Description
According to the SARIF specification, section 3.4.4
If this artifactLocation object describes a top-level artifact and the value of its uri property (§3.4.3) is a relative reference, the artifactLocation object SHOULD contain a property named uriBaseId whose value is a string which indirectly specifies the absolute URI with respect to which that relative reference is interpreted. If the uri property contains an absolute URI, the uriBaseId property SHALL be absent. If this artifactLocation object describes a nested artifact, uriBaseId SHALL be absent.
If a SARIF consumer requires an absolute URI (for example, to display the specified artifact to a user), then it needs to resolve uriBaseId to an absolute URI, which it can then combine with the relative reference stored in the uri property.
Currently, the `uriBaseId` field contains an absolute path to the source file, starting with `file:`, and the `uri` contains a relative path starting with `file:`; however, this is not intelligible by standard SARIF consumers.
Solving the issue is very simple, as it entails either:
- Removing the `file:` prefix from the `uri` field, and leaving it as is otherwise (so the relative path to the file without any prefix), and either:
  - removing the `uriBaseId` property, which would lead to many tools just assuming the project root to be the base folder, leading to the SARIF reports also being portable (by not referencing any absolute path); after all, the property is not required by the spec, or
  - putting the absolute path of the project root, prepending `file:` and without appending the relative path of the file
- Putting the absolute path of the file, prepended by `file:`, as the `uri` property, and omitting the `uriBaseId` property, as required by the spec; this seems the worst solution of the bunch, as it is the hardest to port between systems, while a text replace with vim or CLI tooling is totally doable in any of the cases
I will open a PR going with the second option (relative paths in `uri` and absolute path of the project root in `uriBaseId`), as it seems to be the one most in line with the original intentions of the code.
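As an added illustration (not code from this project or from the issue author), the snippet below shows how a consumer that follows §3.4.4 resolves an `artifactLocation`, why the current output cannot be resolved, and what the second option produces instead. The sample location and the `/home/ci/project` root are constructed values.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample of the current output described in the issue:
# both fields carry a "file:" prefix and the uri is a relative path.
BROKEN_LOCATION = {
    "uri": "file:src/app/handler.py",
    "uriBaseId": "file:/home/ci/project/src/app/handler.py",
}
# Assumed absolute path of the checkout on the machine that ran the scan.
PROJECT_ROOT = "/home/ci/project"


def is_absolute_uri(ref: str) -> bool:
    """RFC 3986: a reference with a scheme is absolute, so per SARIF §3.4.4
    a consumer must not combine it with uriBaseId."""
    return urlsplit(ref).scheme != ""


def resolve_location(loc: dict) -> str:
    """Resolve like a spec-following consumer: an absolute uri is used as-is,
    a relative uri is joined onto uriBaseId. For the broken sample this
    returns "file:src/app/handler.py", which points at no real file."""
    uri = loc["uri"]
    base = loc.get("uriBaseId")
    if is_absolute_uri(uri) or base is None:
        return uri
    return urljoin(base, uri)


def normalize_location(loc: dict, project_root: str) -> dict:
    """Rewrite to the issue's second option: strip the "file:" prefix from
    uri, keep it relative, and set uriBaseId to the project root prefixed
    with "file:" (trailing slash so a join keeps the last directory)."""
    uri = loc["uri"]
    if uri.startswith("file:"):
        uri = uri[len("file:"):]
    uri = uri.lstrip("/")
    return {"uri": uri, "uriBaseId": "file:" + project_root.rstrip("/") + "/"}


def normalize_sarif(log: dict, project_root: str) -> dict:
    """Apply normalize_location to every result location in a SARIF log."""
    for run in log.get("runs", []):
        for result in run.get("results", []):
            for location in result.get("locations", []):
                phys = location.get("physicalLocation", {})
                if "artifactLocation" in phys:
                    phys["artifactLocation"] = normalize_location(
                        phys["artifactLocation"], project_root)
    return log
```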