One contributor to a result's default display state in a viewer (see #23) is its level. The spec explains how the effect level is computed in a complicated way based on result.level, rule.defaultConfiguration.level, and applied policy.

Add an Appendix that describes this algorithm (which viewers must implement, and for which there really should be an SDK API) in terms a human can understand.

@michaelcfanning FYI.

The samples in this repo all use "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json"
which does not appear to be recognized by the viewer at https://sarifweb.azurewebsites.net/

This is a tracking item that will contain a comprehensive list of the samples we want to provide, with check boxes to mark those that are finished.

• Code flows: Demonstrate codeFlows with features such as location messages and importance.
• Code flows as "event sequences" (call stack per location).
• Stacks
• Rule metadata: Demonstrate rule metadata and its linkage with results.
• Embedded text content
• Embedded binary content
• Snippets, with text, binary, and rendered properties.
• Region and context region: Including snippets in both properties.
• Region variants: line/column, charOffset/charLength, byteOffset/byteLength, combinations.
• originalUriBaseIds: including chaining, descriptions, and top-level element with no uri.
• Complex Markdown in messages.
• external property files: including dictionary-valued external properties, array-valued external properties, and array-valued properties split across multiple files.
• internalExternalProperties
• taxonomies
• translations
• Tool plug-ins: Including rule metadata lookup in plug-ins via toolComponentReference.
• Policies: Showing override of defaultConfiguration.
• suppressed results, including use of suppression status to show review progress.
• baselines: Showing all of unchanged, updated, absent, and new results.
• logicalLocations: Including run.logicalLocations, parenting, fully qualified names, and references through index in a result.
• Integer index links: Including references to related locations, codeFlow locations, and stack locations, and showing links in both Markdown and plain-text messages.
• Fixes: Using the HTML attribute quoting example.
• Redaction of sensitive properties: Exhaustive set.
• "Arguments-only" messges.
• Multiple runs in a single log file.
• Run with no results, but with toolConfigurationNotifications and toolExecutionNotifications (including exceptions), with all different failure levels.
• Non-failure results, e.g., "pass" and "informational" (exhaustive).
• Addresses
• Attachments: both file- and run-level.
• Web requests and responses.
• Decorated name.
• Version control details
• Run automation details
• Graphs: Result-level and run-level.
• Comprehensive result (including codeFlow) driven entirely by logical locations.

Probably could add this subtlety close to where we discuss the summary of issue because it's due to the related underlying concern, truncated screen real estate.

When viewing large #'s of issues in the VS error list, if you put the uniquely qualifying data, such as the scan target file name, towards the left, it is easier for users to distinguish results.

If you preface each result with 128 characters of static text, it becomes much harder.

The first sentence should provide a concise summary of the issue. This is important because it enables the reader to quickly understand the problem and because some viewers might truncate the message to one sentence in contexts where screen real estate is limited.

Per @michaelcfanning:

We should produce documentation that describes the sample files and how they should be used by consumers. This will allow viewer developers to try to exercise the test assets in a productive way without understanding all the many nuances expressed in the SARIF spec (which is only obvious to people with a deep understanding of the spec). For example:

• The "suppressions" sample should explicitly call out that this data is designed to ensure that viewers correctly exclude or include suppressed results (and don't surprise users by showing those results in a way that suggests they are active and should be addressed).
• The originalUriBaseIds sample should be helpful for viewers that are attempting to remap relative links in a SARIF log file. If a log is viewed in an environment that maps directly to the paths expressed in an original uri base id (i.e., the local enlistment matches the analysis, or the local machine was itself used for the scan), consumers should be able to successfully stitch together working links, using other information expressed in the physical location data.

I know when we double click the path in VS Code, the editor will bring us to the exact location of the error. Do we have similar feature in web view?

In my repo, I have a file named urls.md under the docs/docs2 folder and I define the location in the following way:

         "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "docs/docs2/urls.md",
                },
                "region": {
                  "startLine": 11,
                  "startColumn": 7
                }
              }
            }
          ]

When I run this in an Azure Pipeline, the path is just not clickable. However, if I replaced the uri property with some an absolute url, such as https://bing.com, it is clickable.

Four SARIF result properties interact to determine

1. Whether a viewer should display the result by default, and
2. With what "severity" a viewer should present the result.

Those properties are level, kind, baselineState, and suppressions. The default visibility also depends on the scenario. For example, in a CI scenario, only results with baselineState: "new" should be displayed by default, while in other scenarios, the "unchaged" results should also be displayed by default.

Add an Appendix providing rules for a uniform viewer experience based on these factors.

@michaelcfanning FYI

https://dotnet.microsoft.com/en-us/download/dotnet/2.1 shows that net core 2.1 is EOL and unsupported, but docs/Multitool.md says is as a prerequisite.

The sarif.multitool I have uses netcoreapp3.1 or something as a runtime..

Does this tool work with netcore 6.x or 8.x?

... similar to the one for bug filing.

@michaelcfanning FYI