OASIS Static Analysis Results Interchange Format (SARIF) TC

  • 1.  Change bars for Issue #158 (result.correlationId)

    Posted 06-06-2018 21:13
    Normally I incorporate amendments adopted by the TC into the provisional draft without asking for further review. In the case of Issue #158 (Introduce result.correlationId and clarify purpose of result.fingerprints array), the changes were substantive enough that I wanted to show them to you explicitly. I’ve attached a change-barred version of the provisional draft that shows the changes I made based on the TC’s feedback.

    I am going to merge these changes, along with the other changes we adopted today. But if you disagree with the way I incorporated the feedback on #158, now’s your chance to tell me.

    Thanks,
    Larry

    Attachment: sarif-v2.0-issue-158-result.correlationGuid-as-amended.docx


  • 2.  RE: [sarif] Change bars for Issue #158 (result.correlationId)

    Posted 06-07-2018 06:23
    Sorry for not bringing these up earlier, but I have a couple of comments:

    1) Regarding the result.fingerprints property: the spec says that “A direct SARIF producer SHOULD NOT populate this property.” In that case, what should we do with our instance ids, which are actually generated by the analyzer? I thought that this property is what we would use for them. On the other hand, the spec also says: “EXAMPLE: In this example, the producer has calculated a fingerprint using version 2 of a fingerprinting method it refers to as "contextRegionHash"”, implying that the producer does calculate the fingerprint.

    2) Regarding the result.ruleId property: the majority of Fortify results are produced with the help of more than one rule, so this really should be an array.

    Thanks!
    k

    From: sarif@lists.oasis-open.org [mailto:sarif@lists.oasis-open.org] On Behalf Of Larry Golding (Comcast)
    Sent: Wednesday, June 06, 2018 2:11 PM
    To: sarif@lists.oasis-open.org; Michael Fanning <Michael.Fanning@microsoft.com>
    Subject: [sarif] Change bars for Issue #158 (result.correlationId)
    Importance: High
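The result.fingerprints question raised in the message above, worked through as an added example. This code is not part of the original thread, the SARIF specification, or any tool discussed here: it shows a direct producer that computes its own fingerprint from the context region around a result and a consumer that uses that fingerprint, rather than the line number, to match results across two runs. Property names follow the SARIF 2.0 drafts of the time (fileLocation, region.startLine); the key name "contextRegionHash/v2" is modelled on the spec example quoted above but its exact spelling, the whitespace normalization, the rule ids and both source files are assumptions constructed for the example.

```python
# Added example, not from the SARIF spec or any tool in the thread. A direct
# producer fills result.fingerprints with a hash of the code around the
# finding; a consumer then matches results across runs by that hash instead
# of by line number. Property names follow the SARIF 2.0 drafts; the key
# name, normalization, rule ids and sources are constructed assumptions.
import hashlib
from collections import defaultdict


def context_region_hash_v2(source_lines, start_line, context=1):
    """Hash the reported line plus `context` lines on each side.

    Whitespace is collapsed so re-indentation does not change the value, and
    line numbers are left out so code moving within the file does not either."""
    lo = max(0, start_line - 1 - context)
    hi = min(len(source_lines), start_line + context)
    region = "\n".join(" ".join(line.split()) for line in source_lines[lo:hi])
    return hashlib.sha256(region.encode("utf-8")).hexdigest()[:16]


def make_result(rule_id, uri, start_line, source_text, message):
    """Minimal SARIF 2.0-draft-style result; the producer sets fingerprints itself."""
    lines = source_text.splitlines()
    return {
        "ruleId": rule_id,
        "message": {"text": message},
        "locations": [{"physicalLocation": {
            "fileLocation": {"uri": uri},
            "region": {"startLine": start_line},
        }}],
        "fingerprints": {
            "contextRegionHash/v2": context_region_hash_v2(lines, start_line),
        },
    }


def _loc_key(result):
    loc = result["locations"][0]["physicalLocation"]
    return (result["ruleId"], loc["fileLocation"]["uri"], loc["region"]["startLine"])


def _fp_key(result, name="contextRegionHash/v2"):
    return (result["ruleId"], result["fingerprints"][name])


def correlate(previous, current, key_fn):
    """Pair results from two runs by key_fn; returns (matched, new, fixed).

    Keys are counted, not treated as a set, so two identical findings in one
    file (same rule, same fingerprint) stay two findings."""
    prev, cur = defaultdict(list), defaultdict(list)
    for r in previous:
        prev[key_fn(r)].append(r)
    for r in current:
        cur[key_fn(r)].append(r)
    matched, new, fixed = [], [], []
    for k in set(prev) | set(cur):
        n = min(len(prev[k]), len(cur[k]))
        matched += list(zip(prev[k][:n], cur[k][:n]))
        new += cur[k][n:]
        fixed += prev[k][n:]
    return matched, new, fixed


# Constructed sources: run 2 adds two imports above the same os.system call,
# shifting it from line 4 to line 6, and introduces a new eval() finding.
SOURCE_RUN1 = """\
import os

def run(cmd):
    os.system("ls " + cmd)   # shell injection

def helper():
    return 1
"""

SOURCE_RUN2 = """\
import os
import sys
import logging

def run(cmd):
    os.system("ls " + cmd)   # shell injection

def helper():
    return 1

def other(path):
    eval(path)
"""


def demo():
    """Return (by_line, by_fingerprint) correlation outcomes for the two runs."""
    uri = "src/app.py"  # constructed
    run1 = [make_result("PY-CMD-001", uri, 4, SOURCE_RUN1, "shell command built from input")]
    run2 = [
        make_result("PY-CMD-001", uri, 6, SOURCE_RUN2, "shell command built from input"),
        make_result("PY-EVAL-001", uri, 12, SOURCE_RUN2, "eval of untrusted input"),
    ]
    return correlate(run1, run2, _loc_key), correlate(run1, run2, _fp_key)


if __name__ == "__main__":
    for label, (m, n, f) in zip(("by line", "by fingerprint"), demo()):
        print(f"{label}: matched={len(m)} new={len(n)} fixed={len(f)}")
```

Matching by location reports the shifted os.system finding as one fixed and one new result, which is exactly the churn that makes baselines and suppressions drift; matching by the producer's fingerprint keeps it as one matched result and isolates the genuinely new eval finding. The caveat is the one the thread's "SHOULD NOT" hints at: a fingerprint is only as stable as the producer's hashing rules, so its version belongs in the key (here the "/v2" suffix) and a consumer must not compare values across versions.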


  • 3.  RE: [sarif] Change bars for Issue #158 (result.correlationId)

    Posted 06-07-2018 18:22
    Michael – please read this carefully to see if I’ve correctly conveyed your philosophy for analysis tool design.

    Hi Katrina,

    1. First of all, don’t worry, you can indeed populate result.fingerprints. “SHOULD NOT” means “don’t do it unless you have a good reason,” and I guess your tool has a good reason


  • 4.  RE: [sarif] Change bars for Issue #158 (result.correlationId)

    Posted 06-07-2018 23:55

    Hi Larry,

    1. Ok, understood, but it does feel like a re-phrase of some sort would be helpful.

    2. Yeah, we indeed don’t mean the same thing by the term “rule”. Not all of our rules result in a specific finding on their own. In fact, the majority of our dataflow rules, for example, are helper rules that don’t result in any finding on their own – they just help the analyzer do its job. So, the dataflow finding is generated by a set of rules, and only the sink rule corresponds to a “specific criterion of correctness verified by a static analysis tool”.

    k

    From: Larry Golding (Comcast) [mailto:larrygolding@comcast.net]
    Sent: Thursday, June 07, 2018 11:20 AM
    To: 'O'Neil, Yekaterina Tsipenyuk' <katrina@microfocus.com>; sarif@lists.oasis-open.org; 'Michael Fanning' <Michael.Fanning@microsoft.com>
    Subject: RE: [sarif] Change bars for Issue #158 (result.correlationId)
    Importance: High