OASIS Static Analysis Results Interchange Format (SARIF) TC

  • 1.  SARIF writer and SWAMP SCARF to SARIF converter

    Posted 09-19-2018 20:58
    Hi,

    For use in the SWAMP ( https://www.continuousassurance.com ), we created an open source Perl library to produce SARIF ( https://github.com/mirswamp/swamp-sarif-io ). It provides a streaming interface based on the streaming library used to write a SCARF (SWAMP Common Assessment Result Format) formatted file. Although it was written for use by the SWAMP, it is not specific to the SWAMP.

    We used this library to produce a converter ( https://github.com/mirswamp/swamp-scarf-sarif ) from SCARF to SARIF. Currently the converter produces valid SARIF files from assessment results of 35 of the tools supported in the SWAMP, and contains all the data from SCARF and some data from other artifacts produced during assessments in the SWAMP.

    We will soon make available SARIF files containing assessment results from many package and tool combinations produced by the converter. We will also continue to enhance the library with additional functionality to support more of SARIF, starting with additional data that we can extract from the SWAMP artifacts and raw tool output.

    Any comments or suggestions are welcome.

    Jim


  • 2.  Re: [sarif] SARIF writer and SWAMP SCARF to SARIF converter

    Posted 09-21-2018 16:36
    Jim:

    This is great! Thanks for making it available.

    > For use in the SWAMP ( https://www.continuousassurance.com ), we created an open source Perl library to produce SARIF ( https://github.com/mirswamp/swamp-sarif-io ). It provides a streaming interface based on the streaming library used to write a SCARF (SWAMP Common Assessment Result Format) formatted file. Although it was written for use by the SWAMP, it is not specific to the SWAMP.

    Someone just asked me if I knew of any open source tools that could produce SARIF, so I pointed him here. His question was about what license is on the code, but I didn't see one. Is there a master SWAMP license that would apply?

    > We used this library to produce a converter ( https://github.com/mirswamp/swamp-scarf-sarif ) from SCARF to SARIF. Currently the converter produces valid SARIF files from assessment results of 35 of the tools supported in the SWAMP, and contains all the data from SCARF and some data from other artifacts produced during assessments in the SWAMP.
    >
    > We will soon make available SARIF files containing assessment results from many package and tool combinations produced by the converter. We will also continue to enhance the library with additional functionality to support more of SARIF, starting with additional data that we can extract from the SWAMP artifacts and raw tool output.

    I look forward to seeing these. If possible, I'd like to draw on them to validate our own importer. Again, knowing the license will be important.

    Can I ask which version of SARIF you are using? I ask because this is something we're facing ourselves. Until now we've been using committee specification draft 1, but will probably change to use a newer version containing all the changes that the TC have agreed upon once fixes to issues 235 and 240 have been agreed to.

    -Paul

    --
    Paul Anderson, VP of Engineering, GrammaTech, Inc.
    531 Esty St., Ithaca, NY 14850
    Tel: +1 607 273-7340 x118; http://www.grammatech.com


  • 3.  Re: [sarif] SARIF writer and SWAMP SCARF to SARIF converter

    Posted 09-21-2018 19:04
    Paul,

    The license is Apache 2.0 ( http://www.apache.org/licenses/LICENSE-2.0 ). This will be added to the repository shortly.

    This produces SARIF that is tracking the latest 2.0 draft standard and validates against the JSON Schema found in the SARIF repository ( https://github.com/oasis-tcs/sarif-spec/ ). At this point it only produces a subset of capabilities needed to translate SCARF to SARIF, with more to come.

    Jim

    On 09/21/2018 11:35 AM, Paul Anderson wrote:
    > Jim:
    >
    > This is great! Thanks for making it available.
    >
    >> For use in the SWAMP ( https://www.continuousassurance.com ), we created an open source Perl library to produce SARIF ( https://github.com/mirswamp/swamp-sarif-io ). It provides a streaming interface based on the streaming library used to write a SCARF (SWAMP Common Assessment Result Format) formatted file. Although it was written for use by the SWAMP, it is not specific to the SWAMP.
    >
    > Someone just asked me if I knew of any open source tools that could produce SARIF, so I pointed him here. His question was about what license is on the code, but I didn't see one. Is there a master SWAMP license that would apply?
    >
    >> We used this library to produce a converter ( https://github.com/mirswamp/swamp-scarf-sarif ) from SCARF to SARIF. Currently the converter produces valid SARIF files from assessment results of 35 of the tools supported in the SWAMP, and contains all the data from SCARF and some data from other artifacts produced during assessments in the SWAMP.
    >>
    >> We will soon make available SARIF files containing assessment results from many package and tool combinations produced by the converter. We will also continue to enhance the library with additional functionality to support more of SARIF, starting with additional data that we can extract from the SWAMP artifacts and raw tool output.
    >
    > I look forward to seeing these. If possible, I'd like to draw on them to validate our own importer. Again, knowing the license will be important.
    >
    > Can I ask which version of SARIF you are using? I ask because this is something we're facing ourselves. Until now we've been using committee specification draft 1, but will probably change to use a newer version containing all the changes that the TC have agreed upon once fixes to issues 235 and 240 have been agreed to.
    >
    > -Paul
    >
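The two ideas the thread turns on, a streaming writer that emits SARIF results one at a time (post 1) and a structural check an importer can run on the output before trusting it (post 3 and Paul's question about validating an importer), are illustrated below. This is an added example written for this page; it is not code from swamp-sarif-io or swamp-scarf-sarif, and it is in Python rather than Perl. The SCARF-style input records (keys BugCode, BugMessage, SourceFile, StartLine, Severity) are a constructed, simplified stand-in and not SCARF's real schema, and the SARIF field layout shown (version, runs, tool, results, ruleId, message, locations, physicalLocation, fileLocation, region) follows the general SARIF 2.0 shape as an illustration, not a copy of any particular draft.

```python
import json
from io import StringIO


class StreamingSarifWriter:
    """Emit a SARIF-shaped JSON log incrementally.

    The header (version, tool) is written first, each result is appended
    as it arrives, and the closing brackets are written last, so a
    converter never has to hold a whole assessment's findings in memory.
    The field names are an illustration of the SARIF 2.0 layout, not a
    copy of any specific draft of the specification.
    """

    def __init__(self, out, tool_name, tool_version, sarif_version="2.0.0"):
        self.out = out
        self.count = 0
        tool = json.dumps({"name": tool_name, "version": tool_version})
        # Open the log, the single run, and its results array.
        self.out.write('{"version": %s, "runs": [{"tool": %s, "results": ['
                       % (json.dumps(sarif_version), tool))

    def add_result(self, rule_id, message, uri, start_line, level="warning"):
        result = {
            "ruleId": rule_id,
            "level": level,
            "message": {"text": message},
            "locations": [{"physicalLocation": {
                "fileLocation": {"uri": uri},
                "region": {"startLine": start_line}}}],
        }
        if self.count:
            self.out.write(",")  # separate from the previous result
        self.out.write(json.dumps(result))
        self.count += 1

    def close(self):
        # Close results array, run object, runs array, and the log object.
        self.out.write("]}]}")
        return self.count


# Constructed, simplified stand-in for SCARF bug records (assumed field
# names; SCARF's real schema is XML and richer than this).
SAMPLE_BUGS = [
    {"BugCode": "CWE-120", "BugMessage": "Possible buffer overflow in strcpy call",
     "SourceFile": "src/net/parse.c", "StartLine": 42, "Severity": "high"},
    {"BugCode": "CWE-476", "BugMessage": "Pointer may be NULL when dereferenced",
     "SourceFile": "src/net/conn.c", "StartLine": 118, "Severity": "medium"},
]


def severity_to_level(severity):
    """Map the assumed severity string onto a SARIF result level."""
    return "error" if severity == "high" else "warning"


def convert_bugs(bugs, tool_name="example-tool", tool_version="1.0"):
    """Stream a list of bug records into a SARIF-shaped JSON string."""
    buf = StringIO()
    writer = StreamingSarifWriter(buf, tool_name, tool_version)
    for bug in bugs:
        writer.add_result(bug["BugCode"], bug["BugMessage"], bug["SourceFile"],
                          bug["StartLine"], severity_to_level(bug["Severity"]))
    writer.close()
    return buf.getvalue()


def validate_sarif(text):
    """Structural check an importer might run before trusting a log.

    Parses the JSON and confirms the fields this writer relies on are
    present with the expected types. Returns the flat list of results,
    or raises ValueError naming the first missing or mistyped field.
    """
    log = json.loads(text)
    if not isinstance(log.get("version"), str):
        raise ValueError("missing top-level 'version'")
    runs = log.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("missing or empty 'runs'")
    results = []
    for i, run in enumerate(runs):
        if not isinstance(run.get("tool", {}).get("name"), str):
            raise ValueError("run %d: missing tool.name" % i)
        for j, r in enumerate(run.get("results", [])):
            if not isinstance(r.get("ruleId"), str):
                raise ValueError("run %d result %d: missing ruleId" % (i, j))
            if not isinstance(r.get("message", {}).get("text"), str):
                raise ValueError("run %d result %d: missing message.text" % (i, j))
            results.append(r)
    return results


if __name__ == "__main__":
    sarif_text = convert_bugs(SAMPLE_BUGS)
    print(sarif_text)
    print("%d results validated" % len(validate_sarif(sarif_text)))
```

The writer only ever appends to its output stream, which is what makes it usable for very large assessments; a real converter would validate the finished file against the JSON Schema in the sarif-spec repository, as post 3 describes, rather than relying on the lightweight field check shown here.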