let us know if you have any comments, and Michael and Larry, let me know if I forgot anything or got anything wrong.

    Jim
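
Added example, not part of the original thread or of any TC member's code: a consumer-side check in Python for the "version" property under the draft form proposed above, rejecting anything it does not recognize. The fixed-width date fields, the `is_supported` policy and the sample logs are assumptions made for illustration.

```python
import re
from datetime import date

FINAL = "2.0.0"
# Draft form from the proposal: 2.0.0-beta.YYYY.MM.DD. Assumption: fixed-width,
# zero-padded fields. Strict SemVer 2.0.0 parsers reject numeric identifiers
# with leading zeros ("09"), so the fields are parsed here, not by a semver library.
DRAFT_RE = re.compile(r"2\.0\.0-beta\.([0-9]{4})\.([0-9]{2})\.([0-9]{2})")

def parse_sarif_version(log):
    """Return ("final", None) or ("draft", date); raise ValueError otherwise."""
    version = log.get("version") if isinstance(log, dict) else None
    if not isinstance(version, str):
        raise ValueError("missing or non-string 'version' property")
    if version == FINAL:
        return ("final", None)
    m = DRAFT_RE.fullmatch(version)
    if m is None:
        raise ValueError(f"unrecognized SARIF version: {version!r}")
    try:
        return ("draft", date(*map(int, m.groups())))
    except ValueError:
        raise ValueError(f"impossible draft date in {version!r}") from None

def precedence_key(log):
    """Sort key: drafts in date order, every draft before final 2.0.0."""
    kind, drafted = parse_sarif_version(log)
    return (1, date.max) if kind == "final" else (0, drafted)

def is_supported(log, supported_drafts, spec_finalized=False):
    """Hypothetical consumer policy: accept only pinned drafts, fail closed otherwise."""
    kind, _ = parse_sarif_version(log)
    if kind == "final":
        # Until approval, "2.0.0" came from producers of unknown drafts (point 3).
        return spec_finalized
    return log["version"] in supported_drafts

# Constructed sample logs, not real tool output.
SAMPLES = [
    {"version": "2.0.0", "runs": []},
    {"version": "2.0.0-beta.2018.10.10", "runs": []},
    {"version": "2.0.0-beta.2018.09.26", "runs": []},
]

if __name__ == "__main__":
    for log in sorted(SAMPLES, key=precedence_key):
        print(log["version"], is_supported(log, {"2.0.0-beta.2018.09.26"}))
```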


  • 2.  Re: [sarif] SARIF spec and schema versioning

    Posted 09-28-2018 15:43
    Jim:

    I've been running into the same issue myself with both exporting and importing, so thank you for proposing we bring order to this.

    On 9/26/2018 3:52 PM, James Kupsch wrote:

    > After the meeting today, Michael, Larry and I discussed how producers can declare and consumers identify the changing draft of the SARIF specification used to construct a SARIF file. Right now all SARIF files identify themselves as 2.0.0 (which clearly they are not).
    >
    > Our proposal is the following unless there are objections:
    >
    > 1) The SARIF draft version will be of the form 2.0.0-beta.YYYY.MM.DD where YYYY, MM and DD are numeric values indicating the draft revision of SARIF. This is a valid semantic version that is before 2.0.0.

    If I understand correctly, you are proposing that this is the form of the string that will show up in the "version" property of the top-level object. Is that right? Is this format then part of the standard?

    > 2) Upon final specification approval the version will change to "2.0.0".
    > 3) We do not believe that we need to support current producers that have used "2.0.0" for a version.
    > 4) Producers SHALL use the draft version to indicate the version they produce.
    > 5) The Provisional draft and schema will be updated to reflect this. I will leave this up to Larry.
    > 6) The git repository will be tagged with the draft version so you can retrieve the Provisional Draft and schema after committing the Provisional draft document and JSON schema with approved changes from the TC.
    >
    > Let us know if you have any comments, and Michael and Larry, let me know if I forgot anything or got anything wrong.

    I'm coordinating some work on producers; I decided that we would all work on the same draft version, and that it would be one of the first versions to come right after the TC had accepted the proposed changes for the externalized files, as that appeared to be the most pervasive change that was pending.

    I was wondering if we should have a new Committee Specification Draft, and for that to be the one we work with. It would be more stable than an arbitrarily chosen date. Does that make sense? Is that what CSDs are intended for?

    -Paul

    --
    Paul Anderson, VP of Engineering, GrammaTech, Inc.
    531 Esty St., Ithaca, NY 14850
    Tel: +1 607 273-7340 x118; http://www.grammatech.com


  • 3.  RE: [sarif] SARIF spec and schema versioning

    Posted 09-28-2018 23:52
    The only changes from what Jim proposed are:

    1. I will not go through the spec after each TC meeting, changing all occurrences of "2.0.0" to "2.0.0-beta.2018.09.26" or whatever. The spec will still say that the only valid value for version is "2.0.0", but the schema will say the right number.
    2. Michael, there's an additional Step 7 where you publish the new schema to schemastore.org.

    Thanks,
    Larry