Subject: Re: [sarif] SARIF writer and SWAMP SCARF to SARIF converter
Paul,

The license is Apache 2.0 (http://www.apache.org/licenses/LICENSE-2.0). This will be added to the repository shortly.

This produces SARIF that is tracking the latest 2.0 draft standard and validates against the JSON Schema found in the SARIF repository (https://github.com/oasis-tcs/sarif-spec/). At this point it only produces a subset of capabilities needed to translate SCARF to SARIF, with more to come.

Jim

On 09/21/2018 11:35 AM, Paul Anderson wrote:
> Jim:
>
> This is great! Thanks for making it available.
>
>> For use in the SWAMP (https://www.continuousassurance.com), we created
>> an open source Perl library to produce SARIF
>> (https://github.com/mirswamp/swamp-sarif-io). It provides a streaming
>> interface based on the streaming library used to write a SCARF (SWAMP
>> Common Assessment Result Format) formatted file. Although it was
>> written for use by the SWAMP, it is not specific to the SWAMP.
>
> Someone just asked me if I knew of any open source tools that could
> produce SARIF, so I pointed him here. His question was about what
> license is on the code, but I didn't see one. Is there a master SWAMP
> license that would apply?
>
>> We used this library to produce a converter
>> (https://github.com/mirswamp/swamp-scarf-sarif) from SCARF to SARIF.
>> Currently the converter produces valid SARIF files from assessment
>> results of 35 of the tools supported in the SWAMP, and contains all the
>> data from SCARF and some data from other artifacts produced during
>> assessments in the SWAMP.
>>
>> We will soon make available SARIF files containing assessment results
>> from many packages and tools combinations produced by the converter. We
>> will also continue to enhance the library with additional functionality
>> to support more of SARIF starting with additional data that we can
>> extract from the SWAMP artifacts and raw tool output.
>
> I look forward to seeing these. If possible, I'd like to draw on them to
> validate our own importer. Again, knowing the license will be important.
>
> Can I ask which version of SARIF you are using? I ask because this is
> something we're facing ourselves. Until now we've been using committee
> specification draft 1, but will probably change to use a newer version
> containing all the changes that the TC have agreed upon once fixes to
> issues 235 and 240 have been agreed to.
>
> -Paul
>