Subject: Re: [sarif] First Draft Statement of Relationship to Similar Work


David,

OK, we could apply the characterization that I have originally used for TOIF for both TOIF and SARIF as you suggest. In this case I would like to add one more sentence to better characterize TOIF's objective (see below).

I can promote this write-up with the OMG community. 

Best regards,
Nick

> On Sep 6, 2019, at 2:04 PM, David Keaton <dmk@dmk.com> wrote:
> 
> Nick,
> 
>     Thanks.  This is actually supposed to be a very brief statement that fits into the form for requesting that SARIF be promoted to Candidate OASIS Standard.  It is primarily about SARIF's relationship to other standards.  To illustrate the level of explanation that we are looking for, here is the summary of what SARIF is, which is a separate statement for the same form that we discussed earlier.
> 
> "Static Analysis Results Interchange Format (SARIF) is a standard output format for static analysis tools.  A static analysis tool is a program that examines programming artifacts in order to detect problems, without executing the program.  A standard output format allows results to be combined across runs of the same tool, and across runs of tools from multiple vendors, to get a more complete picture of the aspects of a program that need improvement."
> 
>     To match this level of explanation, and to keep the statement of relationship to similar work brief and more focused on SARIF, I'd like to suggest the following modification.
> 
> "SARIF represents a different strategy for common representation of the results of static analysis.  The Object Management Group's Tool Output Integration Format (TOIF) is an existing standard in this space that is integrated with the OMG's software assurance suite.  TOIF's strategy involves creating adapters from various tools to the reporting format, and as such, it is focused on integrating the diverse input formats into the lowest common denominator representation without having to modify the original tools.

TOIF normalizes the output of static analysis tools so that it can be used as evidence for digital certification of software.
> 
> "By contrast, SARIF aims to support the full capabilities of advanced tools, which generally requires modifying the tools to produce SARIF output natively.
> 
> "Both SARIF and TOIF solve an important problem for the organizations performing software assurance by providing a uniform and vendor-neutral way of deploying and running multiple tools on the same code base, disseminating and interpreting the combined findings, including the reduction in the costs of training developers in how to use multiple tools and, especially, how to interpret the results from each tool."
> 
> 					David
