

Subject: RE: [EXTERNAL] Re: [sarif] Draft IANA registration for media type application/sarif+json


Thanks, Jim, that's very helpful. Here's an update.

The next step (optional, but "strongly encouraged" by RFC 6838 §5.1) is to solicit "community review" by sending our draft to media-type@iana.org. After that we can submit our "Application for Media Type" using the online form at https://www.iana.org/form/media-types.

I'll wait until Monday afternoon to give everybody else a chance to comment.

Thanks,
Larry
 

-----Original Message-----
From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of James Kupsch
Sent: Friday, April 3, 2020 12:41 PM
To: sarif@lists.oasis-open.org
Subject: [EXTERNAL] Re: [sarif] Draft IANA registration for media type application/sarif+json

Larry,

Two comments on other fields and other answers below.  The other fields look good to me.

Thanks,
Jim

--------
For the contact for further information field, should the OASIS SARIF mailing list be included in addition (or in place of)?  I don't know if this is used for completing the registration process or for long-term contact information.  For long term, an OASIS email might be good to have as it might exist after you and Michael retire.

--------
For the Intended Usage field, something could be added to the free-form field such as:

Intended to be used by the software development community as a common interchange format for the results of static analysis tools.



On 4/3/20 1:05 PM, Larry Golding (Myriad Consulting Inc) wrote:
> Please take a look and give feedback.
> 
>   * I don't know what to put for "interoperability consideration".

I would say "None".  Based on the examples in RFC 6838, I do not think 
that there are any known interoperability issues, nor can I think of any.

> 
>   * I don't know what to put for "restrictions on usage".

I would say "None" based on RFC 6838.

> 
>   * The list of "applications that use this media type" isn't intended
>     to be exhaustive, but if you want to add something (especially I
>     think Jim will want to add some SWAMP tools) just let me know.

I think that you can just add

SWAMP (Software Assurance Marketplace, http://www.continuousassurance.org/)

The SWAMP can produce SARIF output from all the tools available in 
the SWAMP (still waiting for a bit of UI work to make it publicly 
available).

> 
>   * Also if I've misnamed any of the tools please let me know.
>     CodeHawk-C was formerly KT-Advance.
> 
>   * Let me know if you want to provide something for "Any other
>     information" at the bottom.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.oasis-open.org%2Fapps%2Forg%2Fworkgroup%2Fportal%2Fmy_workgroups.php&amp;data=02%7C01%7Cv-lgold%40microsoft.com%7C48cfaf71b8484b5d42cd08d7d806e646%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637215396456115863&amp;sdata=j7lt0taDwCcA3hGwvYoZ5pZ5qxBnmxNYoe78U5J6p4g%3D&amp;reserved=0
> 


Type name: application

Subtype name: sarif+json

Required parameters: N/A

Optional parameters: N/A

Encoding considerations: UTF-8 only

Security considerations:

- The use of absolute paths in analysis result location URIs might reveal sensitive information about the machine on which the scan was performed.
- The use of the hostname component in analysis result location URIs might reveal the network location of the machine on which the scan was performed.
- The use of raw HTML in message strings expressed in Markdown might allow arbitrary code execution (for example, through javascript: links).
- The use of deeply nested constructs in Markdown message strings might lead to stack overflow in some Markdown implementations.
- Certain properties of the SARIF object model might reveal information about the machine on which a scan was run. (The specification allows such properties to be omitted or "redacted".)
- Certain properties of the SARIF object model (such as the command line that invoked the analysis tool) can contain arbitrary commands which might damage a machine on which they are run.

Interoperability considerations: N/A

Published specification: Static Analysis Results Interchange Format (SARIF) Version 2.1.0. Edited by Michael C. Fanning and Laurence J. Golding. 27 March 2020. OASIS Standard. https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html. Latest stage: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html.

Applications that use this media type: The following list is not exhaustive:

- CodeHawk-C
- Fortify
- Microsoft C#/VB compilers
- Microsoft C++ compiler code analysis (PREfast)
- Semmle
- SWAMP (Software Assurance Marketplace) (https://continuousassurance.org)
- Clients of the .NET SARIF SDK (https://github.com/microsoft/sarif-sdk)

Fragment identifier considerations: N/A

Additional information:

  Deprecated alias names for this type: N/A
  Magic number(s): N/A
  File extension(s): .sarif, .sarif.json
  Macintosh file type code(s): N/A

Person & email address to contact for further information: Michael C. Fanning (mikefan@microsoft.com) and Laurence J. Golding (v-lgold@microsoft.com)

Intended usage: LIMITED USE

Restrictions on usage: N/A

Author: OASIS Static Analysis Results Interchange Format (SARIF) TC (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif)

Change controller: OASIS Open (https://www.oasis-open.org/)

Provisional registration? (standards tree only): No
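The "Security considerations" section of the draft registration above describes what a consumer of application/sarif+json should watch for. The following is an added example (not code from the SARIF TC, the SARIF SDK, or this thread) of a small linter that walks a SARIF 2.1.0 log and reports each of those conditions: absolute paths and hostname components in result location URIs, raw HTML or `javascript:` links and excessive nesting in Markdown message strings, and the presence of a recorded command line. The property names (`runs`, `invocations[].commandLine`, `results[].message.markdown`, `locations[].physicalLocation.artifactLocation.uri` / `uriBaseId`) come from the SARIF 2.1.0 object model; the sample log, the nesting threshold and the regular expressions are this example's own assumptions.

```python
"""Lint a SARIF 2.1.0 log for the conditions listed under "Security
considerations" in the draft application/sarif+json registration.

Added example, not TC or SDK code. Property names follow the SARIF 2.1.0
object model; thresholds, regexes and the sample log are assumptions."""
import json
import re
from urllib.parse import urlsplit

# Constructed sample log: three results that each trip a different check.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleAnalyzer"}},
        "invocations": [{"commandLine": "analyzer --src /home/alice/proj -o out.sarif"}],
        "results": [
            {"ruleId": "EX001",
             "message": {"text": "Tainted value reaches a sink.",
                         "markdown": "Tainted value, see [details](javascript:alert(1))"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "file:///home/alice/proj/src/main.c"}}}]},
            {"ruleId": "EX002",
             "message": {"text": "Deeply nested markdown.",
                         "markdown": "> " * 21 + "deep quote"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "src/util.c", "uriBaseId": "SRCROOT"}}}]},
            {"ruleId": "EX003",
             "message": {"text": "Hostname in location."},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "file://build-server-07/work/src/net.c"}}}]},
        ],
    }],
})

RAW_HTML_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")           # any HTML-looking tag
JS_LINK_RE = re.compile(r"\(\s*javascript\s*:", re.IGNORECASE)  # [text](javascript:...)
MAX_MARKDOWN_DEPTH = 16  # assumed limit; tune to the Markdown renderer in use


def markdown_nesting_depth(md: str) -> int:
    """Approximate nesting: leading '>' markers plus one level per 4 spaces of indent."""
    depth = 0
    for line in md.splitlines():
        prefix = re.match(r"^[\s>]*", line).group(0)
        quotes = prefix.count(">")
        depth = max(depth, quotes + (len(prefix) - quotes) // 4)
    return depth


def check_message(message: dict) -> list:
    """Flag raw HTML, javascript: links and excessive nesting in message.markdown."""
    findings = []
    md = message.get("markdown")
    if not md:
        return findings
    if RAW_HTML_RE.search(md):
        findings.append("raw HTML in markdown message")
    if JS_LINK_RE.search(md):
        findings.append("javascript: link in markdown message")
    depth = markdown_nesting_depth(md)
    if depth > MAX_MARKDOWN_DEPTH:
        findings.append(f"markdown nesting depth {depth} exceeds {MAX_MARKDOWN_DEPTH}")
    return findings


def check_location_uri(uri: str) -> list:
    """Flag a hostname component or an absolute path in an artifactLocation.uri."""
    findings = []
    parts = urlsplit(uri)
    if parts.hostname:
        findings.append(f"hostname {parts.hostname!r} in location URI {uri!r}")
    path = parts.path if parts.scheme else uri
    if path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path):
        findings.append(f"absolute path in location URI {uri!r}")
    return findings


def lint_sarif(log_text: str) -> list:
    """Return (json-path, description) pairs for every security-relevant finding."""
    log = json.loads(log_text)
    findings = []
    for ri, run in enumerate(log.get("runs", [])):
        for ii, inv in enumerate(run.get("invocations", [])):
            if "commandLine" in inv:
                findings.append((f"runs[{ri}].invocations[{ii}]",
                                 "commandLine present: treat as untrusted data, never re-execute"))
        for xi, result in enumerate(run.get("results", [])):
            where = f"runs[{ri}].results[{xi}]"
            findings += [(where, f) for f in check_message(result.get("message", {}))]
            for loc in result.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if uri:
                    findings += [(where, f) for f in check_location_uri(uri)]
    return findings


if __name__ == "__main__":
    for where, what in lint_sarif(SAMPLE_SARIF):
        print(f"{where}: {what}")
```

Run against the sample log, the linter reports six findings: the recorded command line, the `javascript:` link and absolute path on the first result, the over-deep blockquote on the second, and both the hostname and the absolute path on the third; the `uriBaseId`-relative location on the second result is the pattern the registration's "redacted" remark points toward and produces no finding. The nesting heuristic is deliberately coarse; a consumer that renders Markdown should size the threshold to its own parser's limits.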

