
sarif message


Subject: Re: [sarif] Second draft of Candidate OASIS Standard statements

Thanks, Michael. That explanation is exactly the kind of thing I was looking for, and it clears up a lot. (And no, it isn't too late.)

Part of what we did wrong was that we tried to make the statement apply to more than one purpose, and in so doing, we said too much. It would be fine to create a joint press release between two committees, but if we do, that should be separate from this statement. The one purpose of this statement is to fill a roughly one-paragraph space in the form to apply for Candidate OASIS Standard status -- a paragraph that explains very briefly why SARIF was needed when there was a standard that targeted a related but not identical purpose.

Given the new information, I'd like to pare down the statement to focus on that one purpose. Here is my suggestion.

"The Object Management Group's Tool Output Integration Format (TOIF) is an existing standard that integrates diverse static analysis result formats into the lowest common denominator representation, as one form of evidence in a software assurance system. By contrast, SARIF accommodates deep, precise expression of static analysis results to provide full support for the capabilities of advanced static analysis systems, enabling the sharing of sophisticated visualization and processing components that previously were specific to individual static analysis tools."


On 2019-09-25 07:53, Michael Fanning wrote:
I apologize for being so late to this discussion. I might need some clarification here, as I don't agree with this point. SARIF is designed to accommodate deep, precise expression of static analysis results that can drive the range of evaluation and disposition activities. As an outcome, tools may be able to share very sophisticated viewers/systems where today, all these are specific to individual tools.

As it has played out, the SARIF design doesn't propose much in our domain that is novel or which can't be derived from existing tool concepts (as expressed in log files). We took this design path because we value uptake of the format (to realize value in a multitool ecosystem) over attempting to drive innovation of tools.

We have multiple proof points that we succeeded in this, as we have converters that do a very good job for both a deep Microsoft checker (the 'static driver verifier') and MicroFocus Fortify SCA. For both these tools, we can create SARIF files, by converting original log files, that drive various SARIF experiences (such as VS Code results debugging).

David, where are we at with this? Has the ship sailed on reviewing/modifying this content?

-----Original Message-----
From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of Larry Golding (Myriad Consulting Inc)
Sent: Friday, September 6, 2019 4:33 PM
To: David Keaton <dmk@dmk.com>; sarif@lists.oasis-open.org
Subject: RE: [sarif] Second draft of Candidate OASIS Standard statements

No, I don't.

-----Original Message-----
From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of David Keaton
Sent: Friday, September 6, 2019 4:32 PM
To: sarif@lists.oasis-open.org
Subject: Re: [sarif] Second draft of Candidate OASIS Standard statements

[I'm replying to just the list, to keep from sending multiple copies to the participants in the conversation.]

On 2019-09-06 17:26, Larry Golding (Myriad Consulting Inc) wrote:
I would propose either to

- Remove entirely the clause "which often requires..."
- Replace that clause with "which can be accomplished by modifying the tools to produce SARIF output natively or by providing a converter from the tool's output to SARIF"

       To me, both of those options weaken the case for voting to make SARIF an OASIS standard.  Do you have another key valuable difference between the two to propose in place of this statement?

