
[RULE REQUEST] Avoid absolute file URIs in artifact locations #1993

Closed
ghost opened this issue Jul 14, 2020 · 0 comments · Fixed by #1996


ghost commented Jul 14, 2020

Rule metadata

  • Id: SARIF2016

  • Name: FileUrisShouldBeRelative

  • Level: note

  • Description:

    When an artifact location refers to a file on the local file system, specify a relative reference for the uri property and provide a uriBaseId property, rather than specifying an absolute URI.

    There are several advantages to this approach:

    Portability: A log file that contains relative references together with uriBaseId properties can be interpreted on a machine where the files are located at a different absolute location.

    Determinism: A log file that uses uriBaseId properties has a better chance of being “deterministic”; that is, of being identical from run to run if none of its inputs have changed, even if those runs occur on machines where the files are located at different absolute locations.

    Security: The use of uriBaseId properties avoids the persistence of absolute path names in the log file. Absolute path names can reveal information that might be sensitive.

    Semantics: Assuming the reader of the log file (an end user or another tool) has the necessary context, they can understand the meaning of the location specified by the uri property, for example, “this is a source file”.

  • User-facing strings:

    • Default: {0}: The file location '{1}' is specified with an absolute URI. Prefer a relative reference together with a uriBaseId property.

Links/Additional Information

See the SARIF Specification, §3.4.4: uriBaseId property

Implementation Notes

The analyzer should examine all URI-valued properties except for those the spec requires to be absolute. The arguments in favor of relative references and uriBaseIds apply equally well to result locations, related locations, code flow locations, stack frame locations, and so on.

How to resolve

The simplest approach is for the tool to assign a uriBaseId symbol (we recommend 'SCAN_ROOT') to the directory the tool was instructed to scan, and express all file URIs relative to SCAN_ROOT.
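The check this rule describes and the SCAN_ROOT resolution it recommends, written out as an added Python example; this is not code from the issue or from the SARIF SDK's own analyzer, the SARIF log it inspects is constructed, and it assumes the caller knows the scan root URI:

```python
from urllib.parse import urlparse

SCAN_ROOT_ID = "SCAN_ROOT"  # the uriBaseId symbol the issue recommends

SAMPLE_LOG = {  # constructed SARIF 2.1.0 log, not from any real scan
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleScanner"}},
        "results": [{
            "ruleId": "EX0001", "message": {"text": "constructed finding"},
            # absolute file URI: the case SARIF2016 flags
            "locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "file:///C:/src/proj/src/main.c"}}}],
            # relative reference plus uriBaseId: the recommended form
            "relatedLocations": [{"physicalLocation": {"artifactLocation": {
                "uri": "src/util.c", "uriBaseId": SCAN_ROOT_ID}}}],
        }],
    }],
}

def _artifact_locations(node, pointer="", skip=("originalUriBaseIds",)):
    """Yield (JSON pointer, object) for every object with a string 'uri'.
    originalUriBaseIds is skipped: the spec expects absolute URIs there."""
    if isinstance(node, dict):
        if isinstance(node.get("uri"), str):
            yield pointer, node
        for key, value in node.items():
            if key not in skip:
                yield from _artifact_locations(value, f"{pointer}/{key}", skip)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _artifact_locations(value, f"{pointer}/{index}", skip)

def find_absolute_file_uris(log):
    """SARIF2016 check: (pointer, uri) for every absolute file: URI."""
    return [(ptr, loc["uri"]) for ptr, loc in _artifact_locations(log)
            if urlparse(loc["uri"]).scheme == "file"]

def make_relative(run, scan_root_uri):
    """Rewrite file URIs under scan_root_uri as references relative to
    SCAN_ROOT and record the root in originalUriBaseIds; returns the count."""
    root = scan_root_uri.rstrip("/") + "/"
    changed = 0
    for _, loc in _artifact_locations(run):
        if loc["uri"].startswith(root):
            loc["uri"] = loc["uri"][len(root):]
            loc["uriBaseId"] = SCAN_ROOT_ID
            changed += 1
    if changed:
        run.setdefault("originalUriBaseIds", {})[SCAN_ROOT_ID] = {"uri": root}
    return changed
```

Locations whose absolute URI lies outside the scan root are left untouched by make_relative, so the check still reports them afterwards.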

