michaelcfanning
commented
1 year ago The interesting question to me here is how this property s/be differentiated from the existing SARIF rank property.
One possible answer is that precision is a metric that's very focused on a specific ranking aspect: the relative accuracy/precision of the analysis itself. If we set a precedent for this kind of value, should we consider other focused metrics that might be useful inputs into a triage process? e.g., 'likelihood to occur', 'relative impact', 'visibility to users'.
Relative impact is a kind of numeric expression for the new severity value you've proposed. Are we heading towards a situation where we have property pairs? i.e., a numeric expressions from 0.0 to 100.0 coupled with a four-level, readable priority (note, warning, errror, critical).
katrinaoneil
ShiningMassXAcc
Originally filed as https://github.com/oasis-tcs/sarif-spec/issues/598, split into more focused component issues.
GitHub Advanced Security's code scanning feature recognises precision levels, currently read from the
propertiesbag of a SARIFreportingDescriptorobject, and sorts alerts by them. GitHub CodeQL populates this property in its SARIF output, and the property is recognised for other code scanning tools.Docs: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
Using the property bag was a pragmatic measure to provide this functionality without requiring a SARIF spec change. For SARIF 2.2 I propose we make
precisionan accepted property on areportingDescriptoror aresult, with the same accepted values that GitHub consumes today:very-high,high,medium,low, or omitted entirely. SARIF producer tools can use this property to indicate the tool's own confidence in the precision of the result, or for a rule, how often the results indicated by this rule are true.cc @michaelcfanning