OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

sarif message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [sarif] SARIF writer and SWAMP SCARF to SARIF converter

Paul,

The license is Apache 2.0 (http://www.apache.org/licenses/LICENSE-2.0). 
This will added to the repository shortly.

This produces SARIF that is tracking the latest 2.0 draft standard and 
validates against the JSON Schema found in the SARIF repository 
(https://github.com/oasis-tcs/sarif-spec/).  At this point it only 
produces a subset of capabilities needed to translate SCARF to SARIF, 
with more to come.

Jim



On 09/21/2018 11:35 AM, Paul Anderson wrote:
> Jim:
> 
> This is great! Thanks for making it available.
> 
> 
>> For use in the SWAMP (https://www.continuousassurance.com), we created
>> an open source Perl library to produce SARIF
>> (https://github.com/mirswamp/swamp-sarif-io). It provides a streaming
>> interface based on the streaming library used to write a SCARF (SWAMP
>> Common Assessment Result Format) formatted file. Although it was
>> written for for use by the SWAMP, it not specific to the SWAMP.
> Someone just asked me if I knew of any open source tools that could 
> produce SARIF, so I pointed him here. His question was about what 
> license is on the code, but I didn't see one. Is there a master SWAMP 
> license that would apply?
>> We used this library to produce a converter
>> (https://github.com/mirswamp/swamp-scarf-sarif) from SCARF to SARIF.
>> Currently the converter produces valid SARIF files from assessment
>> results of 35 of the tools supported in the SWAMP, and contains all the
>> data from SCARF and some data from other artifacts produced during
>> assessments in the SWAMP.
>>
>> We will soon make available SARIF files containing assessment results
>> from many packages and tools combinations produced by the converter. We
>> will also continue to enhance the library with additional functionality
>> to support more of SARIF starting with additional data that we can
>> extract from the SWAMP artifacts and raw tool output.
> I look forward to seeing these. If possible, I'd like to draw on them to 
> validate our own importer. Again, knowing the license will be important.
> 
> Can I ask which version of SARIF you are using? I ask because this is 
> something we're facing ourselves. Until now we've been using committee 
> specification draft 1, but will probably change to use a newer version 
> containing all the changes that the TC have agreed upon once fixes to 
> issues 235 and 240 have been agreed to.
> 
> -Paul
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]