OASIS Static Analysis Results Interchange Format (SARIF) TC Meeting #24 September 26, 2018

Acting chair: David

Chat transcript from room: sarif
From 2018-09-26 16:30 UTC until 18:30 UTC (planned)

1. Call to Order and Welcome

Chair: Called the meeting to order.

2. Roll call

All participants recorded their attendance on the OASIS meeting calendar - quorum was reached.

All participants were kindly encouraged to register themselves, to optimize the use of the shared time during the meeting, in one of two ways: either click the link with the text "Register my attendance" on the top of the event page or directly visit the per-event "record my attendance" link:
https://www.oasis-open.org/apps/org/workgroup/sarif/record_my_attendance.php?event_id=47655&confirmed=1, Thanks

Details cf. normative attendance sheet for this meeting (event_id=47655).

2.1 Participants

David Keaton      (Individual)              - Chair
Henny Sipma       (Kestrel Technology)      - Voting Member
Jim Kupsch        (SWAMP)                   - Voting Member
Laurence Golding  (Microsoft)               - Voting Member
Luke Cartey       (Semmle)                  - Chair
Michael Fanning   (Microsoft)               - Voting Member
Paul Anderson     (GrammaTech, Inc.)        - Voting Member
Paul Seay         (Northrop Grumman)        - Member
Stefan Hagen      (Individual)              - Secretary
Sunny Chatterjee  (Microsoft)               - Voting Member
Vamshi Basupalli  (SWAMP)                   - Voting Member
Yekaterina O'Neil (Micro Focus)             - Voting Member

3. Review Agenda

Agenda draft published at https://www.oasis-open.org/committees/download.php/63963/agenda_20180926.html - content given below to support the reader:

Agenda for September 26, 2018
MEETING OF OASIS SARIF TECHNICAL COMMITTEE
Time 09:30-11:30 PDT / 16:30-18:30 UTC
Meeting Chat Location: http://webconf.soaphub.org/conf/room/sarif
Meeting Audio: https://meet.lync.com/microsoft/mikefan/0WBKZZD2
1. Opening Activities

1.1 Opening comments (Co-Chair Keaton)
1.2 Introduction of participants/roll call (Co-Chair Cartey)
1.3 Procedures for this meeting (Co-Chair Keaton)
1.4 Approval of agenda (Co-Chair Keaton)
1.5 Approval of previous minutes [Minutes of 2018-09-12 Meeting#23] (Co-Chair Keaton)
1.6 Review of action items and resolutions (Secretary Hagen)
1.7 Identification of SARIF TC voting members (Co-Chair Cartey)
1.7.1 Prospective members attending their first meeting
1.7.2 Members attaining voting rights at the end of this meeting
1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
1.7.4 Members who previously lost voting rights who are attending this meeting
1.7.5 Members who have declared a leave of absence
2. Timeline Status

2.1 Note where we are on the schedule [SARIF TC Timeline] (Co-Chair Keaton)
         - Working on CSD 2, with 57 open issues, 1 less than last time
3. Future Meetings

3.1 Future meeting schedule (Co-Chair Keaton)
Scheduled teleconferences (Wednesdays at 09:30 PDT / 16:30 UTC for two hours)
October 10
October 24
Proposed teleconferences (Wednesdays at 09:30 PST / 17:30 UTC for two hours)
Note that these dates are after daylight savings time ends.
November 14
November 28
December 12
January 9
Proposed face-to-face meeting
January 23-24, location TBD
4. Document Progress (Co-Editors Golding and Fanning)

4.1 Editors' report
4.2 Approval of changes
Discuss the following items individually, then vote on them together unless someone would like to separate out an issue for individual vote.
4.2.1 Consider making file.hashes a dictionary [#243]
4.2.2 Consider removing type inconsistency with message property in exception object [#240]
4.2.3 Rename startTime/endTime to startTimeUtc and endTimeUtc [#242]
4.2.4 Rename versionControlDetails.uri to repositoryUri or projectUri [#244]
4.2.5 Objects without property bags [#238]
4.2.6 Wrap externalized files with contextual information [#235]
4.2.7 Consider making originalUriBaseIds a dictionary of file location objects [#234]
4.2.8 Why is the 'results' array required? [#232]
4.2.9 We do not have an automationGuid to match automationLogicalId [#229]
4.2.10 Suggestion: require uriBaseId to be case-insensitive [#208]
4.2.11 Changes to threadflowLocation [#202] [#194]
4.3 Discussions
4.3.1 Any other document items that need to be discussed
5. Other Business

6. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)

6.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
6.2 Review of Decisions Reached (Secretary Hagen)
6.3 Review of Action Items (Secretary Hagen)
7. Next Meeting

October 10, 2018 / 09:30-11:30 PDT / 16:30-18:30 UTC
8. Adjournment

Note: Issue URLs are constructed by appending the issue number (without the '#') to the base URL https://github.com/oasis-tcs/sarif-spec/issues/
Pull requests similarly refer to base URL https://github.com/oasis-tcs/sarif-spec/pull/ but, to better distinguish them from issues, they are encoded as PR#$number, where $number represents the number of the pull request.

Agenda adopted unchanged as published

4. Approval of previous minutes

4.1 Approval of minutes from 2018-09-12 Meeting #23

Minutes at https://www.oasis-open.org/committees/download.php/63920/sarif-minutes-20180912-meeting-23.html

Minutes approved unchanged as published

5. Future Meetings

5.1 Future meeting schedule (Teleconferences)

David: Approved list of proposed teleconferences.

Scheduled teleconferences (Wednesdays at 09:30 PDT / 16:30 UTC for two hours)
  October 10
  October 24
Proposed teleconferences (Wednesdays at 09:30 PST / 17:30 UTC for two hours)
Note that these dates are after daylight savings time ends.
  November 14
  November 28
  December 12
  January 9
Proposed face-to-face meeting
  January 23-24, location TBD

Paul Seay: What would be your time zone preference for that meeting?

David: For the face-to-face meeting? Any time zone is great.

Paul Seay: Can you provide details of expectations of a host?

David Keaton: Will do, after this meeting.

Paul Seay: Thanks.

6. Document Progress

6.1 Editor's report

Michael and Laurence walked the TC through the editors' report at https://github.com/oasis-tcs/sarif-spec/blob/master/EditorsReports/Editor's%20report%202018-09-26.md.

6.2 Approval of Changes

Discussed the following items individually, then voted on them together, since nobody asked to separate out an issue for individual vote.

Larry: I move to accept the following changes, with the specified amendments:

===================================================================================
#243 file.hashes a dictionary

Amended:
--------
string-string dictionary, remove Hash object.

===================================================================================
#240 exception.message consistency

No changes

===================================================================================
#242 utc times

Amended:
--------
versionControlDetails.revisionTimeUtc => asOfTimeUtc
Change semantics to clarify that it's an arbitrary time, not necessarily a "commit".

===================================================================================
#244 versionControlDetails.uri => repositoryUri

No changes

===================================================================================
#238 Ubiquitous property bags

No changes

===================================================================================
#235 externalizedProperties

Amended:
--------
The version of the external file format => the version of the SARIF specification.
Remove propertySchema, propertyName
Update "The property value property" to not refer to "propertyName" which is gone.
Remove 3.11.3 properties property
Remove braces on runInstanceGuid
Define externalFile object
  fileLocation, required
    Semantics: if fileLocation.uri is a relative reference and uriBaseId is missing, it's interpreted relative to the root file location.
  instanceGuid, required
Add instanceGuid to external file schema, required.


Action: MF: New issue: should resources use the deconstructed file mechanism IN ADDITION TO existing "probing" mechanism?

===================================================================================
#234 originalUriBaseIds dictionary

No changes

===================================================================================
#232 condition for missing results[]

Amended:
Missing only if tool failed to start.
SHALL BE absent => MAY BE

===================================================================================

Seconded

David: APPROVED.

Michael: I have filed issue #252 to track the resource probing discussion

6.2.1 #243 - Consider making file.hashes a dictionary [#243]

David: Make it a string-to-string dictionary and remove the hash object.

6.2.2 #240 - Consider removing type inconsistency with message property in exception object [#240]

Nothing noted

6.2.3 #242 - Rename startTime/endTime to startTimeUtc and endTimeUtc [#242]

David:

Semantics for revisionTimeUtc is not what was intended.
Proposal: use syncTimeUtc instead.
Change semantics to explain that it is not a revision time.
Revised proposal: asOfTimeUtc

6.2.4 #244 - Rename versionControlDetails.uri to repositoryUri or projectUri [#244]

Nothing noted

6.2.5 #238 - Objects without property bags [#238]

Nothing noted

6.2.6 #235 - Wrap externalized files with contextual information [#235]

Larry:

Version of the external file format should be version of the SARIF specification.
remove propertyName
remove propertySchema

Michael:

update "property value" property due to above edits
Also remove the section on "properties" property.

Jim:

would like an instance GUID for each external file
for relative URIs, make them relative to this SARIF file

6.2.7 #234 - Consider making originalUriBaseIds a dictionary of file location objects [#234]

David: From Larry's e-mail on this topic:

The idea is to be able to specify a hierarchy of URI base ids under a common root. With the current design, you have to say this:

{
  "originalUriBaseIds": {
    "SOURCE_ROOT": "file:///C:/repos/MyProject/src/",
    "TEST_SOURCE_ROOT": "file:///C:/repos/MyProject/src/tests/",
    "BIN_ROOT": "file:///C:/repos/MyProject/bin"
  },
  ...
}

With the proposed design, you can say this:

{
  "originalUriBaseIds": {
    "PROJECT_ROOT": {
      "uri": "file:///C:/repos/MyProject/"
    },
    "SOURCE_ROOT": {
      "uri": "src/",
      "uriBaseId": "PROJECT_ROOT"
    },
    "TEST_SOURCE_ROOT": {
      "uri": "tests/",
      "uriBaseId": "SOURCE_ROOT"
    },
    "BIN_ROOT": {
      "uri": "bin/",
      "uriBaseId": "PROJECT_ROOT"
    }
  },
  ...
}

Now only one of the original uriBaseIds is non-deterministic, and a consumer that rebases URIs from one machine to another need only prompt the user for one location.
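Added example (not part of the minutes, Larry's e-mail, or any SARIF tool): a small Python resolver for the proposed originalUriBaseIds design above. It goes slightly beyond the e-mail by also resolving an individual fileLocation against the resolved base ids, by letting a consumer rebase the log by overriding a root id (the "one location" prompt mentioned above), and by rejecting cyclic or dangling uriBaseId chains, which a consumer of untrusted SARIF files needs to do. The function names, the overrides parameter and the sample run fragment are constructed for this example; only the base id layout comes from the e-mail.

```python
"""Resolve chained SARIF originalUriBaseIds (issue #234 proposal).

Added example; not code from the SARIF specification or any SARIF tool.
Names such as resolve_base_ids, resolve_location, is_well_formed and the
overrides parameter are assumptions made for this illustration.
"""
from urllib.parse import urljoin

# Constructed sample, mirroring the proposed design in Larry's e-mail.
SAMPLE_ORIGINAL_URI_BASE_IDS = {
    "PROJECT_ROOT": {"uri": "file:///C:/repos/MyProject/"},
    "SOURCE_ROOT": {"uri": "src/", "uriBaseId": "PROJECT_ROOT"},
    "TEST_SOURCE_ROOT": {"uri": "tests/", "uriBaseId": "SOURCE_ROOT"},
    "BIN_ROOT": {"uri": "bin/", "uriBaseId": "PROJECT_ROOT"},
}


def resolve_base_ids(original_uri_base_ids, overrides=None):
    """Return {uriBaseId: absolute URI} for a dictionary of file location objects.

    Each value is {"uri": ..., "uriBaseId": <optional parent id>}. A uri with a
    parent is joined onto the parent's resolved URI (RFC 3986 rules via urljoin,
    so base URIs should end with "/"). `overrides` maps a base id to a replacement
    absolute URI, which is how a consumer rebases a log onto another machine
    after prompting for just the root. Cycles and references to unknown ids
    raise ValueError instead of recursing without bound.
    """
    overrides = overrides or {}
    resolved = {}

    def resolve(base_id, chain):
        if base_id in resolved:
            return resolved[base_id]
        if base_id in chain:
            raise ValueError("uriBaseId cycle: " + " -> ".join(chain + [base_id]))
        if base_id not in original_uri_base_ids:
            raise ValueError("unknown uriBaseId: " + base_id)
        location = original_uri_base_ids[base_id]
        parent = location.get("uriBaseId")
        if base_id in overrides:
            uri = overrides[base_id]          # consumer-supplied rebasing
        elif parent is None:
            uri = location["uri"]             # a root: the only machine-specific value
        else:
            uri = urljoin(resolve(parent, chain + [base_id]), location["uri"])
        resolved[base_id] = uri
        return uri

    for base_id in original_uri_base_ids:
        resolve(base_id, [])
    return resolved


def resolve_location(file_location, resolved_base_ids):
    """Turn a fileLocation {"uri": ..., "uriBaseId": ...} into an absolute URI."""
    base_id = file_location.get("uriBaseId")
    if base_id is None:
        return file_location["uri"]
    if base_id not in resolved_base_ids:
        raise ValueError("unknown uriBaseId: " + base_id)
    return urljoin(resolved_base_ids[base_id], file_location["uri"])


def is_well_formed(original_uri_base_ids):
    """True if every uriBaseId chain terminates in a root without cycles or gaps."""
    try:
        resolve_base_ids(original_uri_base_ids)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    resolved = resolve_base_ids(SAMPLE_ORIGINAL_URI_BASE_IDS)
    for base_id, uri in resolved.items():
        print(base_id, "=>", uri)
    # Rebase the whole hierarchy by overriding only the root.
    rebased = resolve_base_ids(
        SAMPLE_ORIGINAL_URI_BASE_IDS, {"PROJECT_ROOT": "file:///home/ci/MyProject/"}
    )
    print(resolve_location({"uri": "main.c", "uriBaseId": "TEST_SOURCE_ROOT"}, rebased))
```

The cycle and unknown-id checks matter because a SARIF log is often produced by one party and consumed by another; without them a crafted log can send a viewer into unbounded recursion or resolve a location against a base it never declared.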

6.2.8 #232 - Why is the 'results' array required? [#232]

Jim: would like the results array to be optionally absent (e.g. if the run failed after initial configuration succeeded)

6.2.9 #229 - We do not have an automationGuid to match automationLogicalId [#229]

Michael: table this for discussion later

6.2.10 #208 - Suggestion: require uriBaseId to be case-insensitive [#208]

Nothing noted

7. Next meeting

October 10, 2018 / 09:30-11:30 PDT / 16:30-18:30 UTC

8. Any Other Business and Adjourn

No other business. Adjourned.