Subject: RE: Default lookup for helper rules
So, all of Fortify rules come as plugins, if I understand what a plugin is in the spec correctly. Basically, all of Fortify rules come in the form of various XML files that contain rules. These files (we call them rulepacks) are separate from the analysis engine (you won't get any results if you run the engine without supplying the rulepacks). We do distinguish between default rules (those supplied by Fortify) and custom rules (those written by customers), but their format and pretty much everything else (except for perhaps the fact that default rules are encrypted and custom rules are not) is the same. Does this answer your questions?

k

From: sarif@lists.oasis-open.org [mailto:sarif@lists.oasis-open.org] On Behalf Of Larry Golding (Myriad Consulting Inc)

I agree. The draft will stand as written: no special case for reportingDescriptorReferences that occur in threadFlowLocation.taxa (the helper rules). If reportingDescriptorReference.toolComponent is absent, it will default to the driver, as for all other reportingDescriptorReferences.

Thanks,
Larry

From: Michael Fanning <Michael.Fanning@microsoft.com>

It would be cleaner to simply have the same defaulting semantics in this case, in my opinion. We have recently worked through a round of last minute clean-up in the spec related to non-obvious differences in default behaviors.

Michael

From: Larry Golding (Myriad Consulting Inc) <v-lgold@microsoft.com>

Hello Yekaterina,

In the description comment for Issue #381, Michael wrote this:

> Add threadFlowLocation.taxa, an array of reportingDescriptorReferences, the default location of which (in case where only the RDR index is provided) is the relevant tool component rules data.

Here's what he meant: A reportingDescriptorReference object (say, one that points to an analysis rule) can contain a property named toolComponent which identifies the tool component that defined the rule. The spec says that if reportingDescriptorReference.toolComponent is missing, you look up the tool in the "driver" tool component. This is a sensible "happy path" optimization: most rules are defined in drivers rather than plugins; many tools don't even have a plugin model.

But Michael reasoned that helper rules are probably defined in the same tool component that defined the analysis rule, so he felt that this was a better default for those reportingDescriptorReference objects that occur in threadFlowLocations.taxa. He might be right, but I wanted to confirm with you. Because it occurred to me that, if Fortify has a plugin model, your driver might define all the helper rules, as part of your engine. And perhaps plugins can define new analysis rules but not new helper rules. If that were true, then the usual default for looking up a reporting descriptor from a reference would still make sense: look in the driver by default.

So my questions are:

Thanks!
Larry
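A small resolver that applies the defaulting rule settled in this thread, as an added example that is not code from the thread, the SARIF spec or any tool: a reportingDescriptorReference without toolComponent is looked up in run.tool.driver, whether it appears in result.rule or in threadFlowLocation.taxa, while one carrying toolComponent.index or toolComponent.name is looked up in the matching entry of run.tool.extensions. The run, rule ids and the function name are constructed for the example.

```python
# Constructed SARIF 2.1.0-shaped run: the driver defines an analysis rule and a
# helper rule; one extension (a plugin / rulepack) defines a rule of its own.
RUN = {
    "tool": {
        "driver": {
            "name": "ExampleEngine",
            "rules": [
                {"id": "SQLI-001", "name": "SqlInjection"},
                {"id": "HELPER-TAINT-SOURCE", "name": "TaintSource"},
            ],
        },
        "extensions": [
            {"name": "CustomRulepack",
             "rules": [{"id": "CUSTOM-007", "name": "CustomRule"}]},
        ],
    }
}


def resolve_reporting_descriptor(run: dict, ref: dict) -> dict:
    """Return the reportingDescriptor that a reportingDescriptorReference
    points to.  Absent toolComponent means the driver, with no special case
    for references sitting in threadFlowLocation.taxa.  Only the 'index' and
    'name' forms of toolComponentReference and the 'index' and 'id' forms of
    the reference itself are handled here (guid lookups are omitted)."""
    tool = run["tool"]
    tc_ref = ref.get("toolComponent")
    if tc_ref is None:
        component = tool["driver"]                      # the agreed default
    elif "index" in tc_ref:
        component = tool["extensions"][tc_ref["index"]]
    elif "name" in tc_ref:
        candidates = [tool["driver"]] + tool.get("extensions", [])
        matches = [c for c in candidates if c.get("name") == tc_ref["name"]]
        if len(matches) != 1:
            raise LookupError(f"tool component {tc_ref['name']!r} not unique")
        component = matches[0]
    else:
        raise ValueError("toolComponentReference needs 'index' or 'name'")

    rules = component.get("rules", [])
    if "index" in ref:
        return rules[ref["index"]]
    if "id" in ref:
        matches = [r for r in rules if r["id"] == ref["id"]]
        if len(matches) != 1:
            raise LookupError(f"rule {ref['id']!r} not found in component")
        return matches[0]
    raise ValueError("reportingDescriptorReference needs 'index' or 'id'")
```

Note that a helper-rule reference such as `{"index": 1}` in taxa resolves to the driver's rule even when the enclosing result's rule came from an extension; a producer that defines helper rules in a plugin must say so with an explicit toolComponent.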