Subject: Raw chat trace of meeting #2 on 2017-SEP-20


[17:23] Room information was updated by: Stefan Hagen
Please use https://meet.lync.com/microsoft/mikefan/185FPQFS for voice/screenshare and
this here ( http://webconf.soaphub.org/conf/room/sarif ) for persistent chat / minutes input.

Register your attendance at https://www.oasis-open.org/apps/org/workgroup/sarif/event.php?event_id=46016

Agenda draft from https://www.oasis-open.org/committees/download.php/61578/agenda_20170920.html copied below for your convenience:

Agenda for September 20, 2017
MEETING OF OASIS SARIF TC

Time

09:30-11:30 PDT
16:30-18:30 UTC
Meeting Chat Location

http://webconf.soaphub.org/conf/room/sarif
Meeting Audio

A Skype for Business invitation will be sent to the mailing list.
1. Opening Activities

1.1 Opening comments (Co-Chair Keaton)
1.2 Introduction of participants/roll call (Co-Chair Cartey)
1.3 Procedures for this meeting (Co-Chair Keaton)
1.4 Approval of agenda (Co-Chair Keaton)
1.5 Approval of previous minutes [Minutes of 2017-09-06 Meeting#1 (Inaugural)] (Co-Chair Keaton)
1.6 Review of action items and resolutions (Secretary Hagen)
1.7 Identification of SARIF TC voting members (Co-Chair Cartey)
1.7.1 Prospective members attending their first meeting
1.7.2 Members attaining voting rights at the end of this meeting
1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
1.7.4 Members who previously lost voting rights who are attending this meeting
1.7.5 Members who have declared a leave of absence
2. Future Meetings

2.1 Discuss future meeting schedule (Co-Chair Keaton)
The following list is proposed as a starting point. This takes us just over half way into the expected SARIF schedule, and then provides for a face-to-face meeting where the remainder of the work can be planned.
Teleconferences (Wednesdays 09:30 Pacific):
September 27
October 11
October 25
November 8
November 29
December 13
January 10
Face-to-face meeting:
January 22-23 (possibly Phoenix?)
3. Selection of Working Draft

3.1 Acknowledge contributions and review any new contributions (Co-Chair Keaton)
3.2 Vote to select a working draft (Co-Chair Keaton)
Reminder that this is the starting point for further work, not the end point.
3.3 Reminder to read the working draft for discussions beginning at the next meeting (Co-Chair Keaton)
3.4 Procedures for issue tracking and revisions to the working draft (Editor Fanning)
4. Adopt Driving Principles

4.1 Discuss what principles will guide the work (Editor Fanning)
Suggested approach: refine, add to, or subtract from the following list
SARIF is primarily designed to advance the industry by providing the best direct production format possible. Aggregating results from other formats is another important scenario but secondary to direct production.
SARIF defines a range of data that shall be expressed in order to best support static analysis tooling. Our specification describes a JSON implementation of this standard. It should be possible to define other implementations (such as XML).
SARIF is designed for static analysis tools and any concept that generally applies for this scenario shall be considered for the format. SARIF can clearly be used for many dynamic analysis scenarios and we should consider augmenting the format for this class of tooling, but not in cases where what is proposed is applicable to the dynamic analysis domain only (excluding static).
If a motion is made to adopt the principles as amended, consider the motion.
5. Other Business

6. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)

6.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
6.2 Review of Decisions Reached (Secretary Hagen)
6.3 Review of Action Items (Secretary Hagen)
7. Next Meeting

8. Adjournment
[18:20] Stefan Hagen: H4Q::Voting Members: 1 of 19 (5%) (used for quorum calculation)
[18:27] Stefan Hagen: H4Q::Voting Members: 1 of 19 (5%) (used for quorum calculation)
[18:30] Stefan Hagen: H4Q::Voting Members: 6 of 19 (31%) (used for quorum calculation)
[18:31] Stefan Hagen: H4Q::Voting Members: 7 of 19 (36%) (used for quorum calculation)
[18:32] Stefan Hagen: H4Q::Voting Members: 8 of 19 (42%) (used for quorum calculation)
[18:33] Kevin E. Greene: hello everyone
[18:33] Laurence J. Golding: Hello Kevin!
[18:33] Stefan Hagen: H4Q::Voting Members: 9 of 19 (47%) (used for quorum calculation)
[18:33] Mel Llaguno: hello
[18:33] Stefan Hagen: ... one missing for quorum
[18:35] Stefan Hagen: H4Q::Voting Members: 10 of 19 (52%) (used for quorum calculation)
[18:35] Stefan Hagen: H4Q::Voting Members: 11 of 19 (57%) (used for quorum calculation)
[18:36] Stefan Hagen: Meeting called to order by acting chair David
[18:36] Stefan Hagen: 1.1 Opening comments (Co-Chair Keaton)
1.2 Introduction of participants/roll call (Co-Chair Cartey)
[18:39] [Co-Chair] David Keaton: Pooya:  Please join the Skype meeting at https://meet.lync.com/microsoft/mikefan/185FPQFS
[18:40] Kevin E. Greene: I'm present
[18:43] Stefan Hagen: Observing Members: 1 of 8 (12%) 
Contributing Members: 15 of 32 (46%) 
Voting Members: 13 of 19 (68%) (used for quorum calculation)
[18:43] Stefan Hagen: Andrew Brown Observer
[18:43] Stefan Hagen: Vadim Okun Observer
[18:43] Kevin E. Greene: Hello Henny
[18:44] Stefan Hagen: roll call over
[18:44] Stefan Hagen: 1.3 Procedures for this meeting (Co-Chair Keaton)
[18:45] Stefan Hagen: 1.4 Approval of agenda (Co-Chair Keaton)
[18:45] Stefan Hagen: https://www.oasis-open.org/committees/download.php/61578/agenda_20170920.html
[18:45] Stefan Hagen: Michael Fanning moves to approve the agenda
[18:45] Stefan Hagen: Laurence Golding seconds
[18:45] Stefan Hagen: no discussion, no objection, agenda approved unchanged as published
[18:46] Stefan Hagen: 1.5 Approval of previous minutes [Minutes of 2017-09-06 Meeting#1 (Inaugural)] (Co-Chair Keaton)
[18:46] Stefan Hagen: Minutes approved unchanged as published
[18:46] Stefan Hagen: 1.6 Review of action items and resolutions (Secretary Hagen)
[18:48] Stefan Hagen: Laurence Golding sent the list of the already present converters to the mailing list shortly before the meeting to respond to the action on him
[18:48] Stefan Hagen: Nothing else
[18:48] Stefan Hagen: 1.7 Identification of SARIF TC voting members (Co-Chair Cartey)
[18:49] Stefan Hagen: Andrew Pardoe and Pooya Mehregan are identified as prospective new members after the next meeting if they attend
[18:49] Stefan Hagen: 1.7.2 Members attaining voting rights at the end of this meeting
1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
1.7.4 Members who previously lost voting rights who are attending this meeting
1.7.5 Members who have declared a leave of absence
2. Future Meetings

2.1 Discuss future meeting schedule (Co-Chair Keaton)
The following list is proposed as a starting point. This takes us just over half way into the expected SARIF schedule, and then provides for a face-to-face meeting where the remainder of the work can be planned.
Teleconferences (Wednesdays 09:30 Pacific):
September 27
October 11
October 25
November 8
November 29
December 13
January 10
Face-to-face meeting:
January 22-23 (possibly Phoenix?)
[18:50] Stefan Hagen: Laurence and Yekaterina in speaker queue
[18:50] Stefan Hagen: Laurence moves to approve the list of meetings
[18:50] Stefan Hagen: Kevin Greene seconds
[18:50] Stefan Hagen: Laurence Golding asks if it is possibly Phoenix or definitively?
[18:52] Stefan Hagen: David Keaton clarifies, the motion fixes only the list and the idea of a face-to-face, not yet who will pay for the venue etc.
[18:52] Stefan Hagen: Yekaterina asks if a shift to a different weekday than Wednesday would be ok
[18:52] Stefan Hagen: all discuss
[18:53] Stefan Hagen: Some mention that Fridays would be better
[18:54] Stefan Hagen: Yekaterina could be available on Wednesdays in part only
[18:55] Stefan Hagen: Some suggest meeting earlier on Wednesdays to accommodate
[18:55] Stefan Hagen: Suggested currently possibly 08:30 PDT (15:30 UTC)
[18:56] Stefan Hagen: Stefan suggests a doodle for the long term and next week as a compromise
[18:57] Stefan Hagen: Stefan moves to amend in that sense
[18:57] Stefan Hagen: no debate
[18:57] Stefan Hagen: no objection to meet one week from today same time and have a doodle poll for remaining times
[18:58] Stefan Hagen: two members signal problems joining next week
[18:58] Stefan Hagen: David asks if October 11 would be an option? Yekaterina still has an issue
[18:59] Stefan Hagen: Yekaterina could join if meeting one hour earlier
[18:59] Stefan Hagen: David asks if one hour earlier next week would work
[18:59] Stefan Hagen: Two members have problems with next week (still)
[19:00] Stefan Hagen: Yekaterina possibly not present next week then.
[19:00] Stefan Hagen: David suggests to continue with the motion to amend: a doodle for the long term and next week as a compromise
[19:00] Stefan Hagen: no objections we will meet September 27 at the same time
[19:01] Stefan Hagen: A doodle poll for the remaining meetings will be set up after the meeting
[19:01] Stefan Hagen: Motion as amended is to meet next week at the same time
[19:01] Stefan Hagen: no objections the motion carries
[19:01] Stefan Hagen: 3. Selection of Working Draft
[19:02] Stefan Hagen: 3.1 Acknowledge contributions and review any new contributions (Co-Chair Keaton)
[19:02] Stefan Hagen: Michael Fanning moves to choose the contribution from Microsoft (the single one) to accept as first working draft. Laurence Golding seconds
[19:03] Stefan Hagen: no objections, unanimous consent, the contribution has been approved as first working draft candidate
[19:03] Stefan Hagen: 3.2 Vote to select a working draft (Co-Chair Keaton)
Reminder that this is the starting point for further work, not the end point.
3.3 Reminder to read the working draft for discussions beginning at the next meeting (Co-Chair Keaton)
[19:04] Stefan Hagen: Laurence has transcribed the HTML input into the provided working product format from OASIS which he will subsequently post to the kavi
[19:04] Stefan Hagen: 3.4 Procedures for issue tracking and revisions to the working draft (Editor Fanning)
[19:04] anonymous morphed into Sunny Chatterjee
[19:05] Stefan Hagen: Michael Fanning shares his screen and walks all through the proposed workflow and thanks the OASIS administration for the timely provisioning of a GitHub-hosted TC repository
[19:06] Stefan Hagen: @Michael: Please provide the document shown in kavi as calendar document so we can link to it in the minutes. Thanks
[19:09] Robin Cover (OASIS): Issues now: https://github.com/sarif-standard/sarif-spec/issues
[19:10] Stefan Hagen: @Robin: Thanks!
[19:10] Stefan Hagen: New target repo is: https://github.com/oasis-tcs/sarif-spec
[19:11] Stefan Hagen: 4. Adopt Driving Principles

4.1 Discuss what principles will guide the work (Editor Fanning)
Suggested approach: refine, add to, or subtract from the following list
SARIF is primarily designed to advance the industry by providing the best direct production format possible. Aggregating results from other formats is another important scenario but secondary to direct production.
SARIF defines a range of data that shall be expressed in order to best support static analysis tooling. Our specification describes a JSON implementation of this standard. It should be possible to define other implementations (such as XML).
SARIF is designed for static analysis tools and any concept that generally applies for this scenario shall be considered for the format. SARIF can clearly be used for many dynamic analysis scenarios and we should consider augmenting the format for this class of tooling, but not in cases where what is proposed is applicable to the dynamic analysis domain only (excluding static).
If a motion is made to adopt the principles as amended, consider the motion.
[19:15] Stefan Hagen: Laurence Golding walks through the suggested principles (listed above)
[19:18] Stefan Hagen: Henny Sipma suggests that one could add more positive ("safe") results as a type, which could contradict the results of other heuristic tools but could assist in triaging in case of conflict
[19:19] Stefan Hagen: Laurence Golding thinks this is an interesting and welcome suggestion.
[19:21] Stefan Hagen: Sorry, still new to the group's voice characteristics: Michael Fanning walked all through and discussed with Henny.
[19:22] Stefan Hagen: Laurence discusses details on positive results as observations
[19:23] Stefan Hagen: Michael continues listing the present means of the SARIF draft to contain and purport characterizations
[19:23] Stefan Hagen: Laurence adds that the target architecture, e.g. where the rule was not tested against in some run, could not be purported; issues to track this will be added
[19:24] Stefan Hagen: Jim Kupsch adds that metrics and other info might need structure added?
[19:24] Stefan Hagen: Michael seconds that as a good thing to discuss
[19:26] Kevin E. Greene: metrics are hard to produce
[19:29] Stefan Hagen: All discuss pro and con of introduction of new top level objects (complexity vs. clients needing to grab too much in property bags)
[19:29] Stefan Hagen: Jim Kupsch suggests supporting more than just CWE taxonomies, maybe a generalisation to apply additional labelling to some weakness
[19:30] Stefan Hagen: Kevin agrees with Jim
[19:32] Stefan Hagen: Laurence Golding proposes another principle. In the past he was opposed to CWE because of its not being domain agnostic, but generalising CWE (idea from Jim Kupsch) could be a very good way to go
[19:34] Stefan Hagen: Luke suggests offering, in any case, a consistent way of storage inside SARIF, so we do not end up with the same kind of info added in two different ways
[19:34] Stefan Hagen: Luke also talks on optional features in SARIF
[19:34] Stefan Hagen: Luke asks if groupings as sets of optional features have been considered?
[19:35] Stefan Hagen: Laurence states that this has been considered; it was in an annex that was removed some time ago. He thinks of profiles as the way to resolve this
[19:37] Stefan Hagen: Michael suggests to put this also on the list for discussion
[19:38] Stefan Hagen: Yekaterina suggests generalising in any case; people use different taxonomies and the mappings among them may be off topic for the format
[19:38] Kevin E. Greene: I think it's important to consider the targeted users... and what features/functionality may most resonate with them
[19:39] Stefan Hagen: Michael Fanning wraps up the multiple CWE suggestions weighed against parsing complexity issues
[19:40] Stefan Hagen: Henny likes the idea of generalising the taxonomies considered; based on the C standard, Kestrel already has such a taxonomy in use
[19:42] Stefan Hagen: Michael Fanning thinks this is doable, and adds that it is important that for any introduced "placeholder" there must be a concise notion (so this does not blur the semantics, thus no ambivalence about where to store what is introduced)
[19:43] Stefan Hagen: Michael: Sample: Memory Safety Taxonomy
[19:45] Stefan Hagen: Jim Kupsch thinks it would be nice if we could represent CWE, Memory Safety Taxonomies, etc. inside SARIF so no one needs to repeat them in full and provide them in parallel
[19:46] Stefan Hagen: Laurence Golding likes the generalised taxonomy idea, along with providing explicit support for well-known ones. He still offers that the format should be domain agnostic
[19:47] Kevin E. Greene: I agree with Laurence
[19:49] Stefan Hagen: Time-check (invitation set to 90 minutes, but call planned for 120)
[19:52] Stefan Hagen: Henny suggests we clarify what it means when we agree on some taxonomy representation in SARIF: if semantics are included or if we only provide a stiff container without semantics
[19:52] Stefan Hagen: Laurence and Michael are in favour of including the semantics applicable, so meaning should always be associated in some way
[19:54] Stefan Hagen: Michael Fanning mentions the many possible rankings and proposes as a driving principle to minimise any ranking display/storage so as to reduce the noise and focus on the core facts (that do not change too much)
[19:56] Stefan Hagen: Laurence moves to postpone decision to a later meeting
[19:57] Stefan Hagen: Michael Fanning has collected notes and will combine with the minutes to produce suggested principles for the next meeting
[19:58] Stefan Hagen: 5. Other Business

6. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)

6.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
6.2 Review of Decisions Reached (Secretary Hagen)
6.3 Review of Action Items (Secretary Hagen)
[19:59] Stefan Hagen: Next meeting September 27
[19:59] Stefan Hagen: Meeting adjourned

# --- participation info:
Company                Name                Role
GrammaTech, Inc.       Paul Anderson       Voting Member
SWAMP                  Vamshi Basupalli    Voting Member
---                    Browne, Andrew      Guest
Semmle                 Luke Cartey         Chair
Microsoft              Sunny Chatterjee    Member
OASIS                  Robin Cover         OASIS Staff Contact
Microsoft              Michael Fanning     Voting Member
Individual             Laurence Golding    Voting Member
DHS Office of Cy...    Kevin Greene        Voting Member
Individual             Stefan Hagen        Secretary
Novell                 Larry Hines         Voting Member
Individual             David Keaton        Chair
SWAMP                  Jim Kupsch          Voting Member
Synopsys               Mel Llaguno         Voting Member
Security Compass       Pooya Mehregan      Member
NIST                   Vadim Okun          Observer
Hewlett Packard ...    YEKATERINA ONEIL    Voting Member
Microsoft              Andrew Pardoe       Voting Member
Kestrel Technology     Henny Sipma         Member
Kestrel Technology     Douglas Smith       Voting Member

# --- Meeting Statistics:
Quorum rule                  51% of voting members
Achieved quorum              yes
Individual Attendance
    Guest Attendees:             1
    Observing Members:           1 of 8 (12%)
    Contributing Members:       18 of 32 (56%)
    Voting Members:             14 of 19 (73%) (used for quorum calculation)

Company Attendance
    Observing Companies:         1 of 4 (25%)
    Contributing Companies:     12 of 20 (60%)
    Voting Companies:           10 of 13 (76%)