RE: [sarif] Second draft of Candidate OASIS Standard statements

["Larry Golding (Myriad Consulting Inc)" <v-lgold@microsoft.com>]

I am happy we're making such good progress on this statement. I have one reservation:

I donât want to leave readers with the impression that the only way for tools to participate in the SARIF ecosystem is by altering their internals. There are actually three ways that SARIF output comes into existence:

- By modifying the tools themselves (a strategy followed by many Microsoft tools, and also Clang Analyzer and others)
- By writing converters (the SARIF SDK contains converters for Fortify, Pylint, AndroidStudio, FxCop, and others. See https://github.com/microsoft/sarif-sdk, in the src/Sarif.Converters folder.)
- By taking advantage of a toolâs existing "formatter plugin" architecture (we have written a SARIF formatter plugin for the ESLint JavaScript analyzer, and we are currently writing one for Bandit , a Python security analyzer)

The barrier to entry to the SARIF ecosystem is quite low, and I'm concerned that the statement in its current form doesn't make that clear.

I would propose either to

- Remove entirely the clause "which often requires..."
OR
- Replace that clause with "which can be accomplished by modifying the tools to produce SARIF output natively or by providing a converter from the tool's output to SARIF"

Larry

-----Original Message-----
From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of David Keaton
Sent: Friday, September 6, 2019 4:17 PM
To: OASIS SARIF TC Discussion List <sarif@lists.oasis-open.org>
Subject: [sarif] Second draft of Candidate OASIS Standard statements

      To sum up what we have developed, here are the statements we have for our application for Candidate OASIS Standard status.  The purpose is to explain to OASIS members why they should vote to make SARIF an OASIS Standard.  Thanks for all the helpful input.  (I was just finishing this up when Nick's consolidation came through.  Nick's version is missing the change from "generally" to "often," but otherwise the two versions of the second statement are identical.)

Required element:  Clear English-language summary of the specification

"Static Analysis Results Interchange Format (SARIF) is a standard output format for static analysis tools.  A static analysis tool is a program that examines programming artifacts in order to detect problems, without executing the program.  A standard output format allows results to be combined across runs of the same tool, and across runs of tools from multiple vendors, to get a more complete picture of the aspects of a program that need improvement."

Required element:  Relationship of this specification to similar work

"SARIF represents a different strategy for common representation of the results of static analysis.  The Object Management Group's Tool Output Integration Format (TOIF) is an existing standard in this space that is integrated with the OMG's software assurance suite.  TOIF normalizes and integrates the output of static analysis tools and other artifacts as evidence for software assurance.

"TOIF's strategy involves creating adapters from various tools to the reporting format, and as such, it is focused on integrating the diverse formats into the lowest common denominator representation without having to modify the original tools.  By contrast, SARIF aims to support the full capabilities of advanced tools, which often requires modifying the tools to produce SARIF output natively.

"Both SARIF and TOIF solve an important problem for the organizations performing software assurance by providing a uniform and vendor-neutral way of deploying and running multiple tools on the same code base, disseminating and interpreting the combined findings, including the reduction in the costs of training developers in how to use multiple tools and, especially, how to interpret the results from each tool."

					David

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.oasis-open.org%2Fapps%2Forg%2Fworkgroup%2Fportal%2Fmy_workgroups.php&amp;data=02%7C01%7Cv-lgold%40microsoft.com%7C8ad34475a01048492dc208d733205b76%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637034086387098155&amp;sdata=8oxW67kVePr1RJsjNzdrAaw31DxQy%2FjmIsa0we8w1Bo%3D&amp;reserved=0