Include Finding ID in CodeTF Only When Provided by the Tool
In cases where a tool does not provide a finding identifier that has the same semantics as [guid from SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/sarif-v2.1.0-errata01-os-complete.html#_Toc141790891), codemodder does more harm than good when it uses some fallback value to satisfy the required field constraint. I know this, because I'm currently working on the data model for correlating codemod changes to tool issues :-)

We should make the result identifier for fixed / unfixed findings optional. If the tool provides a result ID, then codemodder shall use it. But when the tool provides no such identifier (Snyk 👀), codemodder should not make one up.
gilday committed Aug 19, 2024
1 parent ce7ada1 commit 2e5d6a0
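To make the commit message's point concrete, the following is an added example and not codemodder's or CodeTF's own code. It mirrors the before/after `required` lists of this commit with a minimal stand-in for the schema check, then shows why a fabricated `id` defeats correlation across scans: two findings for the same issue get two different made-up values, whereas an omitted `id` lets a consumer fall back to something stable. The sample findings, the guid, the rule ids and the rule-plus-path fallback are all constructed for illustration; the fallback in particular is an assumption of this example, not a rule of the CodeTF specification.

```python
"""Finding identity with and without a tool-provided id.

Added example; not codemodder's or CodeTF's own code. The `required` lists mirror
the before/after state of this commit; the findings, rule ids and the
rule-plus-path fallback used for findings without an id are constructed for
illustration and are not part of the CodeTF specification.
"""
from __future__ import annotations

import uuid

# `required` for fixedFinding / unfixedFinding before and after this commit.
OLD_REQUIRED = ["id", "rule"]
NEW_REQUIRED = ["rule"]

# Constructed sample findings (not real scanner output).
# A SARIF-style tool supplies a stable guid; a tool without result identifiers does not.
WITH_GUID = {
    "id": "2d0c8e3a-5b1f-4c8e-9f0d-1a2b3c4d5e6f",  # hypothetical guid
    "rule": {"id": "java/sql-injection"},
    "path": "src/main/java/Dao.java",
    "reason": "unsupported sink",
}
WITHOUT_ID = {
    "rule": {"id": "java/sql-injection"},
    "path": "src/main/java/Dao.java",
    "reason": "unsupported sink",
}


def validate_finding(finding: dict, required: list[str]) -> list[str]:
    """Stand-in for the schema's `required` and `type: string` checks on a finding.

    Returns the list of validation errors (empty when the finding is acceptable).
    Note that an empty string still satisfies both checks.
    """
    errors = [f"missing required property: {key}" for key in required if key not in finding]
    if "id" in finding and not isinstance(finding["id"], str):
        errors.append("id must be a string")
    return errors


def with_fallback_id(finding: dict) -> dict:
    """What the old `required: ["id", ...]` pushed producers toward: invent a value.

    Every call mints a fresh uuid, so the same finding gets a different id each scan.
    """
    return {**finding, "id": str(uuid.uuid4())}


def finding_key(finding: dict) -> tuple:
    """Identity used to decide whether two findings are the same issue across scans.

    Prefer the tool's own non-empty id (SARIF `guid` semantics). Otherwise fall
    back to rule id plus path, an assumption of this example, not CodeTF's rule.
    """
    tool_id = finding.get("id")
    if tool_id:
        return ("id", tool_id)
    return ("rule+path", finding["rule"]["id"], finding["path"])


def same_issue(a: dict, b: dict) -> bool:
    """True when two findings (typically from different scans) denote the same issue."""
    return finding_key(a) == finding_key(b)


if __name__ == "__main__":
    print(validate_finding(WITHOUT_ID, OLD_REQUIRED))  # old schema rejects it
    print(validate_finding(WITHOUT_ID, NEW_REQUIRED))  # new schema accepts it
    # Two scans of the same code: fabricated ids never match, omitted ids fall back.
    print(same_issue(with_fallback_id(WITHOUT_ID), with_fallback_id(WITHOUT_ID)))
    print(same_issue(WITHOUT_ID, dict(WITHOUT_ID)))
```

The `finding_key` helper also treats `"id": ""` as absent, which the schema after this commit does not do on its own: an empty string still passes `type: string` with no `minLength`, so a consumer that keys purely on `id` would silently merge every empty-id finding into one.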
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions codetf.schema.json
@@ -268,22 +268,22 @@
"properties": {
"id": {
"type": "string",
"description": "A unique identifier for the finding (e.g. 'guid' from SARIF)"
"description": "A unique identifier for the finding, if provided by the detection tool. Concerning logically equivalent findings across scans, this identifier has the same semantics as `guid` from SARIF."
},
"rule": {
"$ref": "#/definitions/detector/rule",
"description": "The rule that detected the issue"
}
},
"additionalProperties": true,
"required": ["id", "rule"]
"required": ["rule"]
},
"unfixedFinding": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "A unique identifier for the finding (e.g. 'guid' from SARIF)"
"description": "A unique identifier for the finding, if provided by the detection tool. Concerning logically equivalent findings across scans, this identifier has the same semantics as `guid` from SARIF."
},
"rule": {
"$ref": "#/definitions/detector/rule",
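Review bot: dropping `"id"` from `required` for `fixedFinding` still lets a producer satisfy the schema with `"id": ""`, so a wrapper that used to fill in a fallback value can keep doing so with an empty string and consumers will treat it as a real identifier; add `"minLength": 1` to the `id` property so that either a tool-provided identifier is present or the key is absent. The new description also reads awkwardly ("Concerning logically equivalent findings across scans, this identifier has the same semantics as `guid` from SARIF"); something like "When present, this identifier is stable across scans for logically equivalent findings, with the same semantics as `guid` in SARIF" states the contract more directly. Since the same `id` property text now appears verbatim in both `fixedFinding` and `unfixedFinding`, a shared definition under `#/definitions` referenced via `$ref`, as `rule` already is, would keep the two descriptions from drifting apart.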
@@ -303,7 +303,7 @@
}
},
"additionalProperties": true,
"required": ["id", "rule", "path", "reason"]
"required": ["rule", "path", "reason"]
},
"rule": {
"type": "object",
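Review bot: removing `"id"` from `required` on `unfixedFinding` is a compatibility change for consumers rather than producers: code written against the previous schema could read the finding's `id` unconditionally and will now hit a missing key, and the only signal that the value may be absent is the phrase "if provided by the detection tool" in the description. Record this in the schema's version and changelog, and state explicitly that producers must omit the key rather than synthesize a value, because with `"additionalProperties": true` and no format constraint on `id` a validator has no way to reject a fabricated identifier.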
