Description
I'm experimenting with adding graph objects (§3.39) to GCC's SARIF output.
If I'm reading the 2.1.0 spec correctly, SARIF graph objects can be defined at the run level or at the result level.
A node object within a graph (either directly, or recursively as part of children of other nodes) "SHOULD have a property named location whose value is a location object (§3.28) that specifies the location associated with the node."
If a node's location object has relationships (§3.28.7), then those locationRelationship objects (§3.34) "SHALL contain a property named target whose value is a non-negative integer which identifies theTarget (see §3.34.1) among all location objects (§3.28) in theResult by virtue of being equal to theTarget.id (§3.28.2)."
IIRC we're generalizing this in SARIF 2.2 so that a locationRelationship's target index can refer to locations in a notification.
Is it possible to have a locationRelationship in a location within a node in a graph? Presumably:
- if the graph is within a `result` then `theResult` makes sense, and the indexes would refer to the result's locations.
- if the graph is at the `run` level, then there isn't a result with a `locations` array; am I right in thinking that therefore such graph node locations can't have relationships?
In my case, the graphs I'm adding are in a property bag of a threadFlowLocation object (for describing the predicted memory layout at a point in analysis). In this case, the property bag is ultimately within a result (via the codeFlow holding the threadFlowLocation), but I wonder if it's safe to add location relationships to nodes in such a graph?
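
A consumer-side check for the resolution rule quoted above, as an added example that is not part of the original issue or of GCC's code: it collects every location id reachable from a result and reports relationship targets that match none, plus any relationships on run-level graph nodes. It assumes locations nested in property bags count as belonging to the enclosing result (the open question in this issue); the sample run and the `example/layout` key are constructed.

```python
LOCATION_LISTS = {"locations", "relatedLocations"}

def walk_locations(obj, key=None):
    """Yield every location object nested under obj, property bags included."""
    if isinstance(obj, dict):
        # threadFlow.locations holds threadFlowLocations, which wrap a "location".
        if key == "location" or (key in LOCATION_LISTS and "location" not in obj):
            yield obj
        for k, v in obj.items():
            yield from walk_locations(v, k)
    elif isinstance(obj, list):
        for item in obj:
            yield from walk_locations(item, key)

def targets(loc):
    return [rel.get("target") for rel in loc.get("relationships", [])]

def check_run(run):
    problems = []
    for i, result in enumerate(run.get("results", [])):
        locs = list(walk_locations(result))
        ids = {l["id"] for l in locs if isinstance(l.get("id"), int) and l["id"] >= 0}
        for loc in locs:
            problems += [f"results[{i}]: target {t} matches no location id"
                         for t in targets(loc) if t not in ids]
    # Assumption from the post: a run-level graph has no theResult to resolve against.
    for loc in walk_locations(run.get("graphs", [])):
        problems += [f"run.graphs: target {t} has no enclosing result" for t in targets(loc)]
    return problems

def node(node_id, loc_id, *rel_targets):
    """Build a constructed graph node whose location carries relationships."""
    rels = [{"target": t, "kinds": ["relevant"]} for t in rel_targets]
    return {"id": node_id, "location": {"id": loc_id, "relationships": rels}}

# Constructed sample; "example/layout" is a hypothetical property-bag key.
SAMPLE_RUN = {
    "graphs": [{"nodes": [node("g0", 5, 0)]}],
    "results": [{
        "locations": [{"id": 0}],
        "codeFlows": [{"threadFlows": [{"locations": [{
            "location": {"id": 1},
            "properties": {"example/layout": {"nodes": [node("n0", 2, 0, 1), node("n1", 3, 7)]}},
        }]}]}],
    }],
}

if __name__ == "__main__":
    print("\n".join(check_run(SAMPLE_RUN)))
```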