OASIS Mailing List Archives
sarif message

Subject: Raw chat trace of meeting #3 - 2017-SEP-27


# Agenda for September 27, 2017 MEETING OF OASIS SARIF TC -------------------------------------

## Time
  16:30-18:30 UTC (09:30-11:30 PDT, 12:30-14:30 EDT, 18:30-20:30 CEST)
  (Other timezone? Try eg. https://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=9&day=27&hour=16&min=30&sec=0&p1=47&p2=69&p3=179 )
## Meeting Chat Location
  URL: http://webconf.soaphub.org/conf/room/sarif
## Meeting Audio - Skype for Business meeting link:
  - URL: https://meet.lync.com/microsoft/mikefan/KBJF1STH

1. Opening Activities
  1.1 Opening comments (Co-Chair Keaton)
  1.2 Introduction of participants/roll call (Co-Chair Cartey)
  1.3 Procedures for this meeting (Co-Chair Keaton)
  1.4 Approval of agenda (Co-Chair Keaton)
URL: https://www.oasis-open.org/committees/download.php/61661/agenda_20170927.html
  1.5 Approval of previous minutes [Minutes of 2017-09-20 Meeting#2] (Co-Chair Keaton)
URL: https://www.oasis-open.org/committees/download.php/61655/sarif-minutes-20170920-meeting-2.html
  1.6 Review of action items and resolutions (Secretary Hagen)
  - Stefan to create Doodle poll: 
Status: Done. 
Details: Input contributed by 13 members (cf. derived proposal ref. in 2.1.1 below)
  - Laurence to publish the editor revision transcribed into OASIS workproduct format via kavi
Done. URL: https://www.oasis-open.org/committees/download.php/61618/sarif-v1.0-wd01.docx
  - Editors to transfer issues on github from former sarif to new sarif-tc OASIS repo:
Status: Done. 
Details: URL: https://github.com/oasis-tcs/sarif-spec/issues
  - Michael to combine minutes and his collected notes from previous meeting on 
  principles to produce suggested principles for the next meeting.
  Ref: https://www.oasis-open.org/committees/download.php/61655/sarif-minutes-20170920-meeting-2.html#7.1
Status: Done. 
Details: URL: https://github.com/oasis-tcs/sarif-spec/issues/1
  1.7 Identification of SARIF TC voting members (Co-Chair Cartey)
1.7.1 Prospective members attending their first meeting
1.7.2 Members attaining voting rights at the end of this meeting
1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
1.7.4 Members who previously lost voting rights who are attending this meeting
1.7.5 Members who have declared a leave of absence
2. Future Meetings
  2.1 Discuss future meeting schedule [Doodle poll] (Co-Chair Keaton)
The Doodle poll went out for various teleconference starting times on the dates below. 
The selected time was 09:30-11:30 Pacific (16:30 UTC summer time/17:30 UTC winter time).
Teleconferences (Wednesdays):
October 11
October 25
November 8
November 29
December 13
January 10
Face-to-face meeting (reminder from last meeting):
January 22-23 (tentative)
3. Adopt Driving Principles
  3.1 Discuss what principles will guide the work (Co-Editor Fanning)
Discussion began at the previous meeting. 
A summary of the results is in the SARIF TC's github issue #1 for consideration at this 
meeting. [https://github.com/oasis-tcs/sarif-spec/issues/1]
If a motion is made to adopt the principles as amended, consider the motion.
4. Begin document review (time permitting)
  4.1 Start reviewing the working draft from the beginning, collecting questions and comments (Co-Editor Fanning)
5. Other Business
6. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)
  6.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
  6.2 Review of Decisions Reached (Secretary Hagen)
  6.3 Review of Action Items (Secretary Hagen)
7. Next Meeting
8. Adjournment  
# --------------------------------------------------------------------------

Meeting Member URL:
- URL = https://www.oasis-open.org/apps/org/workgroup/sarif/event.php?event_id=46021
  - Please use starting approx. 15 minutes before the meeting for self registration. Thanks.
  - Self registration deep link (as a service):
- https://www.oasis-open.org/apps/org/workgroup/sarif/record_my_attendance.php?event_id=46021&confirmed=1
[17:10] Stefan Hagen: Note: Updated channel info from revised agenda
[17:50] Stefan Hagen: # Doodle final result link: https://doodle.com/poll/khs54abdxfvmdgpa
[18:32] Stefan Hagen: Voting Members: 7 of 18 (38%) (used for quorum calculation)
[18:34] Stefan Hagen: @AndrewBrowne: Please help me find you on the roster: Member/Observer ... can't find you, sorry
[18:36] Stefan Hagen: Voting Members: 10 of 18 (55%) (used for quorum calculation)
[18:37] Stefan Hagen: 1. Opening Activities
  1.1 Opening comments (Co-Chair Keaton)
  1.2 Introduction of participants/roll call (Co-Chair Cartey)
  1.3 Procedures for this meeting (Co-Chair Keaton)
[18:38] Stefan Hagen: 1.4 Approval of agenda (Co-Chair Keaton)
URL: https://www.oasis-open.org/committees/download.php/61661/agenda_20170927.html
[18:38] Michael C. Fanning: 1. Add help property to a rule
[18:38] Michael C. Fanning: 2. Repository details
[18:38] Michael C. Fanning: 3. Formatting of results
[18:38] Michael C. Fanning: 4. What about the ability of converters to decorate SARIF
[18:38] Michael C. Fanning: 5. Computed fingerprints
[18:39] Stefan Hagen: Target is to amend item 4.1 of published agenda
[18:39] Stefan Hagen: No other amendments proposed
[18:39] Michael C. Fanning: I propose to replace item 4.1 in the agenda with the five specific topics of discussion above
[18:40] Stefan Hagen: Laurence so moves, Michael seconds
[18:41] Stefan Hagen: no discussion, no objection, putting these 5 points in place of item 4.1 of published agenda, motion carries, is amended
[18:41] Stefan Hagen: Larne moves to approve, Michael seconds.
[18:41] Stefan Hagen: No discussion, no objections the agenda is adopted as amended
[18:41] Stefan Hagen: 1.5 Approval of previous minutes [Minutes of 2017-09-20 Meeting#2] (Co-Chair Keaton)
URL: https://www.oasis-open.org/committees/download.php/61655/sarif-minutes-20170920-meeting-2.html
[18:42] Stefan Hagen: Minutes approved unchanged as published
[18:42] Stefan Hagen: 1.6 Review of action items and resolutions (Secretary Hagen)
  - Stefan to create Doodle poll: 
Status: Done. 
Details: Input contributed by 13 members (cf. derived proposal ref. in 2.1.1 below)
  - Laurence to publish the editor revision transcribed into OASIS workproduct format via kavi
Done. URL: https://www.oasis-open.org/committees/download.php/61618/sarif-v1.0-wd01.docx
  - Editors to transfer issues on github from former sarif to new sarif-tc OASIS repo:
Status: Done. 
Details: URL: https://github.com/oasis-tcs/sarif-spec/issues
  - Michael to combine minutes and his collected notes from previous meeting on 
  principles to produce suggested principles for the next meeting.
  Ref: https://www.oasis-open.org/committees/download.php/61655/sarif-minutes-20170920-meeting-2.html#7.1
Status: Done. 
Details: URL: https://github.com/oasis-tcs/sarif-spec/issues/1
[18:44] Michael C. Fanning: https://github.com/oasis-tcs/sarif-spec/pull/45/files
[18:45] Stefan Hagen: Henny and Pooya will win voting rights after this meeting
[18:46] Stefan Hagen: Some will lose voting rights after this meeting (details later)
[18:47] Stefan Hagen: Sunny also gaining voting rights after this meeting
[18:47] Stefan Hagen: 1.7 Identification of SARIF TC voting members (Co-Chair Cartey)
1.7.1 Prospective members attending their first meeting
1.7.2 Members attaining voting rights at the end of this meeting
1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
1.7.4 Members who previously lost voting rights who are attending this meeting
1.7.5 Members who have declared a leave of absence
2. Future Meetings
  2.1 Discuss future meeting schedule [Doodle poll] (Co-Chair Keaton)
The Doodle poll went out for various teleconference starting times on the dates below. 
The selected time was 09:30-11:30 Pacific (16:30 UTC summer time/17:30 UTC winter time).
Teleconferences (Wednesdays):
October 11
October 25
November 8
November 29
December 13
January 10
Face-to-face meeting (reminder from last meeting):
January 22-23 (tentative)
[18:48] Stefan Hagen: David shortly presents the selected meeting times from the doodle poll and the dates listed
[18:48] Stefan Hagen: Stefan moves to adopt these meeting times
[18:48] Stefan Hagen: (for the regular teleconferences)
[18:48] Stefan Hagen: Michael seconds
[18:48] Stefan Hagen: No discussion, no objections, motion carries
[18:49] Stefan Hagen: 3. Adopt Driving Principles
  3.1 Discuss what principles will guide the work (Co-Editor Fanning)
Discussion began at the previous meeting. 
A summary of the results is in the SARIF TC's github issue #1 for consideration at this 
meeting. [https://github.com/oasis-tcs/sarif-spec/issues/1]
If a motion is made to adopt the principles as amended, consider the motion.
[18:51] Stefan Hagen: All look at the latest comment/document inside this issue from Michael (3 items):
[18:51] Stefan Hagen: 1. The primary purpose of SARIF is to enable low cost development of rich functionality (viewers, work item filers, etc.) that operates against a broad range of SARIF producers. A key design principle for all SARIF properties, therefore, is that any proposed data should be clearly useful in a consumption scenario.

As an important but secondary concern, SARIF is designed to allow the output of existing tools to be normalized to a common format. In order to support the ability for consumers to process, display, etc., this information in an appropriate and consistent way, it must be possible to normalize any proposed SARIF data to a common form.

The SARIF format specification should clearly describe the semantic meaning and intended purpose for all properties, to assist producers in populating this data with values that drive effective consumption.
[18:51] Stefan Hagen: (above numbering of items 2. and 3. got lost in the scribe's clipboard, sorry)
[18:55] Stefan Hagen: Laurence: Asks, if not supporting LifeCycle removal of existing properties is planned/intended
[18:57] Stefan Hagen: Michael: No, not intended. He suggests identifying any tipping point so as not to get pulled into divergent topics, but to describe enough to expose sufficient context (finding a balance to allow basics, but focus on the obvious and essential). BaselineId is such a key minimal datum allowing a post-processing tool to continue
[18:59] Stefan Hagen: Paul suggests that item 7 (unknown to the scribe!) should be modified
[19:02] Stefan Hagen: Michael agrees, that there is some loss, not supporting all possible result structures and use cases (like JIRA integration use case mentioned by Paul)
[19:02] Stefan Hagen: @Michael: Scribe is at a loss here, what are the majority of participants looking at while discussing - I see no item 7 for one ...
[19:03] [Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/pull/45/files
[19:03] Stefan Hagen: @David: Thanks
[19:03] Stefan Hagen: Above link is the document all look at - *not* the issue
[19:04] Stefan Hagen: Document as service in here:
[19:04] Stefan Hagen: 1. The primary purpose of SARIF is to enable low cost development of rich functionality (viewers, work item filers, etc.) that operates against a broad range of SARIF producers. A key design principle for all SARIF properties, therefore, is that any proposed data should be clearly useful in a consumption scenario.

2. As an important but secondary concern, SARIF is designed to allow the output of existing tools to be normalized to a common format. In order to support the ability for consumers to process, display, etc., this information in an appropriate and consistent way, it must be possible to normalize any proposed SARIF data to a common form.

3. The SARIF format specification should clearly describe the semantic meaning and intended purpose for all properties, to assist producers in populating this data with values that drive effective consumption.

4. SARIF defines a range of data that shall be expressed in order to best support static analysis tooling. The specification describes a JSON implementation of this standard. It should be possible to define other implementations (such as XML).

5. SARIF is designed for static analysis tools and any concept that generally applies for this scenario shall be considered for the format. SARIF can clearly be used for many dynamic analysis scenarios and we should consider augmenting the format for this class of tooling, but not in cases where what is proposed is applicable to the dynamic analysis domain only.

6. SARIF is domain-agnostic; that is, it does not contain objects or properties that are specific to a single domain, such as security or compliance. However, SARIF might define specific values for properties that are specific to a single domain. For example, the proposed result.taxonomies property might define a dictionary entry whose key invokes a standard classification for memory safety issues only.

7. The SARIF design is focused on expressing results as produced by a tool at a specific point-in-time and currently excludes detailed thinking related to results management (associated result work item, false positive evaluation, etc.). These concepts may be addressed by defining or proposing 'profiles' that broaden SARIF's design surface area, contingent on progress with core work.
[19:05] Stefan Hagen: # ---
[19:08] Stefan Hagen: Laurence suggests shifting perspective from principles of first implementation towards principles of which perspectives to approach in which version of the format (some important topics later, not in version say initial, restricted); he does not want to shut down discussion, but preserve the thrust
[19:10] Stefan Hagen: Michael agrees that this is important to name and think through the most important domains the members contribute (like formerly discussed with Paul); so that we have some thoughts on how to proceed when those domains will be applied (possibly in later versions)
[19:10] Stefan Hagen: David asks if there is other discussion
[19:11] Stefan Hagen: David asks, what is the preferred way of carrying forward with these seven points?
[19:11] Stefan Hagen: I move we follow the seven guiding principles
[19:11] Stefan Hagen: Laurence seconds
[19:12] Stefan Hagen: No discussion, no objections, the motion carries
[19:13] Michael C. Fanning: 1. Add help property to a rule
[19:13] Laurence J. Golding: https://github.com/oasis-tcs/sarif-spec/issues/27
[19:13] Stefan Hagen: We are in the amended 4. Begin document review (time permitting)
[19:15] Stefan Hagen: All discuss the issue 27 - Add help property to a rule
[19:15] Laurence J. Golding: Item #2: https://github.com/oasis-tcs/sarif-spec/issues/14
[19:15] Stefan Hagen: Luke is in favour of the proposal of issue#27
[19:16] Laurence J. Golding: Item #3: https://github.com/oasis-tcs/sarif-spec/issues/33
[19:18] Stefan Hagen: Laurence agrees with Michael, that markdown and html are good formats for this, but of course all need security and dialect guards enabled
[19:19] Laurence J. Golding: Item #5: https://github.com/oasis-tcs/sarif-spec/issues/10
[19:19] Stefan Hagen: Jim agrees with the security concerns of html esp. w.r.t. embedding fragments, and thus advises against it, but agrees with using text and markdown if dialects/flavours are chosen/clear
[19:19] Stefan Hagen: Above Laurence and Michael also suggested text format, but scribe did skip - sorry
[19:21] Stefan Hagen: Laurence asks, if someone is willing to take an action to select a safe and widely used flavour of markdown?
[19:22] Stefan Hagen: Ken suggests maybe github?
[19:22] Laurence J. Golding: https://github.com/github/markup/issues/245
[19:22] Stefan Hagen: Laurence volunteers to investigate
[19:24] Stefan Hagen: 2. item: Issue #14 - Should we allow file identity to be specified by reference to a commit...
[19:24] Stefan Hagen: https://github.com/oasis-tcs/sarif-spec/issues/14
[19:25] Stefan Hagen: Luke asks, if this is file level info?
[19:25] Stefan Hagen: Michael states, maybe yes, but there might be mixed situations
[19:27] Stefan Hagen: All discuss multiplicity/dimension of entries/properties
[19:28] Stefan Hagen: Jim suggests maybe a map of repos including a default?
[19:28] Stefan Hagen: Jim adds, that git can nest repositories, so a structure should be able to map that into our structures
[19:29] Stefan Hagen: Michael agrees that the main intended use case is to fetch the file to be able to overlay results (display association)
[19:31] Stefan Hagen: Jim and Michael come to agreement on how to proceed in this regard
[19:32] Stefan Hagen: Laurence asks, if someone will take an action to actually amend the issue with our findings/results?
[19:32] Stefan Hagen: Michael will take this action item, if not someone else on the call will want to do this?
[19:32] Stefan Hagen: Michael takes this action
[19:34] Stefan Hagen: On to Issue #33 - Should we allow formatting in messages? https://github.com/oasis-tcs/sarif-spec/issues/33
[19:35] Stefan Hagen: Luke mentions, that we may want to add links and then also to make them understandable in the markdown for the consumer
[19:35] Stefan Hagen: Michael agrees entirely
[19:35] Stefan Hagen: Luke and Michael both think in terms of published micro format for this
[19:37] Stefan Hagen: All discuss if there is prior art or proven way to construct such a microformat
[19:40] Stefan Hagen: Luke suggests use cases and round trip navigation experiences enabled by the Semmle products
[19:41] Stefan Hagen: All discuss further details on html element level ...
[19:42] Stefan Hagen: Michael takes the action to compare a couple of embedding strategies for those location info relating also to cross referencing (Paul is in favour)
[19:43] [Co-Chair] David Keaton: Michael's 4. What about the ability of converters to decorate SARIF?
[19:43] Laurence J. Golding: Item #4: https://github.com/oasis-tcs/sarif-spec/issues/15
[19:43] Luke Cartey: Is this the right issue for Item #4: https://github.com/oasis-tcs/sarif-spec/issues/15 ?
[19:44] Stefan Hagen: Issue #15 - Document how converters should provide notifications https://github.com/oasis-tcs/sarif-spec/issues/15
[19:45] Stefan Hagen: Laurence suggests, the IDs themselves encode themselves the source
[19:45] Stefan Hagen: @Laurence/Michael: Please correct above sentence
[19:45] Stefan Hagen: thanks
[19:47] Stefan Hagen: All discuss about the issue - adding historical context
[19:52] Stefan Hagen: Jim suggests adding provenance
[19:53] Stefan Hagen: @Joseph: If this "anonymous" is you, could you please use the top middle "Settings" button to change your name in the display? Thanks
[19:54] Stefan Hagen: @anonymous: If you are not Joseph, could you please change your display name to your member name? Thanks
[19:54] Stefan Hagen: Michael asks if Jim encountered in SWAMP situations where this would have been useful?
[19:55] Stefan Hagen: Jim states that yes! Example: errors during execution; he would like to be able to offer partial results to the customers (who currently complain that there are none)
[19:56] Stefan Hagen: Michael likes this and imagines we can add to this issue
[19:57] Stefan Hagen: Michael thinks that IDs might be enriched with target semantics like number of processors used while encountering some error
[19:58] Stefan Hagen: Now to the last the fingerprint issue
[19:58] Laurence J. Golding: https://github.com/oasis-tcs/sarif-spec/issues/10
[19:58] Stefan Hagen: Issue #10 - Do we want an array of computedFingerprints on result? https://github.com/oasis-tcs/sarif-spec/issues/10
[20:01] Stefan Hagen: Luke informs, that Semmle products do fingerprinting via region matching, and sink only might not suffice
[20:03] Stefan Hagen: All discuss on generalisations of changes based on region addressing
[20:04] Stefan Hagen: Michael thinks that this is an interesting extension of the currently considered model of fingerprint application
[20:05] Stefan Hagen: Michael understands 1) there could be different methods for fingerprinting (the issue) but also 2) also any location contributing to the result might ...
[20:05] Stefan Hagen: Michael asks how the correlations among regions are made in practice?
[20:05] Stefan Hagen: ... in such an array
[20:06] Stefan Hagen: Association of the fingerprint is currently on the result (Laurence)
[20:06] Stefan Hagen: Michael understands the proposal from Luke to put the fingerprint on the location
[20:07] Stefan Hagen: Yekatarina explains the way their products generate the hash/number related to the results (complicated formula) - in the end it is just a number associated per result
[20:10] Stefan Hagen: All continue discussing rigidness vs. flexibility of the fingerprinting that led to the current idea of fingerprints in the SARIF draft
[20:12] Stefan Hagen: Paul reports that their tool does such a fingerprinting-based summary, but he adds that fingerprints are kind of pristine, that is, not changeable, so in some tool error situations a backup data structure might be helpful to provide a plan B provisioning of info in case the first-try fingerprint association fails
[20:13] Stefan Hagen: All continue discussing the issue
[20:17] Stefan Hagen: David reminds of the time
[20:18] Stefan Hagen: Jim agrees that the fingerprint is tool specific, it should relate to the result, it might be useful to have a dictionary as there might be more than one, maybe also suggest a version ordering with rules one could use to base decisions on
[20:18] Stefan Hagen: Michael will add these inputs to the issues
[20:20] Stefan Hagen: All agree that it is not yet clear how exactly we will proceed: offering one or more fingerprints is not decided yet.
[20:21] Stefan Hagen: 4. Begin document review (time permitting)
  4.1 Start reviewing the working draft from the beginning, collecting questions and comments (Co-Editor Fanning)
  SKIPPED
5. Other Business
  NONE
[20:21] Stefan Hagen: 6. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)
  6.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
6.2 Review of Decisions Reached (Secretary Hagen)
  1. agreed meeting times
  2. principles were agreed
[20:21] Stefan Hagen: 6.3 Review of Action Items (Secretary Hagen)
  1. Officers to create the meetings for the agreed meeting times
  2. Michael to accept/merge the pull request https://github.com/oasis-tcs/sarif-spec/pull/45 to expose these principles as agreed
  3. Laurence to investigate which safe and widely used flavour of markdown we might use
  4. Michael to amend the Issue #14 - Should we allow file identity to be specified by reference to a commit... with results from the meeting discussion
  5. Michael takes the action to compare a couple of embedding strategies for those location info relating also to cross referencing
  6. Michael will combine notes he took and the minutes as inputs to integrate them in the issues
[20:22] Stefan Hagen: 7. Next Meeting
[20:22] Stefan Hagen: October 11, 2017 16:30 UTC
[20:23] Stefan Hagen: 8. Adjournment
[20:23] Stefan Hagen: Meeting adjourned by Chair