Re: [sarif] Interoperability testing

[David Keaton <dmk@dmk.com>]

Chet,

     I'm not sure I understand.  Most of the implementations are 
commercial, and would not be able to contribute their source code.

     However, an open repo could be used for the sample code to be 
analyzed, and for the results.  We could put it in a subdirectory of the 
repo we have now.

https://github.com/oasis-tcs/sarif-spec

     Maybe I'm misunderstanding, though.

					David

On 2018-10-16 12:34, Chet Ensign wrote:
> That's the idea. I thought that the bake-off could become the initial 
> code and then it could take on a life of its own - sort of an ongoing 
> bake-off.
>
> On Tue, Oct 16, 2018 at 12:29 PM Larry Golding (Myriad Consulting Inc) 
> <v-lgold@microsoft.com <mailto:v-lgold@microsoft.com>> wrote:
>
>     Chet, are you proposing a repo to which each bake-off participant
>     would contribute their implementation?____
>
>     __ __
>
>     *From:* sarif@lists.oasis-open.org
>     <mailto:sarif@lists.oasis-open.org> <sarif@lists.oasis-open.org
>     <mailto:sarif@lists.oasis-open.org>> *On Behalf Of *Chet Ensign
>     *Sent:* Monday, October 15, 2018 7:24 AM
>     *To:* David Keaton <dmk@dmk.com <mailto:dmk@dmk.com>>
>     *Cc:* OASIS SARIF TC Discussion List <sarif@lists.oasis-open.org
>     <mailto:sarif@lists.oasis-open.org>>
>     *Subject:* Re: [sarif] Interoperability testing____
>
>     __ __
>
>     Larry, David, would this be a good candidate for an Open Repo?
>     https://www.oasis-open.org/policies-guidelines/open-repositories
>     <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.oasis-open.org%2Fpolicies-guidelines%2Fopen-repositories&data=02%7C01%7Cv-lgold%40microsoft.com%7C2d24827d51894b1bddd708d632a9e512%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636752102648181725&sdata=4uR9EyyVs0F%2BeRPDa1ORmY%2BL5Sr3t4BBqkpAGDqGD6c%3D&reserved=0>____
>
>     __ __
>
>     You could use it to launch the bakeoff and then it could continue
>     onwards. ____
>
>     __ __
>
>     /chet____
>
>     __ __
>
>     On Fri, Oct 12, 2018 at 8:40 PM David Keaton <dmk@dmk.com
>     <mailto:dmk@dmk.com>> wrote:____
>
>             That's right. The idea is to toss different vendors' tools
>         together and see if they work. For example, one vendor's static
>         analysis tool might be paired with another vendor's
>         visualization tool
>         to see if the latter can consume the SARIF emitted by the
>         former. It
>         might also be worthwhile to try combining the SARIF output of
>         two or
>         three vendors' static analysis tools on the same code, and see
>         if the
>         resulting SARIF makes sense (either by hand or by feeding it into a
>         visualization tool).
>
>          Â Â Â Each vendor that participates gets to advertise that
>         fact, and
>         often the process helps people shake out the bugs in their
>         implementations.
>
>          Â Â Â When security protocols are involved, sometimes people
>         get points
>         for crashing someone else's code, but I don't think we need to
>         go that
>         far. :-)
>
>          Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â David
>
>         On 10/11/2018 03:52 PM, Larry Golding (Myriad Consulting Inc) wrote:
>          > Thanks David! Could you tell us more about how a bake-off
>         works? Do a set of tool vendors implement SARIF support in their
>         tools, and we evaluate the results (perhaps by examining the
>         files by hand, perhaps by opening them in the Visual Studio
>         viewer)? Is there some sort of incentive to participate ("SARIF
>         mug to the best implementation!" ð)?
>          >
>          > Larry
>          >
>          > -----Original Message-----
>          > From: sarif@lists.oasis-open.org
>         <mailto:sarif@lists.oasis-open.org> <sarif@lists.oasis-open.org
>         <mailto:sarif@lists.oasis-open.org>> On Behalf Of David Keaton
>          > Sent: Thursday, October 11, 2018 8:04 AM
>          > To: sarif@lists.oasis-open.org
>         <mailto:sarif@lists.oasis-open.org>
>          > Subject: [sarif] Interoperability testing
>          >
>          >Â Â Â Â OASIS arranged a talk about SARIF with WhiteSource
>         this morning, because they are thinking of joining the TC. I
>         attended so I could answer some questions for them. The
>         WhiteSource people had an excellent idea which I thought I would
>         pass along.
>          >
>          >Â Â Â Â After the SARIF standard is published, they suggested
>         a bake-off to demonstrate interoperability between tools
>         supporting SARIF. This sort of thing is especially common for
>         IETF standards where many vendors are expected to interoperate
>         with each other, and it would be a good fit for SARIF.
>          >
>          >Â Â Â Â There is no need to devote resources to this before
>         our document is published, but it's a good thing to keep in mind
>         going forward.
>          >
>          >Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â ÂDavid
>          >
>          >
>         ---------------------------------------------------------------------
>          > To unsubscribe from this mail list, you must leave the OASIS
>         TC that generates this mail. Follow this link to all your TCs
>         in OASIS at:
>          >
>         https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.oasis-open.org%2Fapps%2Forg%2Fworkgroup%2Fportal%2Fmy_workgroups.php&amp;data=02%7C01%7Cv-lgold%40microsoft.com%7C55b75bc14ac449974d4208d62f8abee7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636748670298135664&amp;sdata=Pv4qwByKWaL4o168Ae15oeST6%2B3%2Fr83gBy0qHbvVwnM%3D&amp;reserved=0
>         <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.oasis-open.org%2Fapps%2Forg%2Fworkgroup%2Fportal%2Fmy_workgroups.php&data=02%7C01%7Cv-lgold%40microsoft.com%7C2d24827d51894b1bddd708d632a9e512%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636752102648181725&sdata=ffhRLoW%2FF9zecryzjDbg3KGAoJ4pkzG%2FoCOokCH2MCE%3D&reserved=0>
>          >
>
>
>         ---------------------------------------------------------------------
>         To unsubscribe from this mail list, you must leave the OASIS TC
>         that
>         generates this mail. Follow this link to all your TCs in OASIS at:
>         https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>         <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.oasis-open.org%2Fapps%2Forg%2Fworkgroup%2Fportal%2Fmy_workgroups.php&data=02%7C01%7Cv-lgold%40microsoft.com%7C2d24827d51894b1bddd708d632a9e512%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636752102648181725&sdata=ffhRLoW%2FF9zecryzjDbg3KGAoJ4pkzG%2FoCOokCH2MCE%3D&reserved=0>
>         ____
>
>
>     ____
>
>     __ __
>
>     -- ____
>
>
>     /chet
>     ----------------____
>
>     Chet Ensign____
>
>     Chief Technical Community Steward
>     OASIS: Advancing open standards for the information society
>     http://www.oasis-open.org
>     <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.oasis-open.org&data=02%7C01%7Cv-lgold%40microsoft.com%7C2d24827d51894b1bddd708d632a9e512%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636752102648181725&sdata=Dq5x%2BkmWWHHvBUEOAj1%2B5iDjFeRPsNJvUtiGvVDnQPA%3D&reserved=0>
>
>     Primary: +1 973-996-2298
>     Mobile: +1 201-341-1393 ____
>
>
>
> --
>
> /chet
> ----------------
> Chet Ensign
> Chief Technical Community Steward
> OASIS: Advancing open standards for the information society
> http://www.oasis-open.org
>
> Primary: +1 973-996-2298
> Mobile: +1 201-341-1393