Clarify guidance for 'partialFingerprints' components #122
The SARIF spec doesn't talk much about what should be in a toolFingerprintContribution (though Appendix B hints at it).
We were talking about normalizing file URLs, and realized our scanners will see files in different paths (or by URL) at runtime and we'll have to normalize them. We will likely want to write a single codebase to do this consistently.
This, in turn, means that scanners which use the file path (absolute or an attempted URL or 'repo-relative' path) in the toolFingerprintContribution may make contributions which are unusable across environments because the paths will be different and the overall fingerprints won't match. It's unlikely a path normalizer could safely normalize a path and try to find the part of a fingerprint which was an uncorrected path.
Probably the easiest way to resolve this in the spec is to say that the toolFingerprintContribution should not use the file path or hash as a factor, and could be unique only within a given normalized file URL. Further, we could say that a tool associating results with one another should use the combination of the fingerprint and a normalized file name or path to associate them, which will add the "which file" component of the mapping safely, after normalization can be done.
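Worked example of the proposal above (added here for illustration; it is not code from this issue, from the SARIF spec, or from any SARIF tool). It shows the failure mode first: a fingerprint that folds the raw location in differs between a CI checkout and a developer's Windows machine, so the same finding never correlates. It then computes a path-free fingerprint that is only unique within a file, normalizes each location to a repo-relative POSIX path against a list of known build roots, and correlates the two runs on (normalized path, fingerprint). The sample results, the `ROOTS` list, the `EX001` rule id, and the choice of hashing rule id plus snippet are all constructed assumptions.

```python
import hashlib
import posixpath
from urllib.parse import unquote, urlparse

# Constructed sample data: one rule, one identical snippet reported in two files,
# as seen by a Linux CI run and by a Windows developer run of the same scanner.
ROOTS = ["/home/ci/build", "C:\\Users\\dev\\proj"]  # assumed known checkout roots

RUN_CI = [
    {"ruleId": "EX001", "uri": "file:///home/ci/build/src/app/auth.py",
     "snippet": "pw = request.args['pw']"},
    {"ruleId": "EX001", "uri": "file:///home/ci/build/src/app/admin.py",
     "snippet": "pw = request.args['pw']"},
]
RUN_DEV = [
    {"ruleId": "EX001", "uri": "file:///C:/Users/dev/proj/src/app/auth.py",
     "snippet": "pw = request.args['pw']"},
    # Some tools emit a bare OS path instead of a URI; the normalizer must cope.
    {"ruleId": "EX001", "uri": "C:\\Users\\dev\\proj\\src\\app\\admin.py",
     "snippet": "pw = request.args['pw']"},
]


def _hash(*parts):
    """Stable SHA-256 over the components, NUL-separated so ("ab","c") != ("a","bc")."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.encode("utf-8"))
        h.update(b"\x00")
    return h.hexdigest()[:16]


def fingerprint_with_path(result):
    """The brittle form: the raw location is a factor, so it breaks across environments."""
    return _hash(result["ruleId"], result["uri"], result["snippet"])


def fingerprint_without_path(result):
    """The proposed form: no path or file hash; only unique within a single file."""
    return _hash(result["ruleId"], result["snippet"])


def normalize_uri(uri, roots):
    """Reduce a file: URI or an OS path to a repo-relative POSIX path."""
    parsed = urlparse(uri)
    if parsed.scheme == "file":
        path = unquote(parsed.path)
        # file:///C:/x parses to "/C:/x"; drop the leading slash for drive paths.
        if len(path) >= 3 and path[0] == "/" and path[2] == ":":
            path = path[1:]
    else:
        path = uri  # bare OS path (urlparse would mistake "C:" for a scheme)
    path = posixpath.normpath(path.replace("\\", "/"))
    for root in roots:
        root = posixpath.normpath(root.replace("\\", "/"))
        # Root prefix compared case-insensitively (assumption: Windows-style roots).
        if path.lower().startswith(root.lower() + "/"):
            return path[len(root) + 1:]
    return path  # unknown root: leave as-is so the caller can see it did not match


def match_key(result, roots):
    """The association key the issue proposes: normalized path + path-free fingerprint."""
    return (normalize_uri(result["uri"], roots), fingerprint_without_path(result))


def correlate(run_a, run_b, roots):
    """Pair results across two runs. Returns (matched, only_in_a, only_in_b)."""
    index_b = {match_key(r, roots): r for r in run_b}
    matched, only_in_a = {}, []
    for r in run_a:
        key = match_key(r, roots)
        if key in index_b:
            matched[key] = (r, index_b.pop(key))
        else:
            only_in_a.append(r)
    return matched, only_in_a, list(index_b.values())


if __name__ == "__main__":
    print("with path, CI vs dev :", fingerprint_with_path(RUN_CI[0]),
          fingerprint_with_path(RUN_DEV[0]))
    print("without path, CI vs dev:", fingerprint_without_path(RUN_CI[0]),
          fingerprint_without_path(RUN_DEV[0]))
    matched, a_only, b_only = correlate(RUN_CI, RUN_DEV, ROOTS)
    for key in matched:
        print("matched", key)
    print("unmatched:", len(a_only), len(b_only))
```

Note the second half of the point: because `auth.py` and `admin.py` carry the same snippet, their path-free fingerprints collide, and only adding the normalized path back at association time keeps them apart. That is the reason the proposal pairs the fingerprint with a normalized location rather than trying to normalize a path that was baked into the fingerprint.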