Subject: SARIF taxonomies
Just wanted to shine a light on an effort Microsoft is helping with, to convert a number of prominent standards to SARIF taxonomies, which are designed to help tool producers link their findings to specific standards.
We started with a few obvious standards of importance (particularly those used in the Heimdall effort): CSE, OWASP, NIST SP800-53, etc.
Our thought is that there could be three distinct efforts here:
All SARIF taxonomies can be referenced indirectly to help keep log size to a minimum.
Would love to talk with others on this effort; interested in suggestions on how to maintain these taxonomies, etc.
A current PR on creating a NIST SARIF taxonomy. Our strategy is to check in and maintain code, where possible, that processes some official standard representation to produce the taxonomy (rather than creating/maintaining SARIF JSON manually).
Heimdall mappings as CSV:
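As an added illustration of the approach described above (not code from the TC, the PR, or the Heimdall project), the script below generates a SARIF 2.1.0 taxonomy from a CSV export of control identifiers and titles, then emits a result that points at one control by index rather than repeating its text. The CSV rows, the `example-scanner` tool name and the `EX001` rule are constructed for the example.

```python
"""Generate a SARIF taxonomy (a toolComponent carrying taxa) from CSV rows,
then reference a taxon from a result by index instead of inlining it."""
import csv
import io
import json

# Constructed sample rows; a real run would read an official catalog export.
SAMPLE_CSV = """control_id,title
AC-2,Account Management
AC-6,Least Privilege
SC-8,Transmission Confidentiality and Integrity
"""


def build_taxonomy(csv_text: str, name: str = "NIST SP 800-53 (sample)") -> dict:
    """One reportingDescriptor per CSV row; the list becomes the taxonomy's taxa."""
    taxa = [{"id": r["control_id"], "name": r["title"],
             "shortDescription": {"text": r["title"]}}
            for r in csv.DictReader(io.StringIO(csv_text))]
    return {"name": name, "taxa": taxa, "isComprehensive": False}


def taxon_reference(taxonomy: dict, taxonomy_index: int, control_id: str) -> dict:
    """Build a reportingDescriptorReference: id plus index into the taxonomy,
    plus a toolComponentReference naming which run-level taxonomy it lives in."""
    for i, taxon in enumerate(taxonomy["taxa"]):
        if taxon["id"] == control_id:
            return {"id": control_id, "index": i,
                    "toolComponent": {"name": taxonomy["name"], "index": taxonomy_index}}
    raise KeyError(f"control {control_id!r} is not in taxonomy {taxonomy['name']!r}")


def build_log(csv_text: str, control_id: str) -> dict:
    """Assemble a minimal SARIF log whose single result is tagged with a control."""
    taxonomy = build_taxonomy(csv_text)
    driver = {"name": "example-scanner",  # constructed tool name
              "rules": [{"id": "EX001", "name": "HardcodedCredential"}],
              "supportedTaxonomies": [{"name": taxonomy["name"], "index": 0}]}
    result = {"ruleId": "EX001", "ruleIndex": 0, "level": "error",
              "message": {"text": "Credential embedded in source."},
              "taxa": [taxon_reference(taxonomy, 0, control_id)]}
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": driver}, "taxonomies": [taxonomy],
                      "results": [result]}]}


if __name__ == "__main__":
    print(json.dumps(build_log(SAMPLE_CSV, "AC-6"), indent=2))
```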