Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
What part(s) of the article would you like to see updated?
| Name | Description |
| --- | --- |
| name | Optional. The name of the rule. Code scanning displays the name to allow results to be filtered by rule on GitHub. |
Should mention:
SARIF2012: Rule metadata should provide information that makes it easy to understand and fix the problem. Provide the 'name' property, which contains a "friendly name" that helps users see at a glance the purpose of the rule. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'. Provide the 'helpUri' property, which contains a URI where users can find detailed information about the rule. This information should include a detailed description of the invalid pattern, an explanation of why the pattern is poor practice (particularly in contexts such as security or accessibility where driving considerations might not be readily apparent), guidance for resolving the problem (including describing circumstances in which ignoring the problem altogether might be appropriate), examples of invalid and valid patterns, and special considerations (such as noting when a violation should never be ignored or suppressed, noting when a violation could cause downstream tool noise, and noting when a rule can be configured in some way to refine or alter the analysis).
Additional information
Through a couple of levels of indirection, this page links to this page:
https://sarifweb.azurewebsites.net/Validation
And when I tried to validate my SARIF file (checking the GitHub ingestion rules option), the validator screamed at me.
See steps to reproduce in: #20872 (comment)
Details of a separate problem...
Each item in this page should mention length and other constraints as well...
| Name | Description |
| --- | --- |
| name | Optional. The name of the rule. Code scanning displays the name to allow results to be filtered by rule on GitHub. |
| shortDescription.text | Required. A concise description of the rule. Code scanning displays the short description on GitHub next to the associated results. |
| fullDescription.text | Required. A description of the rule. Code scanning displays the full description on GitHub next to the associated results. The max number of characters is limited to 1000. |
fullDescription.text is limited to 1000 chars, but name and shortDescription.text aren't limited?
Content changes required to close this issue
- Update the description for the name field for the reportingDescriptor object to state that there are no restrictions on the format of the string.
- Add a note to the section on Validating your SARIF file:
  - Tell people that if there is a discrepancy between the SARIF validator results and the specification, the specification is correct.
  - Try uploading their SARIF file using the REST API with the validation flag.
  - When the validation flag is enabled, any validation errors are returned as the response body, with an error code immediately. This is a good method for debugging any errors that aren't detected by the SARIF validator, or cases where the validator and schema contradict each other.
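A small checker, added here as an example (not code from the docs, the validator or GitHub), that applies the constraints this issue discusses to the rules array of a SARIF log: the ingestion requirements from the docs table are reported as errors and the validator's SARIF2012 advice as warnings. That error/warning split, the Pascal-case regex and the sample rules are this example's own assumptions.

```python
import re

# Constraints taken from the docs table quoted above and the SARIF2012 message.
MAX_FULL_DESCRIPTION = 1000
# Assumed reading of "single Pascal-case identifier": starts upper-case, alphanumeric.
PASCAL_CASE = re.compile(r"^[A-Z][A-Za-z0-9]*$")


def check_rule(rule, index):
    """Return (errors, warnings) for one reportingDescriptor object."""
    errors, warnings = [], []
    rule_id = rule.get("id", f"<rule #{index}>")

    # Docs table: shortDescription.text and fullDescription.text are required,
    # and fullDescription.text is capped at 1000 characters.
    if not rule.get("shortDescription", {}).get("text"):
        errors.append(f"{rule_id}: shortDescription.text is required")
    full = rule.get("fullDescription", {}).get("text")
    if not full:
        errors.append(f"{rule_id}: fullDescription.text is required")
    elif len(full) > MAX_FULL_DESCRIPTION:
        errors.append(f"{rule_id}: fullDescription.text is {len(full)} chars, "
                      f"max {MAX_FULL_DESCRIPTION}")

    # SARIF2012 (validator advice, not an ingestion requirement): friendly
    # Pascal-case 'name' and a 'helpUri' should be provided.
    name = rule.get("name")
    if name is None:
        warnings.append(f"{rule_id}: SARIF2012: no 'name' provided")
    elif not PASCAL_CASE.match(name):
        warnings.append(f"{rule_id}: SARIF2012: name {name!r} is not Pascal-case")
    if not rule.get("helpUri"):
        warnings.append(f"{rule_id}: SARIF2012: no 'helpUri' provided")
    return errors, warnings


def check_sarif(doc):
    """Walk every run's tool.driver.rules and aggregate errors and warnings."""
    errors, warnings = [], []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for i, rule in enumerate(rules):
            e, w = check_rule(rule, i)
            errors += e
            warnings += w
    return errors, warnings


# Constructed sample: EX001 satisfies everything, EX002 trips every check.
SAMPLE = {"runs": [{"tool": {"driver": {"name": "demo", "rules": [
    {"id": "EX001", "name": "ExampleRule", "helpUri": "https://example.invalid/EX001",
     "shortDescription": {"text": "Short."}, "fullDescription": {"text": "Full."}},
    {"id": "EX002", "name": "example rule", "fullDescription": {"text": "x" * 1001}},
]}}}]}
```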