Subject: Raw chat trace of meeting #1 on 2017-SEP-06


[17:35] [Microsoft] Ram Jeyaraman: Event details (call-in information): https://www.oasis-open.org/apps/org/workgroup/sarif/manage/modify_event.php?day=&event_id=45798
[17:36] [Microsoft] Ram Jeyaraman: Draft Agenda:
Roll call (and confirm voting members) [Convener]
Review agenda [Convener]
Election of Chair(s) [Convener]
Election of Secretary and Specification Editor(s) [Chair]
Review TC charter and timeline, and call for contributions [Chair]
Overview of TC process and tools (including Jira bug tracking) [TC administrator]
Acknowledge and review contributions [Chair]
Future meetings (teleconference meetings plus potential future F2F meetings)
Any other business
[17:37] [Microsoft] Ram Jeyaraman: Welcome to the first meeting of the OASIS SARIF Technical Committee!
[18:01] [Microsoft] Ram Jeyaraman: We will start in a few minutes as members are dialing in.
[18:15] [Microsoft] Ram Jeyaraman: Voting members of this TC:
[18:15] [Microsoft] Ram Jeyaraman: Chris Wysopal, CA Technologies
Kevin Greene, DHS Office of Cybersecurity and Communications (CS&C)
Paul Anderson, GrammaTech, Inc.
Yekaterina ONeil, Hewlett Packard Enterprise (HPE)
Stefan Hagen, Individual
David Keaton, Individual
Douglas Smith, Kestrel Technology
Michael Fanning, Microsoft
Laurence Golding, Microsoft
Ram Jeyaraman, Microsoft
Larry Hines, Novell
Philip Royer, Phantom
Luke Cartey, Semmle
Duncan Sparrell, sFractal Consulting LLC
Vamshi Basupalli, SWAMP
Jim Kupsch, SWAMP
Mel Llaguno, Synopsys
[18:26] Larry Golding: I move that we appoint David Keaton and Luke Cartey as co-Chairs of the SARIF TC.
[18:26] Stefan Hagen: I second
[18:30] [Microsoft] Ram Jeyaraman: No further discussion
[18:30] [Microsoft] Ram Jeyaraman: No objection to unanimous consent. Motion passes.
[18:31] [Individual] David Keaton morphed into [Co-Chair] David Keaton
[18:32] Larry Golding: I nominate Stefan Hagen as TC secretary.
[18:34] [Microsoft] Ram Jeyaraman: Michael Fanning seconds. No objections. Stefan is elected as Secretary of this TC.
[18:35] [Microsoft] Ram Jeyaraman: Stefan, are you able to take notes from this point on?
[18:35] [Microsoft] Michael C. Fanning: I nominate Larry Golding as specification editor
[18:35] Larry Golding: I nominate myself and Michael Fanning as co-Editors of the specification.
[18:35] Stefan Hagen: @Ram:Yes, thank you!
[18:35] Stefan Hagen: I second the nominations
[18:36] Stefan Hagen: Nominations closed
[18:36] Stefan Hagen: No discussion
[18:38] Stefan Hagen: No objections. Larry and Michael are elected as co-Editors of this specification
[18:38] Stefan Hagen: Now topic TC Charter and Timeline
[18:38] Larry Golding: I have a timeline
[18:40] [Microsoft] Ram Jeyaraman: Charter: https://www.oasis-open.org/apps/org/workgroup/sarif/message.php/201708/msg00000.html
[18:41] Stefan Hagen: Publicly accessible link to charter: https://lists.oasis-open.org/archives/sarif/message.php/201708/msg00000.html
[18:41] Stefan Hagen: No objections. Charter adopted.
[18:42] Larry Golding: I will share screen
[18:42] Stefan Hagen: Larry walks all through the proposal for the timeline
[18:45] Stefan Hagen: Publicly accessible link to the timeline proposal: https://www.oasis-open.org/committees/download.php/61518/SARIF%20TC%20Timeline.pptx
[18:46] Stefan Hagen: Duncan welcomes the timeline although it seems aggressive
[18:47] Stefan Hagen: Ram asks if the spec as currently formulated will harmonise with existing tools
[18:48] Stefan Hagen: Larry mentions that the current input revision for the spec already fits the tool landscape well.
[18:49] [Microsoft] Michael C. Fanning: Interoperability testing is critical to drive a quality specification
[18:49] Stefan Hagen: Chet informs that TC administration can support technically with the open projects approach and with intro events, and will be happy to do so
[18:51] Stefan Hagen: Larry asks if these intro events will happen in sequence or in parallel to the review calls of the specification publication process?
[18:52] Stefan Hagen: Chet states that this is up to the TC to decide, well within the constraints, of course, that any intro must be based upon some existing shared facts
[18:52] Stefan Hagen: Larry further asks if partial exclusions might be possible, e.g. excluding section so and so, as still in flux?
[18:53] Stefan Hagen: Chet mentions the CTI TC as a prior occurrence of such partial interop events
[18:54] anonymous morphed into Joseph Feiman
[18:54] Paul Anderson: Here's the link I've been looking at: https://rawgit.com/lgolding/sarif-spec/master/Static Analysis Results Interchange Format (SARIF).html
[18:55] [Microsoft] Michael C. Fanning: Link to master is here: https://rawgit.com/sarif-standard/sarif-spec/master/Static%20Analysis%20Results%20Interchange%20Format%20(SARIF).html
[18:55] Stefan Hagen: Ram mentions that this is less process-ruled, but more TC-defined (best) for pulling in most of the industry in intro tests
[18:56] Stefan Hagen: Michael: What will be the working methods? In particular where will the work products reside? If there is an initial draft - where is it? open question: will we address dynamic analysis scenarios?
[18:57] [Microsoft] Ram Jeyaraman: Chet will walk us through the TC process, document folder, etc.
[18:58] Duncan Sparrell: How come I got skipped over in queue? This is Duncan
[18:58] Stefan Hagen: @Duncan: Maybe I removed it, because I mistook it for questions from Michael
[18:59] Stefan Hagen: Above questions were from Duncan not from Michael: What will be the working methods? In particular where will the work products reside? If there is an initial draft - where is it? open question: will we address dynamic analysis scenarios?
[19:01] Chris Wysopal: Unfortunately I need to leave the call early. I would like to note that Joseph Feiman from CA has joined the call.
[19:01] Kevin E. Greene : See you later Chris -
[19:01] [Microsoft] Michael C. Fanning: Discussing applicability of SARIF to dynamic analysis should be an early topic
[19:01] Stefan Hagen: Michael relayed questions from Skype chat, about ability to integrate dynamic analysis (like with buzzers) to put it on the "track"
[19:02] Stefan Hagen: Item call for contributions
[19:02] Stefan Hagen: Chair calls for anyone having a written contribution she wants us to consider
[19:03] Stefan Hagen: Chet shortly informs everyone about the rules and consequences for contributions under the OASIS rules
[19:05] Stefan Hagen: As service URL describing TC process at OASIS and also the terms and meanings at OASIS where specifically defined: https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26
[19:06] Stefan Hagen: Note: Acting Chair is David
[19:07] Stefan Hagen: Larry has the contribution ready and will add this to kavi workspace, and after that talk about what he submitted
[19:08] Stefan Hagen: Ram suggests that Larry use the comment field of the upload form to include the contribution statement
[19:09] Stefan Hagen: The public link is https://www.oasis-open.org/committees/download.php/61525/Static%20Analysis%20Results%20Interchange%20Format%20%28SARIF%29.html
[19:09] Stefan Hagen: Note: Quick Add does bypass any ability to comment during upload
[19:09] [Microsoft] Ram Jeyaraman: Microsoft's contribution (from Larry): https://www.oasis-open.org/apps/org/workgroup/sarif/download.php/61525/Static%20Analysis%20Results%20Interchange%20Format%20(SARIF).html
[19:11] Stefan Hagen: Larry walks all through motivational slides for the contribution
[19:14] Stefan Hagen: All discuss over implications and clarify details to grow a shared understanding
[19:17] Stefan Hagen: Larry states that the proposed format of SARIF is more flexible (not only static ...) than anticipated, but in this TC the focus is currently assumed to be more on the static aspect (in contrast to compositional or dynamic analysis)
[19:18] Stefan Hagen: Michael states that addressing static analysis first is a good start, but maybe along the way we may decide to widen the scope to better serve dynamic or other aspects, as long as this is aligned with our charter.
[19:19] Stefan Hagen: Larry states that both quality and security shall be served by the final spec
[19:20] Kevin E. Greene : Here is a link to the research I've funded around this area -- https://www.sbir.gov/sbirsearch/detail/385995
[19:21] Stefan Hagen: Kevin suggests taking a look at the research
[19:21] Kevin E. Greene : It's called Hybrid Analysis Mapping (HAM)
[19:22] Stefan Hagen: Ibid as official link is noted: https://www.fbo.gov/index?s=opportunity&mode=form&id=08c964597fe81a759b165eb46ba30f78&tab=core&_cview=0
[19:24] Stefan Hagen: Philip asks for links to other projects
[19:25] Stefan Hagen: Larry has no explicit list, but it is embedded in the repo, i.e. the converters
[19:25] Stefan Hagen: Michael shortly names some (outside of microsoft tooling).
[19:25] Stefan Hagen: Larry kindly asks for an action item on him, to contribute such a list to the TC
[19:27] Stefan Hagen: That is the link to the slides shown by Larry which above were noted as "motivational slides"
[19:29] Stefan Hagen: Michael answers question from Paul on how the results management can be addressed best for enabling metadata exchange in the ecosystem
[19:30] Stefan Hagen: Larry suggests he might propose at some time, in any case, not to slow down publication of the format in its current scope, but to try adding the report format related aspects for some time
[19:32] Stefan Hagen: Discussion continues about the number of programming languages and their intermix that will presumably be covered
[19:33] Stefan Hagen: Larry follows up, stating that it is usual to run multiple tools with different strengths inside a single domain (e.g. security or quality)
[19:35] Stefan Hagen: Kevin expects multi-tool integration support, as in the field multiple tools reduce the false positive count and minimise the gaps
[19:36] Stefan Hagen: Joseph asked above w.r.t. cross domain support
[19:37] Stefan Hagen: Larry continues the presentation of the contribution https://www.oasis-open.org/apps/org/workgroup/sarif/download.php/61527/SARIF%20TC%20Contribution%20Overview.pptx
[19:39] Kevin E. Greene : Here is a link to NSA Center for Assured Software (CAS) Tool study -- https://samate.nist.gov/docs/CAS%202012%20Static%20Analysis%20Tool%20Study%20Methodology.pdf
[19:39] Stefan Hagen: @Kevin: Thank you
[19:44] Stefan Hagen: Michael and Larry emphasize that dynamic analysis tool or web scanning tool support is just thought of as an optional bonus, but they do not think that the reports from those tools are not substantially different; thus if there is interest and support from the TC it might be possible
[19:46] Stefan Hagen: David asks if there are any further contributions?
[19:46] Stefan Hagen: Paul comments that he has seen several proposed formats, and in his opinion the one contributed here is far superior.
[19:47] Kevin E. Greene : Here is another link to one of my R&D programs underway now... The goal is to modernize open-source static analysis tools.  I see tremendous synergies with SARIF -- https://www.fbo.gov/utils/view?id=4a1745db09f002f2609e5ada47b8a622
[19:47] Stefan Hagen: David notes that there are no further contributions this time
[19:47] Stefan Hagen: David hands over to Chet for OASIS presentation
[19:49] Stefan Hagen: Chet walks all through the slides https://www.oasis-open.org/committees/download.php/61441/SARIF-09-06-17.pptx
[19:52] Kevin E. Greene : I have to run.. thanks and look forward in contributing and driving adoption... Please feel free to reach out to me if you have any questions.
[19:53] Paul Anderson: Bye Kevin.
[20:03] ChetE: TC Admin JIRA -> https://issues.oasis-open.org/issues/?jql=project%20%3D%20TCADMIN%20AND%20status%20%3D%20Open%20ORDER%20BY%20priority%20DESC
[20:12] Stefan Hagen: Paul asks, if a proxy might be sent if not possible to attend some day
[20:12] Stefan Hagen: Chet states that no
[20:13] [Microsoft] Michael C. Fanning: I move
[20:13] Stefan Hagen: Stefan mentions, that depending on the handling of the TC, and abiding with Robert's rules, one can register online and thus state, that all business conducted is in his sense
[20:13] Stefan Hagen: Motion seconded
[20:14] Stefan Hagen: Fix the time of the next meeting
[20:14] Stefan Hagen: David suggested to meet every other week
[20:15] Paul Anderson: I won't be available either
[20:15] Stefan Hagen: Stefan not available next week
[20:17] Stefan Hagen: Suggested is to meet two weeks from today and half an hour later than today's start
[20:17] Stefan Hagen: Larry moves so
[20:17] Stefan Hagen: Michael seconds
[20:17] Stefan Hagen: No objections. The motion carries
[20:18] Stefan Hagen: Meeting adjourned by chair
[20:18] ChetE: Congratulations everybody!
[20:18] [Co-Chair] David Keaton: Thanks, everyone!
[20:19] [Microsoft] Ram Jeyaraman: Members who gained voting rights at the first meeting:
[20:19] [Microsoft] Ram Jeyaraman: Joseph Feiman, CA Technologies
Chris Wysopal, CA Technologies
Kevin Greene, DHS Office of Cybersecurity and Communications (CS&C)
Paul Anderson, GrammaTech, Inc.
Yekaterina ONeil, Hewlett Packard Enterprise (HPE)
Stefan Hagen, Individual
David Keaton, Individual
Douglas Smith, Kestrel Technology
Michael Fanning, Microsoft
Laurence Golding, Microsoft
Ram Jeyaraman, Microsoft
Larry Hines, Novell
Philip Royer, Phantom
Luke Cartey, Semmle
Duncan Sparrell, sFractal Consulting LLC
Vamshi Basupalli, SWAMP
Jim Kupsch, SWAMP
Mel Llaguno, Synopsys
[20:20] [Microsoft] Ram Jeyaraman: Members who attended but will gain voting rights later:
[20:20] [Microsoft] Ram Jeyaraman: Ken Prole, Code Dx Inc.
[20:20] [Microsoft] Ram Jeyaraman: Observers in attendance:
[20:20] [Microsoft] Ram Jeyaraman: Andrew Browne (Oracle) [Observer]
Vadim Okun (NIST) [Observer]
# End of raw extract ------