OASIS Mailing List Archives

 



sarif message



Subject: RE: [sarif] Second draft of Candidate OASIS Standard statements


I apologize for being so late to this discussion. I might need some clarification here, as I don't agree with this point. SARIF is designed to accommodate deep, precise expression of static analysis results that can drive the range of evaluation and disposition activities. As an outcome, tools may be able to share very sophisticated viewers/systems where today, all these are specific to individual tools. 

As it has played out, the SARIF design doesn't propose much in our domain that is novel or which can't be derived from existing tool concepts (as expressed in log files). We took this design path because we value uptake of the format (to realize value in a multitool ecosystem) over attempting to drive innovation of tools.

We have multiple proof points that we succeeded in this, as we have converters that do a very good job for both a deep Microsoft checker (the 'static driver verifier') and MicroFocus Fortify SCA. For both these tools, we can create SARIF files, by converting original log files, that drive various SARIF experiences (such as VS Code results debugging).

David, where are we at with this? Has the ship sailed on reviewing/modifying this content?

Michael

-----Original Message-----
From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of Larry Golding (Myriad Consulting Inc)
Sent: Friday, September 6, 2019 4:33 PM
To: David Keaton <dmk@dmk.com>; sarif@lists.oasis-open.org
Subject: RE: [sarif] Second draft of Candidate OASIS Standard statements

No, I don't.

-----Original Message-----
From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of David Keaton
Sent: Friday, September 6, 2019 4:32 PM
To: sarif@lists.oasis-open.org
Subject: Re: [sarif] Second draft of Candidate OASIS Standard statements

[I'm replying to just the list, to keep from sending multiple copies to the participants in the conversation.]

On 2019-09-06 17:26, Larry Golding (Myriad Consulting Inc) wrote:
> I would propose either to
> 
> - Remove entirely the clause "which often requires..."
> OR
> - Replace that clause with "which can be accomplished by modifying the tools to produce SARIF output natively or by providing a converter from the tool's output to SARIF"

To me, both of those options weaken the case for voting to make SARIF an OASIS standard. Do you have another key valuable difference between the two to propose in place of this statement?

David
