

Subject: Call for Comment: proposed Charter for Static Analysis Results Interchange Format (SARIF) TC


To OASIS Members:

A draft TC charter has been submitted to establish the OASIS Static Analysis Results Interchange Format (SARIF) TC. In accordance with the OASIS TC Process Policy section 2.2 (https://www.oasis-open.org/policies-guidelines/tc-process#formation), the proposed charter is hereby submitted for comment. The comment period shall remain open until 25 July 2017 23:59 UTC.

OASIS maintains a mailing list for the purpose of submitting comments on proposed charters. Any OASIS member may post to this list by sending email to: oasis-charter-discuss@lists.oasis-open.org. All messages will be publicly archived at: http://lists.oasis-open.org/archives/oasis-charter-discuss/. Members who wish to receive emails must join the group by selecting "join group" on the group home page: http://www.oasis-open.org/apps/org/workgroup/oasis-charter-discuss/. Employees of organizational members do not require primary representative approval to subscribe to the oasis-charter-discuss e-mail list.

A telephone conference will be held among the Convener, the OASIS TC Administrator, and those proposers who wish to attend within four days of the close of the comment period. The announcement and call-in information will be noted on the OASIS Charter Discuss Group Calendar.

We encourage member comment and ask that you note the name of the proposed TC (SARIF) in the subject line of your email message.

---

CHARTER OF THE OASIS SARIF TC
-----------------------------

Section 1: TC Charter 

(1)(a) TC Name

The name of the TC shall be "Static Analysis Results Interchange Format (SARIF) TC."


(1)(b) Statement of purpose

The purpose of the TC is to define a standard output format for static analysis tools, which will be called the Static Analysis Results Interchange Format (SARIF).

A static analysis tool is a program that examines programming artifacts in order to detect problems, without executing the program. Software developers use a variety of static analysis tools to assess the quality of their programs. To form an overall picture of program quality, developers must often aggregate the results produced by all of these tools. This aggregation is more difficult if each tool produces output in a different format. A standard output format would make it feasible for developers and teams to view, understand, interact with, and manage the results produced by all the tools that they use.

The goals of the format are:

* Comprehensively capture the range of data produced by commonly used static analysis tools.

* Be a useful format for analysis tools to emit directly, and also an effective interchange format into which the output of any analysis tool can be converted.

* Be suitable for use in a variety of scenarios related to analysis result management, and be extensible for use in new scenarios.

* Reduce the cost and complexity of aggregating the results of various analysis tools into common workflows.

* Capture information that is useful for assessing a project's compliance with corporate policy or conformance to certification standards.

* Adopt a widely used serialization format that can be parsed by readily available tools.

* Represent analysis results for all kinds of programming artifacts, including source code and object code.

(1)(c) Scope of work

The scope of work of the TC is to produce a specification that defines the SARIF format.

Specifically, the SARIF specification will describe:

* Multiple "runs" of different analysis tools in a single log file.
* The analysis tool that performs each run, including:
    * Tool name
    * Tool version
* The invocation of the analysis tool, including:
    * Command line
    * Begin and end time
* The files that were analyzed, including:
    * URI
    * MIME type
* Nested files, such as files contained within a compressed archive such as a ZIP file.
* The analysis rules that were executed.
* Information about each analysis result that was produced, including:
    * The location of the result.
    * The rule that was violated.
    * The severity of the violation.
    * Execution paths through the code that are relevant to the result.
    * Call stacks relative to the result.
    * Possible fixes for the problem.
* Notifications produced by the analysis tool, including:
    * Progress messages.
    * Configuration information.
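As an added illustration, not part of the charter or of the draft it links to: a constructed log with two runs in the shape the scope list above enumerates (per run: the tool and its version, the invocation, the artifacts analyzed, the declared rules, and results that each carry a rule, a severity level and a location), together with a small checker and the cross-tool aggregation the charter says a common format is meant to make cheap. The property names follow the later published SARIF 2.1.0 standard rather than the 2017 draft referenced here; the two tools, their rule ids and the findings are invented for the example.

```python
"""Constructed multi-run analysis log plus a checker and aggregator.
Property names follow SARIF 2.1.0; tools, rules and findings are made up."""
import json
from collections import Counter

# Constructed sample: two runs from two hypothetical tools over one source tree.
SAMPLE_LOG = json.loads(r'''
{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {"driver": {"name": "ExampleLint", "version": "1.4.0",
               "rules": [{"id": "EL001",
                          "shortDescription": {"text": "Unchecked buffer length"}}]}},
      "invocations": [{"commandLine": "examplelint --json src/",
                       "startTimeUtc": "2017-07-10T09:00:00Z",
                       "endTimeUtc": "2017-07-10T09:02:30Z"}],
      "artifacts": [{"location": {"uri": "src/net.c"}, "mimeType": "text/x-c"}],
      "results": [
        {"ruleId": "EL001", "level": "error",
         "message": {"text": "length not checked before copy"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/net.c"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "EL001", "level": "warning",
         "message": {"text": "length checked against wrong bound"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/net.c"},
                                             "region": {"startLine": 88}}}]}
      ]
    },
    {
      "tool": {"driver": {"name": "ExampleTaint", "version": "0.9",
               "rules": [{"id": "ET-SQLI",
                          "shortDescription": {"text": "SQL built from untrusted input"}}]}},
      "invocations": [{"commandLine": "exampletaint scan src/",
                       "startTimeUtc": "2017-07-10T09:05:00Z",
                       "endTimeUtc": "2017-07-10T09:11:12Z"}],
      "artifacts": [{"location": {"uri": "src/db.py"}, "mimeType": "text/x-python"}],
      "results": [
        {"ruleId": "ET-SQLI", "level": "error",
         "message": {"text": "query string built from request parameter"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"},
                                             "region": {"startLine": 17}}}]}
      ]
    }
  ]
}
''')

LEVELS = ("error", "warning", "note", "none")  # the SARIF 2.1.0 result levels


def check_run(run):
    """Return the problems found in one run, judged against the fields the
    charter's scope lists: tool name and version, an invocation, and results
    that each name a declared rule, carry a valid level and have a location."""
    problems = []
    driver = run.get("tool", {}).get("driver", {})
    if not driver.get("name"):
        problems.append("run has no tool name")
    if not driver.get("version"):
        problems.append("run has no tool version")
    if not run.get("invocations"):
        problems.append("run records no invocation")
    known_rules = {r["id"] for r in driver.get("rules", [])}
    for i, res in enumerate(run.get("results", [])):
        if res.get("ruleId") not in known_rules:
            problems.append(f"result {i}: ruleId {res.get('ruleId')!r} not declared by tool")
        if res.get("level") not in LEVELS:
            problems.append(f"result {i}: bad level {res.get('level')!r}")
        if not res.get("locations"):
            problems.append(f"result {i}: no location")
    return problems


def flatten(log):
    """Yield one flat record per result across every run: the aggregation step
    that is awkward when each tool emits its own output format."""
    for run in log["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            yield {"tool": tool, "rule": res["ruleId"], "level": res["level"],
                   "uri": loc["artifactLocation"]["uri"],
                   "line": loc["region"]["startLine"],
                   "message": res["message"]["text"]}


def summarize(log):
    """Count results per (tool, level) and per analyzed file across all runs."""
    records = list(flatten(log))
    by_tool_level = Counter((r["tool"], r["level"]) for r in records)
    by_file = Counter(r["uri"] for r in records)
    return by_tool_level, by_file


if __name__ == "__main__":
    for run in SAMPLE_LOG["runs"]:
        print(run["tool"]["driver"]["name"], "problems:", check_run(run) or "none")
    for rec in sorted(flatten(SAMPLE_LOG), key=lambda r: (r["uri"], r["line"])):
        print(f'{rec["uri"]}:{rec["line"]} [{rec["tool"]}/{rec["rule"]}/{rec["level"]}] {rec["message"]}')
    print(summarize(SAMPLE_LOG))
```

The checker is deliberately lenient about everything the scope list does not mention; a real consumer would validate against the published JSON schema instead. The point of `flatten` is that once every tool lands in the same shape, a single pass over `runs` gives the per-file and per-severity view the charter describes, with no per-tool parsing.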

The following are not within the scope of work of the TC:

* The definition or implementation of any application programming interfaces (APIs) for accessing, manipulating, or managing the information contained in a SARIF file.

* The definition or implementation of any experiences for viewing or otherwise interacting with the information contained in a SARIF file.

(1)(d) Deliverables

The TC's primary deliverable is a specification that defines the SARIF format. Projected completion date is 9 months from the date of the first meeting of the TC.

The TC may also produce other such educational or explanatory non-normative materials as it judges useful to assist in adoption of the specification.

(1)(e) IPR Mode

The TC will operate under the "RF on RAND Terms" IPR Mode.

(1)(f) Anticipated audience or users

The SARIF specification will be used by the following classes of users:

* Developers and others who use static analysis tools to measure, assess, and track the quality of their software products.

* The developers of static analysis tools, who will use it to enable their tools to produce output in the SARIF format.

* The developers of conversion tools, who will use it to write tools that convert the output of existing static analysis tools to the SARIF format.

* The developers of "result management systems" who will use it to enable their systems to consume the output from any tool that can produce the SARIF format. (A results management system consumes the output of analysis tools, and produces reports that allow teams to assess the quality of their software products and to track it over time.)

* The developers of Integrated Development Environments (IDEs), who will use it to provide experiences for viewing, interacting with, and managing the results from any analysis tool that produces results in the SARIF format.

(1)(g) Language

The TC shall conduct business in English.


Section 2: Additional Information 

(2)(a) Identification of Similar Work 

The proposers do not know of any similar or applicable work in OASIS or elsewhere.

(2)(b) First TC Meeting 

        Wednesday, September 04, 2017
        By telephone
        Sponsored by Microsoft

(2)(c) Ongoing Meeting Schedule

We will conduct one 2-hour teleconference every other week for the first three months (to produce a Committee Specification Draft). The first meeting in each month will focus on a portion of the spec comprising approximately one third of the entire spec. The second meeting in each month will focus on closing issues raised in the first meeting.
       
(2)(d) TC Proposers

* Michael Fanning - Microsoft - mikefan@microsoft.com
* Laurence J. Golding - Microsoft - lgolding@microsoft.com
* Luke Cartey - Semmle - luke@semmle.com
* Rex Jaeschke - Microsoft designee - rex@RexJaeschke.com
* Yekaterina Tsipenyuk O'Neil - Hewlett Packard Enterprise - katrina@hpe.com
* Chris Wysopal - CA Technologies - cwysopal@Veracode.com

(2)(e)  Primary Representatives' Support

* I, Steve W. Wierenga (steve.wierenga@hpe.com), as HPE Primary Representative to OASIS, confirm our support for the SARIF Technical Committee proposed charter and the participation of our organization's co-proposer [Yekaterina Tsipenyuk O'Neil] as named above.

* I, Paul Lipton, paul.lipton@ca.com, as OASIS primary representative for CA Technologies, confirm our support for this charter and endorse our listed proposer above [Chris Wysopal] as named co-proposer.

* I, Oege de Moor (oege@semmle.com), as Semmle Primary Representative to OASIS, confirm our support for the SARIF Technical Committee proposed charter and the participation of our organization's co-proposer as named above.

(2)(f) TC Convener

Ram Jeyaraman - Microsoft - ramjay@microsoft.com

(2)(g) OASIS Member Section 

None. The TC does not intend to affiliate with any Member Section. 

(2)(h) Anticipated Contributions

* Static Analysis Results Interchange Format, available at
        https://rawgit.com/lgolding/sarif-spec/master/Static%20Analysis%20Results%20Interchange%20Format%20(SARIF).html

(2)(i) FAQ Document

None at this time

(2)(j) Work Product Titles and Acronyms

* Static Analysis Results Interchange Format (SARIF)

--

/chet 
----------------
Chet Ensign
Director of Standards Development and TC Administration 
OASIS: Advancing open standards for the information society
http://www.oasis-open.org

Primary: +1 973-996-2298
Mobile: +1 201-341-1393 

