
sarif message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Second draft of Candidate OASIS Standard statements

To sum up what we have developed, here are the statements we have for our application for Candidate OASIS Standard status. The purpose is to explain to OASIS members why they should vote to make SARIF an OASIS Standard. Thanks for all the helpful input. (I was just finishing this up when Nick's consolidation came through. Nick's version is missing the change from "generally" to "often," but otherwise the two versions of the second statement are identical.)

Required element:  Clear English-language summary of the specification

"Static Analysis Results Interchange Format (SARIF) is a standard output format for static analysis tools. A static analysis tool is a program that examines programming artifacts in order to detect problems, without executing the program. A standard output format allows results to be combined across runs of the same tool, and across runs of tools from multiple vendors, to get a more complete picture of the aspects of a program that need improvement."

Required element:  Relationship of this specification to similar work

"SARIF represents a different strategy for common representation of the results of static analysis. The Object Management Group's Tool Output Integration Format (TOIF) is an existing standard in this space that is integrated with the OMG's software assurance suite. TOIF normalizes and integrates the output of static analysis tools and other artifacts as evidence for software assurance.

"TOIF's strategy involves creating adapters from various tools to the reporting format, and as such, it is focused on integrating the diverse formats into the lowest common denominator representation without having to modify the original tools. By contrast, SARIF aims to support the full capabilities of advanced tools, which often requires modifying the tools to produce SARIF output natively.

"Both SARIF and TOIF solve an important problem for the organizations performing software assurance by providing a uniform and vendor-neutral way of deploying and running multiple tools on the same code base, disseminating and interpreting the combined findings, including the reduction in the costs of training developers in how to use multiple tools and, especially, how to interpret the results from each tool."
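The first statement above describes SARIF's purpose as combining results across runs of one tool and across tools from several vendors. The following Python script is an added example (not part of the message, and not code from the SARIF Technical Committee): it builds two small, constructed SARIF 2.1.0 logs for two hypothetical tools ("ExampleLintA" and "ExampleLintB", with invented rule ids and findings), merges their results by file and line, and reports which locations were flagged by more than one tool. The property names used (`runs`, `tool.driver.name`, `results`, `ruleId`, `level`, `message.text`, `locations[].physicalLocation.artifactLocation.uri`, `region.startLine`) follow the SARIF 2.1.0 object model; the sample findings and file paths are assumptions made for the example.

```python
"""Added example: combining SARIF results from several tool runs.

Two constructed SARIF 2.1.0 logs (hypothetical tools "ExampleLintA" and
"ExampleLintB", invented rule ids and findings) are merged into one view keyed
by file and line, so findings from different tools about the same location can
be compared. Property names follow the SARIF 2.1.0 object model.
"""
import json
from collections import defaultdict


def _sarif_log(tool_name, results):
    """Build a minimal SARIF 2.1.0 log with a single run (constructed sample)."""
    return json.dumps({
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name}},
            "results": results,
        }],
    })


def _result(rule_id, level, text, uri, line):
    """Build one SARIF result object with a single physical location."""
    return {
        "ruleId": rule_id,
        "level": level,
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
    }


# Constructed sample input: two tools, overlapping on src/parser.c line 42.
TOOL_A_LOG = _sarif_log("ExampleLintA", [
    _result("A001", "error", "Possible null dereference", "src/parser.c", 42),
    _result("A002", "warning", "Unused variable 'tmp'", "src/util.c", 7),
])
TOOL_B_LOG = _sarif_log("ExampleLintB", [
    _result("B100", "error", "Pointer may be NULL here", "src/parser.c", 42),
    _result("B205", "note", "Consider const for 'cfg'", "src/main.c", 15),
])


def extract_findings(sarif_text):
    """Flatten every result in every run of one SARIF log into plain records.

    A result may carry several locations; each becomes its own record so that
    the merge below is keyed purely on (uri, startLine).
    """
    log = json.loads(sarif_text)
    findings = []
    for run in log.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                findings.append({
                    "tool": tool,
                    "ruleId": res.get("ruleId"),
                    # SARIF falls back to "warning" when a result has no level
                    # and its rule supplies no default configuration.
                    "level": res.get("level", "warning"),
                    "message": res.get("message", {}).get("text", ""),
                    "uri": uri,
                    "line": line,
                })
    return findings


def merge_runs(sarif_logs):
    """Group findings from many SARIF logs by (uri, startLine)."""
    merged = defaultdict(list)
    for text in sarif_logs:
        for f in extract_findings(text):
            merged[(f["uri"], f["line"])].append(f)
    return dict(merged)


def corroborated(merged):
    """Locations reported by more than one distinct tool, sorted for stable output."""
    return sorted(key for key, fs in merged.items()
                  if len({f["tool"] for f in fs}) > 1)


def counts_by_file(merged):
    """Number of findings per artifact URI across all tools."""
    counts = defaultdict(int)
    for (uri, _line), fs in merged.items():
        counts[uri] += len(fs)
    return dict(counts)


if __name__ == "__main__":
    merged = merge_runs([TOOL_A_LOG, TOOL_B_LOG])
    for (uri, line), fs in sorted(merged.items()):
        tools = ", ".join(f"{f['tool']}:{f['ruleId']}" for f in fs)
        print(f"{uri}:{line}  {tools}")
    print("flagged by more than one tool:", corroborated(merged))
```

Keying on file and start line is the simplest cross-tool join; a production merge would also normalise URIs against `originalUriBaseIds` and compare rule metadata, but the point here is that one common format makes the join a few lines of generic code rather than one adapter per tool.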

