Subject: Draft IANA registration for media type application/sarif+json


Please take a look and give feedback.

 

  • I don’t know what to put for “interoperability consideration”.

  • I don’t know what to put for “restrictions on usage”.

  • The list of “applications that use this media type” isn’t intended to be exhaustive, but if you want to add something (especially I think Jim will want to add some SWAMP tools) just let me know.

  • Also if I’ve misnamed any of the tools please let me know. CodeHawk-C was formerly KT-Advance.

  • Let me know if you want to provide something for “Any other information” at the bottom.

Type name: application

Subtype name: sarif+json

Required parameters: N/A

Optional parameters: N/A

Encoding considerations: UTF8 only

Security considerations:

- The use of absolute paths in analysis result location URIs might reveal sensitive information about the machine on which the scan was performed.
- The use of the hostname component in analysis result location URI might reveal the network location of the machine on which the scan was performed.
- The use of raw HTML in message strings expressed in Markdown might allow arbitrary code execution (for example, through javascript: links).
- The use of deeply nested constructs in Markdown message strings might lead to stack overflow in some Markdown implementations.
- Certain properties of the SARIF object model might reveal information about the machine on which a scan was run. (The specification allows such properties to be omitted or "redacted".)
- Certain properties of the SARIF object model (such as the command line that invoked the analysis tool) can contain arbitrary commands which might damage a machine on which they are run.
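The concerns above are things a SARIF producer should check before a log leaves the machine it was generated on. The following is an added example, not part of this draft or of any SARIF tool, that walks a constructed SARIF 2.1.0 log and flags absolute-path and hostname-bearing location URIs, raw HTML and javascript: links in Markdown messages, and recorded command lines (the nesting-depth concern is not covered); property names follow the SARIF 2.1.0 object model.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample SARIF 2.1.0 log that exercises the listed concerns.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleTool"}},
        "invocations": [{"commandLine": "exampletool --scan /home/alice/src"}],
        "results": [{
            "ruleId": "EX001",
            "message": {"text": "Unsafe call",
                        "markdown": "Unsafe call, see <a href=\"javascript:alert(1)\">details</a>"},
            "locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "file://build-host.corp.example/home/alice/src/main.c"}}}]
        }, {
            "ruleId": "EX002",
            "message": {"text": "ok"},
            "locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "src/util.c", "uriBaseId": "SRCROOT"}}}]
        }]
    }]
})

RAW_HTML = re.compile(r"<\s*/?[a-zA-Z][^>]*>")      # any raw HTML tag in Markdown
SCRIPT_SCHEME = re.compile(r"(?i)\bjavascript\s*:")  # javascript: link scheme

def uri_concerns(uri):
    """Return which of the registration's URI concerns apply to one location URI."""
    found = []
    parsed = urlparse(uri)
    if parsed.netloc:                 # hostname component reveals network location
        found.append("hostname")
    if parsed.path.startswith("/"):   # absolute path reveals local file system layout
        found.append("absolute-path")
    return found

def audit_sarif(sarif_text):
    """List (where, concern) pairs a publisher should review or redact before sharing."""
    issues = []
    for run in json.loads(sarif_text).get("runs", []):
        for inv in run.get("invocations", []):
            if "commandLine" in inv:  # may carry paths, secrets, or runnable commands
                issues.append(("invocation.commandLine", "command-line"))
        for result in run.get("results", []):
            rule = result.get("ruleId")
            md = result.get("message", {}).get("markdown", "")
            if RAW_HTML.search(md):
                issues.append((rule, "raw-html"))
            if SCRIPT_SCHEME.search(md):
                issues.append((rule, "javascript-link"))
            for loc in result.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                issues.extend((rule, c) for c in uri_concerns(uri))
    return issues
```

A relative URI with a uriBaseId, as in the second result, passes the URI checks; that is the form the specification's redaction guidance steers producers toward.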

Interoperability considerations:

Published specification: Static Analysis Results Interchange Format (SARIF) Version 2.1.0. Edited by Michael C. Fanning and Laurence J. Golding. 27 March 2020. OASIS Standard. https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html. Latest stage: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html.

Applications that use this media type:

- CodeHawk-C
- Fortify
- Microsoft C#/VB compilers
- Microsoft C++ compiler code analysis (PREfast)
- Semmle
- Clients of the .NET SARIF SDK (https://github.com/microsoft/sarif-sdk)

Fragment identifier considerations: N/A

Additional information:

  Deprecated alias names for this type: N/A
  Magic number(s): N/A
  File extension(s): .sarif, .sarif.json
  Macintosh file type code(s): N/A

Person & email address to contact for further information: Michael C. Fanning (mikefan@microsoft.com) and Laurence J. Golding (v-lgold@microsoft.com)

Intended usage: LIMITED USE

Restrictions on usage:

(Any restrictions on where the media type can be used go here.)

Author: OASIS Static Analysis Results Interchange Format (SARIF) TC (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif)

Change controller: OASIS Open (https://www.oasis-open.org/)

Provisional registration? (standards tree only): No

(Any other information that the author deems interesting may be added below this line.)
