
Subject: RE: [sarif] RE: your thoughts on DARIF


It seems like we’ve got the nucleus of an interesting moving forward plan.


  1. Invoke the OASIS machinery to expand the charter of this technical committee to include dynamic analysis results/metrics.
  2. As part of this process, remap the ‘S’ in SARIF to ‘Software’ to retain the brand. Bless the new proposed standard as a v3 effort to indicate it is a major revision.
  3. Explore moving forward funding/staffing of the technical committee.


David pointed out offline that convening a moving forward v3 effort might also create more flexibility in bug-fixing the v2 spec along the way (a point I agree with).


I will float this idea around MS a bit.


On a separate note, a different team approached me on producing a standard that attempts to codify a complete data model for end-to-end engineering, including static analysis. Think models to express projects, people, release pipelines, deployment environments, analysis results, etc. etc. and linking them together. For quality, compliance, auditing, chain-of-custody purposes.


Michael

From: Paul Anderson <paul@grammatech.com>
Sent: Friday, July 19, 2019 9:24 AM
To: Larry Golding (Myriad Consulting Inc) <v-lgold@microsoft.com>; Michael Fanning <Michael.Fanning@microsoft.com>; Yekaterina O'Neil <katrina@microfocus.com>; sarif@lists.oasis-open.org
Subject: Re: [sarif] RE: your thoughts on DARIF


All:

We're very interested too. We've had some success with expressing dynamic properties in SARIF already. I would argue that we should work to have one standard that can satisfy both needs. Perhaps the 'S' should stand for just 'Software'. Having said that, someone here is also looking at using it to express properties in HDLs.

To express test coverage results it will be important to express metrics in the format. For example, a commonly used metric is the Test Effectiveness Ratio (TER), which is the percentage of the function that got covered by the test suite. It would be super useful to be able to express that in SARIF. (Some organizations have rules that require TER to be greater than some threshold, and violations of that rule can then be expressed as SARIF results.) Many other dynamic results (e.g., profiling) are also expressed as metrics, so I believe that's the biggest gap in SARIF for dynamic use.

-Paul

On 7/18/2019 6:53 PM, Larry Golding (Myriad Consulting Inc) wrote:

Yes, I would also be very interested in exploring this.


Larry


From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of Michael Fanning
Sent: Thursday, July 18, 2019 3:51 PM
To: Yekaterina O'Neil <katrina@microfocus.com>; sarif@lists.oasis-open.org
Subject: [sarif] RE: your thoughts on DARIF


Microsoft would definitely be interested in exploring this possibility. I was just pinged this week on the possibilities of using SARIF for capturing code coverage results (which are apparently of significant compliance interest for the automotive industry). This would be a good ‘seed’ scenario for a dynamic analysis initiative (along with profiling, web testing, etc.).


Pull us in when you’re ready to talk. I will help connect the conversation with MS teams who are stakeholders in these areas.


https://en.wikipedia.org/wiki/ISO_26262


From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of Yekaterina O'Neil
Sent: Thursday, July 18, 2019 11:16 AM
To: sarif@lists.oasis-open.org
Subject: [sarif] your thoughts on DARIF


Hi all,


As we are hopefully approaching the release of the first version of the SARIF standard, I wanted to bring up the conversation we had earlier about standardizing dynamic results. I was curious who on this list would potentially be interested in pursuing a DARIF some time in the future.


Thanks!

k

-- 
Paul Anderson, VP of Engineering, GrammaTech, Inc.
531 Esty St., Ithaca, NY 14850
Tel: +1 607 273-7340 x118; http://www.grammatech.com 
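Paul's point above, that a TER-threshold violation can be reported as an ordinary SARIF result, worked through as an added example that is not part of this thread or of any SARIF tool: a small Python script computes TER from constructed per-function coverage counts and emits a SARIF 2.1.0 log that flags functions below a policy threshold. The rule id `TER001`, the tool name and the coverage numbers are constructed; the metric values ride in a SARIF property bag because the 2.1.0 spec defines no first-class metric object.

```python
"""Express a Test Effectiveness Ratio (TER) threshold violation as a SARIF 2.1.0 result."""
import json

# Constructed coverage data: function -> (file, start line, covered stmts, total stmts)
COVERAGE = {
    "parse_header": ("src/parser.c", 12, 40, 50),
    "validate_crc": ("src/crc.c", 88, 9, 30),
    "log_event": ("src/log.c", 5, 0, 0),  # edge case: function with no statements
}
RULE_ID = "TER001"  # hypothetical rule id for the policy "TER must reach the threshold"


def ter(covered, total):
    """TER as a percentage; a function with no statements counts as fully covered."""
    return 100.0 if total == 0 else 100.0 * covered / total


def build_sarif(coverage, threshold):
    """SARIF 2.1.0 log with one result per function whose TER is below the threshold.
    Metric values go in a property bag, since SARIF 2.1.0 has no metric object."""
    results = []
    for func, (uri, line, covered, total) in coverage.items():
        value = ter(covered, total)
        if value >= threshold:
            continue
        results.append({
            "ruleId": RULE_ID,
            "level": "error",
            "message": {"text": f"TER for {func} is {value:.1f}%, below the required {threshold}%"},
            "locations": [{
                "physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}},
                "logicalLocations": [{"name": func, "kind": "function"}],
            }],
            "properties": {"metric": "TER", "value": value, "threshold": threshold,
                           "covered": covered, "total": total},
        })
    return {
        "version": "2.1.0",
        "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "ter-check", "rules": [
                {"id": RULE_ID, "shortDescription": {"text": "TER below policy threshold"}}]}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_sarif(COVERAGE, 85.0), indent=2))
```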