Clarify consumer responsibility when result.ruleIndex is absent

[ghost]

Clarify that when result.ruleIndex is absent, the consumer is not expected to look up the rule metadata by means of the rule's id or its GUID (although we shouldn't prevent them from doing it).

[michaelcfanning]

@eddynaka, do we have a validation rule that checks whether rules exist for results that do not have a ruleIndex? I think this is really the appropriate focus here.

[eddynaka]

Hi @michaelcfanning ,

we have the rule SARIF2012, which is 'IndexPropertiesMustBeConsistentWithArrays':
https://github.com/microsoft/sarif-sdk/blob/main/src/Sarif.Multitool.Library/Rules/SARIF1009.IndexPropertiesMustBeConsistentWithArrays.cs

which would try to verify if you have a valid index.

[michaelcfanning]

Thanks, Eddy! What's critical here is that we're clear that producers should provide this linkage between results and rules, when possible. If this is clear, we don't need to invest in providing comments/thoughts on how consumers workaround this failure.

[michaelcfanning]

@eddynaka, I don't think the rule you mentioned is what we want. The specific condition for this issue is that there is, in fact, a rule in the rules table that matches either the rule id of the rule guid (of the reporting descriptor reference) of a result, but the result doesn't have a ruleIndex pointer to it. i.e., the producer failed to properly emit ruleIndex. Does that make sense?