
sarif message


Subject: RE: [sarif] First Draft Statement of Relationship to Similar Work

My only comment is about this, referring to SARIF: "... which generally requires modifying the tools to produce SARIF output natively".

The spec describes "converters" as well as "direct producers" -- that is, converters are definitely a "thing" in SARIF -- so I suggest: "... which generally requires either modifying the tools to produce SARIF output natively, or writing a converter from the tool's output format to SARIF."

But once you say that -- isn't the same true of TOIF? If you want TOIF, you either have to modify your tool to produce it, or (as TOIF apparently prefers) write a converter.


-----Original Message-----
From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of David Keaton
Sent: Friday, September 6, 2019 12:10 PM
To: Nick Mansourov <nick@kdmanalytics.com>
Cc: sarif@lists.oasis-open.org
Subject: Re: [sarif] First Draft Statement of Relationship to Similar Work


Thanks.  How about one small change to keep the two strategies together so that the "By contrast . . ." still makes the most sense.

"SARIF represents a different strategy for common representation of the results of static analysis.  The Object Management Group's Tool Output Integration Format (TOIF) is an existing standard in this space that is integrated with the OMG's software assurance suite.  TOIF normalizes the output of static analysis tools so that it can be used as evidence for digital certification of software.

"TOIF's strategy involves creating adapters from various tools to the reporting format, and as such, it is focused on integrating the diverse input formats into the lowest common denominator representation without having to modify the original tools.  By contrast, SARIF aims to support the full capabilities of advanced tools, which generally requires modifying the tools to produce SARIF output natively.

"Both SARIF and TOIF solve an important problem for the organizations performing software assurance by providing a uniform and vendor-neutral way of deploying and running multiple tools on the same code base, disseminating and interpreting the combined findings, including the reduction in the costs of training developers in how to use multiple tools and, especially, how to interpret the results from each tool."
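The reply above distinguishes SARIF "direct producers" (tools modified to emit SARIF themselves) from "converters" (separate programs that translate a tool's existing output into SARIF). The following is an added illustration of the converter route, not code from this thread, the SARIF TC, or any real tool: it assumes a hypothetical analyzer called "examplelint" whose output uses a constructed "file:line:col: severity: message [rule]" layout, and maps that onto the SARIF 2.1.0 `runs`/`tool`/`results` structure.

```python
import json
import re

# Constructed sample output from a hypothetical analyzer ("examplelint").
# The "file:line:col: severity: message [rule]" layout is an assumption for
# this example, not the output format of any real tool.
SAMPLE_OUTPUT = """\
src/auth.c:42:7: error: buffer 'name' may overflow [EX001]
src/auth.c:88:3: warning: return value of 'fgets' ignored [EX002]
src/util.c:10:1: note: unused include <stdio.h> [EX003]
"""

LINE_RE = re.compile(
    r"^(?P<path>[^:]+):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<severity>error|warning|note): (?P<message>.*?) \[(?P<rule>[A-Z0-9]+)\]$"
)

# Map the hypothetical tool's severities onto SARIF result levels.
LEVELS = {"error": "error", "warning": "warning", "note": "note"}


def parse_line(line):
    """Parse one diagnostic line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m.group("path"),
        "line": int(m.group("line")),
        "column": int(m.group("col")),
        "level": LEVELS[m.group("severity")],
        "message": m.group("message"),
        "ruleId": m.group("rule"),
    }


def to_sarif(tool_output, tool_name="examplelint"):
    """Convert raw tool output into a SARIF 2.1.0 log, returned as a dict."""
    diagnostics = [d for d in (parse_line(raw) for raw in tool_output.splitlines()) if d]
    # SARIF lists each rule once under tool.driver.rules; results refer back by index.
    rule_ids = sorted({d["ruleId"] for d in diagnostics})
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "rules": [{"id": r} for r in rule_ids],
            }},
            "results": [{
                "ruleId": d["ruleId"],
                "ruleIndex": rule_ids.index(d["ruleId"]),
                "level": d["level"],
                "message": {"text": d["message"]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": d["path"]},
                    "region": {"startLine": d["line"], "startColumn": d["column"]},
                }}],
            } for d in diagnostics],
        }],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_OUTPUT), indent=2))
```

The converter keeps only what the source format actually carries (rule id, level, message, a single physical location); a direct producer built into the tool could additionally emit code flows, fixes, or rule metadata that never reach the text output, which is the capability gap the draft statement alludes to.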


