Add 'SARIF and Signatures' section

2025-12-16 09:13:04 +01:00 · 2023-12-06 14:09:51 -08:00
parent 68ce4ab5aa
commit 95a6aaed6a
1 changed files with 18 additions and 0 deletions
--- a/notes/README.org
+++ b/notes/README.org
@@ -296,6 +296,24 @@ Name: automationDetails, dtype: object
    And repeat [[*Run using embedded repls][Run using embedded repls]], then
    [[*Check if =automationDetails= or its value is in output][Check if =automationDetails= or its value is in output]]

+* SARIF and Signatures
+
+  ‘signature’ here is e.g., struct_graph_LGTM in ./sarif_cli/signature_single.py
+
+  The signatures are those produced by codeql in the past.  They are not meant to
+  be updated frequently; they arose and are used as follows.
+  1. The SARIF standard is quite loose, with many optional fields.
+  2. For producing CSV tabular output (and for internal table processing), the
+     sarif-cli tool needed an exact signature.  Using existing SARIF files was a
+     straightforward way to get a signature.
+  3. When a SARIF file contains extra keys, a warning is issued but processing
+     continues.
+  4. When a sarif file is missing an entry that’s in the signature, a fatal error
+     is issued.
+
+  The only time you need to update the signature is when you get fatal errors —
+  there will be a detailed message about expected vs. found fields.
+
 * Footnotes
   #+HTML: </div>