Subject: RE: [sarif] First Draft Statement of Relationship to Similar Work


Responding to your comment of 2019-09-06 14:20, "... SARIF provides access to features that often can't be gleaned by converters": generally, the things a converter doesn't know aren't related to the feature-richness of the tool's output format. They are more bookkeeping details, like:

- Was the file system on which the tool was run case-sensitive?
- Is the tool's 3-component version number actually a semantic version?
- Can I safely remove a '..' segment from a URL, or is there a symbolic link in play?
- Is the file in which the tool detected a result also the file that the tool was instructed to scan (the "analysis target")?

Responding to your follow-up comment, "... the human-readable output of tools, [misses] a lot of the internals that can help characterize a run":

I agree that if a tool vendor decides to produce SARIF natively, they have the opportunity to populate more information than their native output format provides. And I suppose you could argue that since TOIF aspires to be a least-common-denominator interchange format, it is less likely that a tool vendor who decided to emit TOIF natively would all of a sudden discover opportunities to provide richer output. Is that the point you're making?

At this point, having made my contribution, which was just to remind you that "converters are a thing", I'm fine with changing "generally" to "often" and calling it a day.

Larry
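An added illustration of the third bullet above (this is example code, not part of the message or of the SARIF specification): a converter that sees only a tool's text output can strip a '..' segment lexically, but when a symbolic link sits in the path the file system resolves the same string to a different file. The directory layout is constructed for the example.

```python
import os
import posixpath
import shutil
import tempfile


def lexical_normalize(path: str) -> str:
    # What a converter working only from the tool's text output can do:
    # collapse 'x/..' purely textually, never touching the file system.
    return posixpath.normpath(path)


def filesystem_resolve(path: str) -> str:
    # What a producer running on the analysis machine can do: follow
    # symlinks before applying '..', as the kernel would on open().
    return os.path.realpath(path)


def build_fixture() -> str:
    # Constructed layout (an assumption for this example):
    #   root/src/util.c        contains "src"
    #   root/vendor/util.c     contains "vendor"
    #   root/src/lib -> root/vendor/pkg   (symbolic link)
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "src"))
    os.makedirs(os.path.join(root, "vendor", "pkg"))
    with open(os.path.join(root, "src", "util.c"), "w") as f:
        f.write("src\n")
    with open(os.path.join(root, "vendor", "util.c"), "w") as f:
        f.write("vendor\n")
    os.symlink(os.path.join(root, "vendor", "pkg"),
               os.path.join(root, "src", "lib"))
    return root


def compare_dotdot_handling() -> dict:
    # The tool reports a result in root/src/lib/../util.c. Which file is it?
    root = build_fixture()
    try:
        reported = posixpath.join(root, "src", "lib", "..", "util.c")
        lexical = lexical_normalize(reported)    # -> root/src/util.c
        resolved = filesystem_resolve(reported)  # -> root/vendor/util.c
        with open(lexical) as f:
            lexical_content = f.read().strip()
        with open(resolved) as f:
            resolved_content = f.read().strip()
        return {"lexical": lexical, "resolved": resolved,
                "lexical_content": lexical_content,
                "resolved_content": resolved_content}
    finally:
        shutil.rmtree(root)
```

The two normalisations point at different files with different contents, which is exactly the bookkeeping detail a converter cannot recover after the fact.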

-----Original Message-----
From: David Keaton <dmk@dmk.com> 
Sent: Friday, September 6, 2019 1:27 PM
To: Larry Golding (Myriad Consulting Inc) <v-lgold@microsoft.com>; Nick Mansourov <nick@kdmanalytics.com>
Cc: sarif@lists.oasis-open.org
Subject: Re: [sarif] First Draft Statement of Relationship to Similar Work

Larry,

      The other thing to remember is that before SARIF, most conversion strategies operated on the human-readable output of tools, which missed a lot of the internals that can help characterize a run.

David

On 2019-09-06 14:20, David Keaton wrote:
> Larry,
> 
> Maybe we could change "generally" to "often." The point is that 
> SARIF provides access to features that often can't be gleaned by 
> converters, in contrast to TOIF's lowest common denominator approach.
> 
> David
> 
> On 2019-09-06 14:14, Larry Golding (Myriad Consulting Inc) wrote:
>> My only comment is about this, referring to SARIF: "... which 
>> generally requires modifying the tools to produce SARIF output natively".
>>
>> The spec describes "converters" as well as "direct producers" -- that 
>> is, converters are definitely a "thing" in SARIF -- so I suggest: "...
>> which generally requires either modifying the tools to produce SARIF 
>> output natively, or writing a converter from the tool's output 
>> format to SARIF."
>>
>> But once you say that -- isn't the same true of TOIF? If you want 
>> TOIF, you either have to modify your tool to produce it, or (as TOIF 
>> apparently prefers) write a converter.
>>
>> Larry
>>
>>
>> -----Original Message-----
>> From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On 
>> Behalf Of David Keaton
>> Sent: Friday, September 6, 2019 12:10 PM
>> To: Nick Mansourov <nick@kdmanalytics.com>
>> Cc: sarif@lists.oasis-open.org
>> Subject: Re: [sarif] First Draft Statement of Relationship to Similar 
>> Work
>>
>> Nick,
>>
>>  Thanks. How about one small change to keep the two strategies 
>> together so that the "By contrast . . ." still makes the most sense.
>>
>> "SARIF represents a different strategy for common representation of 
>> the results of static analysis. The Object Management Group's Tool 
>> Output Integration Format (TOIF) is an existing standard in this 
>> space that is integrated with the OMG's software assurance suite. 
>> TOIF normalizes the output of static analysis tools so that it can be 
>> used as evidence for digital certification of software.
>>
>> "TOIF's strategy involves creating adapters from various tools to the 
>> reporting format, and as such, it is focused on integrating the 
>> diverse input formats into the lowest common denominator 
>> representation without having to modify the original tools. By 
>> contrast, SARIF aims to support the full capabilities of advanced 
>> tools, which generally requires modifying the tools to produce SARIF 
>> output natively.
>>
>> "Both SARIF and TOIF solve an important problem for the organizations 
>> performing software assurance by providing a uniform and 
>> vendor-neutral way of deploying and running multiple tools on the 
>> same code base, disseminating and interpreting the combined findings, 
>> including the reduction in the costs of training developers in how to 
>> use multiple tools and, especially, how to interpret the results from 
>> each tool."
>>
>> David
>>


