OASIS Static Analysis Results Interchange Format (SARIF) TC

  • 1.  SARIF taxonomies

    Posted 05-25-2021 15:31
    Just wanted to shine a light on an effort Microsoft is helping with, to convert a number of prominent standards to SARIF taxonomies, which are designed to help tool producers link their findings to specific standards. We started with a few obvious standards of importance (particularly used in the Heimdall effort): CSE, OWASP, NIST SP800-53, etc.

    Our thought is that there could be three distinct efforts here:

    1. Create and maintain stand-alone SARIF taxonomic descriptions of a standard, e.g., CWE.
    2. Encourage tool developers to expand their tool output to describe relationships between their output and a standard they 'understand'.
    3. Create and maintain stand-alone SARIF taxonomies that describe relationships between two standards, e.g., a CWE<->OWASP mapping.

    This ecosystem will eventually lower costs to categorize tool output. If a tool maps itself successfully to CWE, for example, these other taxonomies may allow easy mapping to arbitrary other standards (without requiring the tool to emit all standards-relevant data comprehensively).

    All SARIF taxonomies can be referenced indirectly to help keep log size to a minimum.

    Would love to talk with others on this effort; interested in suggestions on how to maintain these taxonomies, etc.

    Michael

    A current PR on creating a NIST SARIF taxonomy. Our strategy is to check in and maintain code, where possible, that processes some official standard representation to produce the taxonomy (rather than creating/maintaining SARIF JSON manually).
    NIST_SP800-53_v4.sarif and tool code by shaopeng-gh · Pull Request #4 · sarif-standard/taxonomies (github.com)

    Heimdall mappings as CSV: heimdall_tools/lib/data at master · mitre/heimdall_tools (github.com)
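The post describes two mechanics without showing them: generating a SARIF taxonomy from a machine-readable copy of a standard, and having a tool's rules point at that taxonomy while the taxonomy itself stays out of the log. The Python below is an added example written for this page; it is not code from the post, from the sarif-standard/taxonomies PR, or from heimdall_tools. The two CSV snippets, the `example-scanner` tool name, the `Sample Controls` taxonomy name, its GUID seed URL and the external file name are all constructed for illustration. The SARIF 2.1.0 structures it uses are real: a `toolComponent` with `taxa` in `run.taxonomies` or in an external property file, `reportingDescriptor.relationships` whose `target` names a taxon by `id` plus the taxonomy's `guid`, and `run.externalPropertyFileReferences.taxonomies` as the indirect reference that keeps the log small.

```python
import csv
import io
import json
import uuid

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = ("https://raw.githubusercontent.com/oasis-tcs/sarif-spec/"
                "master/Schemata/sarif-schema-2.1.0.json")

# Constructed sample rows shaped like a control catalog (not a real standard).
CONTROL_CSV = """control_id,title
AC-3,Access Enforcement
AC-6,Least Privilege
SI-10,Information Input Validation
"""

# Constructed sample mapping from a hypothetical tool's rule ids to controls.
RULE_MAP_CSV = """rule_id,control_id,kind
SQLI001,SI-10,relevant
PRIV002,AC-6,relevant
PRIV002,AC-3,relevant
"""

TAXONOMY_NAME = "Sample Controls"  # hypothetical taxonomy name
# Deterministic GUID (hypothetical seed URL) so every log that refers to this
# taxonomy agrees on its identity, which is what relationship targets key on.
TAXONOMY_GUID = str(uuid.uuid5(uuid.NAMESPACE_URL,
                               "https://example.invalid/taxonomies/sample-controls"))


def build_taxonomy(control_csv):
    """Turn a control-catalog CSV into a SARIF toolComponent usable as a taxonomy.
    Each control becomes one reportingDescriptor in `taxa`."""
    taxa = [
        {"id": row["control_id"], "name": row["title"],
         "shortDescription": {"text": row["title"]}}
        for row in csv.DictReader(io.StringIO(control_csv))
    ]
    # isComprehensive=False: the file does not claim to list every control.
    return {"name": TAXONOMY_NAME, "guid": TAXONOMY_GUID, "version": "1.0",
            "isComprehensive": False, "taxa": taxa}


def build_rules(rule_map_csv, taxonomy):
    """Tool rules whose `relationships` point at taxa by id plus taxonomy GUID."""
    rels = {}
    for row in csv.DictReader(io.StringIO(rule_map_csv)):
        rels.setdefault(row["rule_id"], []).append({
            "target": {"id": row["control_id"],
                       "toolComponent": {"name": taxonomy["name"],
                                         "guid": taxonomy["guid"]}},
            "kinds": [row["kind"]],  # SARIF relationship kind, e.g. "relevant"
        })
    return [{"id": rule_id, "relationships": r} for rule_id, r in rels.items()]


def dangling_relationships(rules, taxonomy):
    """Return (rule_id, control_id) pairs whose target is not in the taxonomy.
    A mismatched GUID counts as dangling too: same id in a different taxonomy
    is a different taxon."""
    known = {t["id"] for t in taxonomy["taxa"]}
    missing = []
    for rule in rules:
        for rel in rule.get("relationships", []):
            target = rel["target"]
            if (target["toolComponent"]["guid"] != taxonomy["guid"]
                    or target["id"] not in known):
                missing.append((rule["id"], target["id"]))
    return missing


def build_log_and_external_file(taxonomy, rules, external_uri):
    """The log carries only a pointer to the taxonomy; the taxa live in an
    external property file, so the log size does not grow with the standard."""
    run_guid = str(uuid.uuid4())
    file_guid = str(uuid.uuid4())  # identifies the external file itself
    log = {"$schema": SARIF_SCHEMA, "version": SARIF_VERSION, "runs": [{
        "automationDetails": {"guid": run_guid},
        "tool": {"driver": {"name": "example-scanner", "rules": rules}},
        "externalPropertyFileReferences": {"taxonomies": [{
            "location": {"uri": external_uri},
            "guid": file_guid,
            "itemCount": len(taxonomy["taxa"]),
        }]},
        "results": [],
    }]}
    external = {"version": SARIF_VERSION, "guid": file_guid,
                "runGuid": run_guid, "taxonomies": [taxonomy]}
    return log, external


if __name__ == "__main__":
    tax = build_taxonomy(CONTROL_CSV)
    rules = build_rules(RULE_MAP_CSV, tax)
    assert not dangling_relationships(rules, tax)
    log, ext = build_log_and_external_file(
        tax, rules, "sample-controls.sarif-external-properties")
    print(json.dumps(log, indent=2))
    print(json.dumps(ext, indent=2))
```

The `dangling_relationships` check is the piece a tool producer would run in CI after regenerating a taxonomy from a new revision of the standard: controls that were renumbered or withdrawn show up as rule relationships with no matching taxon before any consumer sees a broken link.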