Clarify guidance for 'partialFingerprints' components #122

Closed
vScottLouvau opened this Issue Mar 12, 2018 · 1 comment

vScottLouvau commented Mar 12, 2018

The SARIF spec doesn't talk much about what should be in a toolFingerprintContribution (though Appendix B hints at it).

We were talking about normalizing file URLs, and realized our scanners will see files in different paths (or by URL) at runtime and we'll have to normalize them. We will likely want to write a single codebase to do this consistently.

This, in turn, means that scanners which use the file path (absolute or an attempted URL or 'repo-relative' path) in the toolFingerprintContribution may make contributions which are unusable across environments because the paths will be different and the overall fingerprints won't match. It's unlikely a path normalizer could safely normalize a path and try to find the part of a fingerprint which was an uncorrected path.

Probably the easiest way to resolve this in the spec is to say that the toolFingerprintContribution should not use the file path or hash as a factor, and could be unique only within a given normalized file url. Further, we could say that a tool associating results with one another should use the combination of the fingerprint and a normalized file name or path to associate them, which will add the "which file" component of the mapping safely, after normalization can be done.
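The following is an added example, not code from the issue, the SARIF spec, or the project. It shows the two points the issue makes: a partial fingerprint that bakes in the file path stops matching as soon as the same repository is scanned from a different checkout location, while a fingerprint built only from path-independent factors (rule id plus normalized snippet), paired with a separately normalized repo-relative path, correlates correctly. The result shape, field names (`ruleId`, `uri`, `snippet`), rule ids and checkout roots are constructed for the example and are not SARIF's own schema.

```python
"""Added example (not from the issue or the SARIF spec): keep the file path out
of the partial fingerprint and let the consumer add the 'which file' part after
it has normalized paths itself.

The result dicts below are a simplified, constructed stand-in for SARIF results;
the field names are assumptions for this example only.
"""
from __future__ import annotations

import hashlib
from urllib.parse import unquote, urlparse


def normalize_path(uri: str, repo_roots: list[str]) -> str:
    """Reduce an absolute path or file URI to a repo-relative, forward-slash path.

    repo_roots lists the checkout locations seen on each machine (assumption:
    the consumer knows them, e.g. from configuration).
    """
    path = uri
    if uri.startswith("file:"):
        path = unquote(urlparse(uri).path)
        # file:///D:/... parses to /D:/...; drop the leading slash before a drive letter
        if len(path) > 2 and path[0] == "/" and path[2] == ":":
            path = path[1:]
    path = path.replace("\\", "/")
    for root in repo_roots:
        root_norm = root.replace("\\", "/").rstrip("/") + "/"
        if path.lower().startswith(root_norm.lower()):
            return path[len(root_norm):]
    return path  # unknown root: leave as-is rather than guess


def path_dependent_fingerprint(result: dict) -> str:
    """The pattern the issue warns about: the path is a fingerprint factor."""
    material = f"{result['ruleId']}|{result['uri']}|{result['snippet']}"
    return hashlib.sha256(material.encode()).hexdigest()


def path_independent_fingerprint(result: dict) -> str:
    """Fingerprint from factors that are stable wherever the file is checked out.

    Unique only within a file; the consumer supplies the file component.
    """
    snippet = " ".join(result["snippet"].split())  # tolerate whitespace differences
    material = f"{result['ruleId']}|{snippet}"
    return hashlib.sha256(material.encode()).hexdigest()


def correlation_key(result: dict, repo_roots: list[str]) -> tuple[str, str]:
    """(normalized path, partial fingerprint): the pairing proposed in the issue."""
    return (normalize_path(result["uri"], repo_roots), path_independent_fingerprint(result))


def match_runs(baseline: list[dict], current: list[dict], repo_roots: list[str]):
    """Split the current run into (matched, new, fixed) by correlation key."""
    base_keys = {correlation_key(r, repo_roots): r for r in baseline}
    cur_keys = {correlation_key(r, repo_roots): r for r in current}
    matched = [cur_keys[k] for k in cur_keys if k in base_keys]
    new = [cur_keys[k] for k in cur_keys if k not in base_keys]
    fixed = [base_keys[k] for k in base_keys if k not in cur_keys]
    return matched, new, fixed


# Constructed sample: the same repository scanned on a Windows CI agent (file URIs)
# and on a Linux developer machine (absolute paths).
REPO_ROOTS = ["D:\\a\\1\\s", "/home/dev/src/repo"]
BASELINE = [
    {"ruleId": "SEC001", "uri": "file:///D:/a/1/s/src/Auth.cs", "snippet": 'var key = "hardcoded";'},
    {"ruleId": "SEC002", "uri": "file:///D:/a/1/s/src/Db.cs", "snippet": "Execute(sql + input);"},
]
CURRENT = [
    {"ruleId": "SEC001", "uri": "/home/dev/src/repo/src/Auth.cs", "snippet": 'var key = "hardcoded";'},
    {"ruleId": "SEC003", "uri": "/home/dev/src/repo/src/Net.cs", "snippet": "ServerCertificateValidationCallback = (a, b, c, d) => true;"},
]

if __name__ == "__main__":
    matched, new, fixed = match_runs(BASELINE, CURRENT, REPO_ROOTS)
    print("matched:", [r["ruleId"] for r in matched])  # ['SEC001']
    print("new:", [r["ruleId"] for r in new])  # ['SEC003']
    print("fixed:", [r["ruleId"] for r in fixed])  # ['SEC002']
    # The path-dependent variant never matches across the two machines:
    print(path_dependent_fingerprint(BASELINE[0]) == path_dependent_fingerprint(CURRENT[0]))  # False
```

Run it as a script; SEC001 correlates across the two environments only because the path is normalized outside the fingerprint. Whitespace normalization of the snippet is one more stability choice a tool author would make deliberately; anything that varies between environments but is not semantically part of the finding belongs outside the fingerprint.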

michaelcfanning Mar 14, 2018

Contributor

Clarification of text addressing existing design with no proposed change to standard and therefore approved for CSD.1

@lgolding lgolding self-assigned this Apr 5, 2018

@michaelcfanning michaelcfanning changed the title from Clarify guidance for 'toolFingerprintContribution' components to Clarify guidance for 'partialFingerprints' components Apr 27, 2018

@lgolding lgolding closed this May 3, 2018
