Subject: Re: [sarif] First Draft Statement of Relationship to Similar Work
Larry,
Since SARIF is centric to the SCA space and TOIF is not, when it comes to a focused comparison restricted to the SCA space, the two distinctions "lowest common denominator / advanced tools" and "convert / modify" capture the key differences quite well.
The distinction of "convert / modify" may seem a minute technical detail, but it is not.
TOIF is in a broader space of software assurance, where an SCA tool produces but one kind of evidence. Other kinds of evidence are produced by dynamic analysis tools, vulnerability scanning tools, OVAL tools, manual testing, etc.
Within the SCA space, TOIF normalizes the output of SCA tools so that their findings can be used as evidence for software assurance. There are other kinds of evidence that are either reported by tools other than SCA, or are not produced by tools whatsoever, so there is no tool to modify (but there is output to convert). Therefore the TOIF ecosystem involves converters.
I think that removing the second distinction "convert / modify" may introduce an unwanted bias into the comparison by skipping an important aspect related to how the ecosystem of each standard is evolving.
To your point, when the "convert" approach is used in SARIF, it will address a common denominator between participating tools, not advanced information, would it not? When the "modify existing tool" or even "build a new tool" approach is used in TOIF, this leads to no contradictions to its objectives.
The good news is that both SARIF and TOIF can be working together to address both the SCA space and the larger software assurance space.
I think we have a balanced statement (see modified statement below) claiming that both SARIF and TOIF address the software assurance space, where TOIF normalizes and integrates the output of static analysis tools and other artifacts as evidence for software assurance, plus the original two points "advanced / low denominator" and "modify / convert".
A minor edit: remove the word "input" in the following:
"TOIF's strategy involves creating adapters from various tools to the reporting format, and as such, it is focused on integrating the diverse (it is actually "output" rather than input)
What do you think?
Best regards,
Nick
TOIF normalizes and integrates the output of static analysis tools and other artifacts as evidence for software assurance.