I hope this isn't going to make me unpopular, but I really want to revisit this issue.
I've re-read the contents of issue #20 and conclude that the standard would be better if we allowed tools to specify a numeric value for the severity of a rule and a result.
In issue #20 it was argued that the "level" property is intended to represent severity. Fair enough, but that property conflates another concept that I consider different; roughly speaking it's the response of the checker.
The problem I'm facing is that most of the tools I work with (not just CodeSonar) specify positive results that indicate a potential problem with the code, and they mostly specify a severity that is more precise than can be expressed with level. In the current spec, if the checker yields a warning, then level can be "note", "warning" or "error". None of the other values for level appear to be useful for this category of tools. That only gives me three values, and this isn't nearly enough resolution. Given that we have already conceded that level can indicate severity, why not allow it to be specified with more precision?
I don't buy the argument that it is equally good to put this information in a property bag. As a Sarif importer, this mandates special code for each Sarif generator because it is unlikely that all tools will agree on the name of the property, and the domain of its values.
Consequently I propose that we have a "severity" property that is an integer from zero to 100 where higher values indicate higher severity. I don't feel strongly about the domain. A float from 0.0 to 1.0 would be just as good.
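The interoperability point above (a property-bag severity needs one adapter per generator, while a standard numeric field does not), as an added example that is not part of the issue thread or any SARIF tool: the tool names, property-bag keys, the proposed `severity` key and the fallback numbers are constructed assumptions.

```python
"""Added example: derive one 0..100 severity from SARIF results of different tools."""

# Coarse fallback when only the SARIF "level" is available: three usable values
# ("note", "warning", "error"), so every result lands on one of three numbers.
# Mapping values are an assumption for this example.
LEVEL_TO_SEVERITY = {"note": 25, "warning": 50, "error": 75}

# Hypothetical per-tool adapters for severity stashed in the property bag.
# Each generator picks its own property name and value domain, so the importer
# carries one adapter per tool. Tool names, keys and domains are constructed.
PROPERTY_BAG_ADAPTERS = {
    "ToolA": lambda props: props["rank"] / 10.0 * 100,                 # 0..10 float
    "ToolB": lambda props: {"low": 20, "medium": 50, "high": 90}[props["sev"]],
}


def result_severity(tool_name, result):
    """Return an integer 0..100 for one SARIF result object.

    Preference order: the proposed standard 'severity' property (assumed key),
    then a tool-specific property-bag adapter, then the coarse level mapping.
    """
    if "severity" in result:
        sev = result["severity"]
        if not 0 <= sev <= 100:
            raise ValueError(f"severity out of range: {sev!r}")
        return int(sev)
    adapter = PROPERTY_BAG_ADAPTERS.get(tool_name)
    if adapter is not None:
        try:
            return int(round(adapter(result.get("properties", {}))))
        except (KeyError, TypeError, ValueError):
            pass  # property missing or malformed for this tool; fall through
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), 50)


def severities(sarif_log):
    """Return [(ruleId, severity), ...] across all runs of a SARIF log dict."""
    out = []
    for run in sarif_log["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run["results"]:
            out.append((res["ruleId"], result_severity(tool, res)))
    return out


# Constructed sample log: two runs from two tools, one result using the proposed field.
SAMPLE_LOG = {"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "ToolA"}}, "results": [
        {"ruleId": "A1", "level": "warning", "properties": {"rank": 8.5}},
        {"ruleId": "A2", "level": "warning"}]},
    {"tool": {"driver": {"name": "ToolB"}}, "results": [
        {"ruleId": "B1", "level": "error", "properties": {"sev": "high"}},
        {"ruleId": "B2", "level": "note", "severity": 63}]}]}
```

Result A2 shows the resolution loss the comment describes: with no property-bag value it can only be scored from its level, so it ties with every other "warning".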