In order to effectively compare two equivalent tool runs expressed as SARIF, it is useful to verify whether the log files were produced by tool configuration with equivalent functional behaviors.

The tool version provides some help here. The tool invocation data also provides some assistance, in cases where things like the command-line arguments are exactly equivalent.

Tools can be parameterized by things referred to on the command-line (such as scripts that drive analysis, or plug-ins that are delay-loaded). These things can be versioned out-of-sync with the tool.

Additionally, some tools discover plug-ins at runtime, from well-known locations (that aren't explicit on a command-line).

It is difficult or impossible to specify SARIF that can accommodate the range of tool behaviors. But have we done enough on the problem of handling rule scripts/plug-ins versioning that is typical of tools such as Semmle? Fortify also has flexible rules customization/authoring. et al.