SARIF taxonomies

Just wanted to shine a light on an effort Microsoft is helping with, to convert a number of prominent standards to SARIF taxonomies, which are designed to help tool producers link their findings to specific standards.

We started with a few obvious standards of importance (particularly used in the Heimdall effort), CSE, OWASP NIST SP800-53, etc.

Our thought is that there could be three distinct efforts here:

Create and maintain stand-alone SARIF taxonomic descriptions of a standard, e.g., CWE
Encourage tool developers to expand their tool output to describe relationships between their output and a standard they ‘understand’.
Create and maintain stand-alone SARIF taxonomies that describe relationships between two standards, e.g., a CWE<->OWASP mapping. This eco-system will eventually lower costs to categorize tool output. If a tool maps itself successfully to CWE, for example, these other taxonomies may allow easy mapping to arbitrary other standards (without requiring the tool to emit all standards-relevant data comprehensively).

All SARIF taxonomies can be referenced indirectly to help keep log size to a minimum.

Would love to talk with others on this effort, interested in suggestions on how to maintain these taxonomies, etc. etc.

Michael

A current PR on creating a NIST SARIF taxonomy. Our strategy is to check in and maintain code, where possible, that processes some official standard representation to produce the taxonomy (rather than creating/maintaining SARIF JSON manually).

NIST_SP800-53_v4.sarif and tool code by shaopeng-gh · Pull Request #4 · sarif-standard/taxonomies (github.com)

Heimdall mappings as CSV:

heimdall_tools/lib/data at master · mitre/heimdall_tools (github.com)

sarif message