Subject: Re: [sarif] SARIF writer and SWAMP SCARF to SARIF converter


Jim:

This is great! Thanks for making it available.


For use in the SWAMP (https://www.continuousassurance.com), we created
an open source Perl library to produce SARIF
(https://github.com/mirswamp/swamp-sarif-io). It provides a streaming
interface based on the streaming library used to write a SCARF (SWAMP
Common Assessment Result Format) formatted file.  Although it was
written for use by the SWAMP, it is not specific to the SWAMP.

Someone just asked me if I knew of any open source tools that could produce SARIF, so I pointed him here. His question was about what license is on the code, but I didn't see one. Is there a master SWAMP license that would apply?

We used this library to produce a converter
(https://github.com/mirswamp/swamp-scarf-sarif) from SCARF to SARIF.
Currently the converter produces valid SARIF files from assessment
results of 35 of the tools supported in the SWAMP, and contains all the
data from SCARF and some data from other artifacts produced during
assessments in the SWAMP.

We will soon make available SARIF files containing assessment results
from many package and tool combinations produced by the converter.  We
will also continue to enhance the library with additional functionality
to support more of SARIF starting with additional data that we can
extract from the SWAMP artifacts and raw tool output.

I look forward to seeing these. If possible, I'd like to draw on them to validate our own importer. Again, knowing the license will be important.

Can I ask which version of SARIF you are using? I ask because this is something we're facing ourselves. Until now we've been using committee specification draft 1, but will probably change to use a newer version containing all the changes that the TC have agreed upon once fixes to issues 235 and 240 have been agreed to.

-Paul

--
Paul Anderson, VP of Engineering, GrammaTech, Inc.
531 Esty St., Ithaca, NY 14850
Tel: +1 607 273-7340 x118; http://www.grammatech.com