OASIS Static Analysis Results Interchange Format (SARIF) TC


Draft IANA registration for media type application/sarif+json


    Posted 04-03-2020 18:06
    Please take a look and give feedback. I don't know what to put for "interoperability considerations". I don't know what to put for "restrictions on usage". The list of "applications that use this media type" isn't intended to be exhaustive, but if you want to add something (especially I think Jim will want to add some SWAMP tools) just let me know. Also if I've misnamed any of the tools please let me know. CodeHawk-C was formerly KT-Advance. Let me know if you want to provide something for "Any other information" at the bottom.

    Type name: application

    Subtype name: sarif+json

    Required parameters: N/A

    Optional parameters: N/A

    Encoding considerations: UTF-8 only

    Security considerations:
    - The use of absolute paths in analysis result location URIs might reveal sensitive information about the machine on which the scan was performed.
    - The use of the hostname component in analysis result location URIs might reveal the network location of the machine on which the scan was performed.
    - The use of raw HTML in message strings expressed in Markdown might allow arbitrary code execution (for example, through javascript: links).
    - The use of deeply nested constructs in Markdown message strings might lead to stack overflow in some Markdown implementations.
    - Certain properties of the SARIF object model might reveal information about the machine on which a scan was run. (The specification allows such properties to be omitted or "redacted".)
    - Certain properties of the SARIF object model (such as the command line that invoked the analysis tool) can contain arbitrary commands which might damage a machine on which they are run.

    Interoperability considerations:

    Published specification: Static Analysis Results Interchange Format (SARIF) Version 2.1.0. Edited by Michael C. Fanning and Laurence J. Golding. 27 March 2020. OASIS Standard. https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html
    Latest stage: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html

    Applications that use this media type:
    - CodeHawk-C
    - Fortify
    - Microsoft C#/VB compilers
    - Microsoft C++ compiler code analysis (PREfast)
    - Semmle
    - Clients of the .NET SARIF SDK (https://github.com/microsoft/sarif-sdk)

    Fragment identifier considerations: N/A

    Additional information:
    Deprecated alias names for this type: N/A
    Magic number(s): N/A
    File extension(s): .sarif, .sarif.json
    Macintosh file type code(s): N/A

    Person & email address to contact for further information: Michael C. Fanning (mikefan@microsoft.com) and Laurence J. Golding (v-lgold@microsoft.com)

    Intended usage: LIMITED USE

    Restrictions on usage: (Any restrictions on where the media type can be used go here.)

    Author: OASIS Static Analysis Results Interchange Format (SARIF) TC (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif)

    Change controller: OASIS Open (https://www.oasis-open.org/)

    Provisional registration? (standards tree only): No

    (Any other information that the author deems interesting may be added below this line.)

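The security considerations in the draft above are aimed at SARIF consumers (viewers, CI integrations, triage services). The following is an added example, not part of the TC's draft and not code from the .NET SARIF SDK or any of the listed tools: a small Python pass over a SARIF 2.1.0 log that strips hostnames and absolute-path prefixes from result location URIs, and refuses to hand a Markdown message to a renderer when it contains raw HTML, a javascript:/vbscript:/data: link or excessive nesting, falling back to the plain-text message instead. The redaction token "[REDACTED]", the uriBaseId name "SRCROOT", the depth limit and the sample log are constructed for this example; the invocation command line is deliberately left alone as data and is never executed.

```python
"""Consumer-side checks for the security considerations listed in the draft.

Added example, not part of the OASIS TC draft or any SARIF SDK. Names
REDACTION_TOKEN, URI_BASE_ID, MAX_MARKDOWN_DEPTH and SAMPLE_LOG are constructed.
"""
import json
import posixpath
import re
from copy import deepcopy
from urllib.parse import unquote, urlsplit

REDACTION_TOKEN = "[REDACTED]"   # constructed; advertised via run.redactionTokens
URI_BASE_ID = "SRCROOT"          # constructed uriBaseId for relativized paths
MAX_MARKDOWN_DEPTH = 8           # constructed limit; deeper Markdown is refused

RAW_HTML_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")
SCRIPT_LINK_RE = re.compile(r"\]\(\s*(?:javascript|vbscript|data)\s*:", re.I)


def sanitize_uri(uri, source_root):
    """Return (uri, uri_base_id) with hostname and absolute prefix removed.

    Paths under source_root become relative to URI_BASE_ID; any other
    absolute path keeps only its final component behind REDACTION_TOKEN.
    """
    parts = urlsplit(uri)
    path = unquote(parts.path)
    if not parts.netloc and not path.startswith("/"):
        return uri, None            # already relative: nothing to hide
    root = source_root.rstrip("/") + "/"
    if path.startswith(root):
        return path[len(root):], URI_BASE_ID
    return REDACTION_TOKEN + "/" + posixpath.basename(path), None


def markdown_depth(md):
    """Crude nesting measure: leading blockquote markers and open brackets."""
    depth = 0
    for line in md.splitlines():
        depth = max(depth, re.match(r"(?:\s*>)*", line).group().count(">"))
    open_brackets = 0
    for ch in md:
        if ch in "[(":
            open_brackets += 1
            depth = max(depth, open_brackets)
        elif ch in "])":
            open_brackets = max(0, open_brackets - 1)
    return depth


def markdown_problems(md):
    """Reasons a Markdown message string must not be handed to a renderer."""
    problems = []
    if RAW_HTML_RE.search(md):
        problems.append("raw HTML")
    if SCRIPT_LINK_RE.search(md):
        problems.append("script-scheme link")
    if markdown_depth(md) > MAX_MARKDOWN_DEPTH:
        problems.append("nesting depth")
    return problems


def sanitize_message(message):
    """Drop the markdown variant of a message when it is unsafe to render."""
    md = message.get("markdown")
    if md is None or not markdown_problems(md):
        return message
    safe = {k: v for k, v in message.items() if k != "markdown"}
    safe.setdefault("text", REDACTION_TOKEN)   # keep a plain-text fallback
    return safe


def _fix_location(artifact_location, source_root):
    if not artifact_location or "uri" not in artifact_location:
        return
    uri, base_id = sanitize_uri(artifact_location["uri"], source_root)
    artifact_location["uri"] = uri
    if base_id:
        artifact_location["uriBaseId"] = base_id


def sanitize_sarif(log, source_root):
    """Return a sanitized deep copy of a SARIF log; the input is untouched."""
    out = deepcopy(log)
    for run in out.get("runs", []):
        run.setdefault("redactionTokens", []).append(REDACTION_TOKEN)
        for result in run.get("results", []):
            if "message" in result:
                result["message"] = sanitize_message(result["message"])
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                _fix_location(phys.get("artifactLocation"), source_root)
        # invocations[].commandLine stays as data only; it is never run here
    return out


SAMPLE_LOG = {  # constructed sample, not output of any real tool
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-analyzer"}},
              "invocations": [{"commandLine": "analyzer --src /home/alice/proj",
                               "executionSuccessful": True}],
              "results": [
                  {"ruleId": "EX0001",
                   "message": {"text": "Unsafe call",
                               "markdown": "Unsafe call, see [docs](javascript:alert(1))"},
                   "locations": [{"physicalLocation": {"artifactLocation": {
                       "uri": "file://build-host.corp.example/home/alice/proj/src/a.c"}}}]},
                  {"ruleId": "EX0002",
                   "message": {"text": "Leaked path", "markdown": "**Leaked** path"},
                   "locations": [{"physicalLocation": {"artifactLocation": {
                       "uri": "file:///etc/passwd"}}}]}]}],
}

if __name__ == "__main__":
    print(json.dumps(sanitize_sarif(SAMPLE_LOG, "/home/alice/proj"), indent=2))
```

The pass is deliberately conservative: a message that fails any Markdown check loses its `markdown` property entirely rather than being "cleaned", since partial HTML stripping is where renderer bypasses usually live, and a location that cannot be made relative to the configured source root is reduced to its file name so that neither the directory layout nor the host name of the scanning machine leaves the site.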