Just wanted to shine a light on an effort Microsoft is helping with, to convert a number of prominent standards to SARIF taxonomies, which are designed to help tool producers link their findings to specific standards. We started with a few obvious standards of importance (particularly used in the Heimdall effort): CSE, OWASP, NIST SP800-53, etc.

Our thought is that there could be three distinct efforts here:

1. Create and maintain stand-alone SARIF taxonomic descriptions of a standard, e.g., CWE.
2. Encourage tool developers to expand their tool output to describe relationships between their output and a standard they ‘understand’.
3. Create and maintain stand-alone SARIF taxonomies that describe relationships between two standards, e.g., a CWE<->OWASP mapping.

This eco-system will eventually lower costs to categorize tool output. If a tool maps itself successfully to CWE, for example, these other taxonomies may allow easy mapping to arbitrary other standards (without requiring the tool to emit all standards-relevant data comprehensively). All SARIF taxonomies can be referenced indirectly to help keep log size to a minimum.

Would love to talk with others on this effort, interested in suggestions on how to maintain these taxonomies, etc. etc.

Michael

A current PR on creating a NIST SARIF taxonomy. Our strategy is to check in and maintain code, where possible, that processes some official standard representation to produce the taxonomy (rather than creating/maintaining SARIF JSON manually).

NIST_SP800-53_v4.sarif and tool code by shaopeng-gh · Pull Request #4 · sarif-standard/taxonomies (github.com)

Heimdall mappings as CSV: heimdall_tools/lib/data at master · mitre/heimdall_tools (github.com)
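A worked illustration of the indirect-mapping idea above (tool → CWE → another standard), added here as an example; it is not code from the post or from the sarif-standard/taxonomies project. It assumes the CWE<->OWASP bridge is expressed as `relationships` on the CWE taxa, uses an abbreviated, constructed SARIF 2.1.0 run with GUIDs omitted, and the scanner name, rule id and OWASP category are illustrative.

```python
# Added example, not code from the post or the sarif-standard/taxonomies repo.
# Constructed, abbreviated SARIF 2.1.0 run: one tool rule mapped only to CWE; the CWE
# taxon carries a relationship to OWASP (assumption: that is how the bridge is modelled
# here). GUIDs omitted; toolComponent.index points into run.taxonomies.
SARIF_RUN = {
    "tool": {"driver": {"name": "ExampleScanner", "rules": [
        {"id": "XSS001", "relationships": [
            {"target": {"id": "CWE-79", "toolComponent": {"name": "CWE", "index": 0}},
             "kinds": ["superset"]}]}]}},
    "taxonomies": [
        {"name": "CWE", "taxa": [
            {"id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation",
             "relationships": [
                 {"target": {"id": "A03:2021", "toolComponent": {"name": "OWASP Top 10", "index": 1}},
                  "kinds": ["relevant"]}]}]},
        {"name": "OWASP Top 10", "taxa": [{"id": "A03:2021", "name": "Injection"}]},
    ],
    "results": [{"ruleId": "XSS001", "message": {"text": "Reflected input written to page."}}],
}

def _taxon(run, ref):
    """Resolve a reportingDescriptorReference to (taxonomy name, taxon dict)."""
    tc_ref = ref["toolComponent"]
    tc = run["taxonomies"][tc_ref["index"]]  # index is the normative lookup key
    if tc_ref.get("name", tc["name"]) != tc["name"]:
        raise ValueError(f"taxonomy name/index mismatch for {ref['id']}")
    for taxon in tc.get("taxa", []):
        if taxon["id"] == ref["id"]:
            return tc["name"], taxon
    raise KeyError(f"{ref['id']} not found in taxonomy {tc['name']}")

def resolve_taxa(run, rule_id):
    """Follow relationships transitively from a rule; return {(taxonomy, taxon id)}."""
    rule = next(r for r in run["tool"]["driver"]["rules"] if r["id"] == rule_id)
    seen, todo = set(), [rel["target"] for rel in rule.get("relationships", [])]
    while todo:
        name, taxon = _taxon(run, todo.pop())
        if (name, taxon["id"]) in seen:
            continue  # cycle guard: 'equal' mappings are often declared in both directions
        seen.add((name, taxon["id"]))
        todo.extend(rel["target"] for rel in taxon.get("relationships", []))
    return seen

def categorize_results(run):
    """Map each result to every standard reachable, although the tool only emitted CWE."""
    return {res["ruleId"]: sorted(resolve_taxa(run, res["ruleId"])) for res in run["results"]}

if __name__ == "__main__":
    for rule_id, taxa in categorize_results(SARIF_RUN).items():
        print(rule_id, "->", ", ".join(f"{t}:{i}" for t, i in taxa))
```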