OASIS Static Analysis Results Interchange Format (SARIF) TC

  • 1.  #381: threadFlowLocation "helper rules"

    Posted 04-25-2019 22:19
    I created and merged a change draft for Yekaterina’s Issue #381, “Associate descriptor metadata with thread flow locations”:

    https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/Accepted/sarif-v2.0-issue-381-helper-rules.docx

    Please take a look. The entire change is pasted below.

    Yekaterina and Michael: There is a subtle point that I want to discuss in a separate email. It might result in a small change to what I wrote.

    Next is Issue #387: “anyOf externalPropertyFileReference location or guid is required”.

    Thanks,
    Larry

    3.37.14 taxa property

    A threadFlowLocation MAY contain a property named taxa whose value is an array of zero or more unique (§3.7.3) reportingDescriptorReference objects, each of which specifies a category into which this threadFlowLocation falls.

    NOTE: The motivation for this property is a tool that uses a set of rules to guide its analysis as it traces tainted data from a source to a sink. For example, at one location, the tool might apply a rule that says: “If the input to String.Substr is tainted, then so is the return value.” Such a tool can represent these “helper rules” as a custom taxonomy (§3.19.3), an array of reportingDescriptor objects (§3.48). Each member of threadFlowLocation.taxa can reference one of these helper rules.

    EXAMPLE: This example illustrates the scenario in the above note.

    {                                # A run object (§3.14).
      "tool": {                      # See §3.14.6.
        "driver": {
          "name": "TaintDetector",
          "rules": [
            {
              "id": "TD0001",
              "name": "UntrustedDataStoredInDatabase",
              "shortDescription": {
                "text": "Data from an untrusted source was stored in a database."
              }
            },
            ...
          ],
          "taxa": [                  # Custom taxonomy (§3.19.3) for helper rules.
            {                        # A reportingDescriptor object (§3.48).
              "id": "HR0001",
              "name": "SubstrPropogatesTaint",
              "shortDescription": {
                "text": "If the input to String.Substr is tainted, so is the return value."
              }
            },
            ...
          ]
        }
      },
      "results": [                   # See §3.14.22.
        {                            # A result object (§3.26).
          "ruleId": "TD0001",
          ...
          "codeFlows": [             # See §3.26.18.
            {                        # A codeFlow object (§3.35).
              "threadFlows": [       # See §3.35.3.
                {                    # A threadFlow object (§3.36).
                  "locations": [     # See §3.36.6.
                    ...
                    {                # A threadFlowLocation object.
                      "location": {  # See §3.37.3.
                        "physicalLocation": {
                          "artifactLocation": {
                            "uri": "io/input.c",
                            "uriBaseId": "SRCROOT"
                          },
                          "region": {
                            "startLine": 32
                          }
                        }
                      },
                      "taxa": [
                        {            # A reportingDescriptorReference object (§3.51).
                          "id": "TD0001",
                          "index": 0
                        }
                      ]
                    },
                    ...
                  ]
                }
              ]
            }
          ]
        }
      ]
    }


  • 2.  RE: #381: threadFlowLocation "helper rules"

    Posted 04-26-2019 16:22
    A couple of comments:

    - In the draft, there is a sentence: “Such a can represent these “helper rules” as a custom taxonomy (§3.19.3), an array of reportingDescriptor objects (§3.48).” It should be: “Such a tool can represent these “helper rules” as a custom taxonomy (§3.19.3), an array of reportingDescriptor objects (§3.48).”

    - Also, shouldn’t the threadFlowLocation in the example reference rule “HR0001” instead of rule “TD0001”?

    Thanks!
    k

    From: sarif@lists.oasis-open.org [mailto:sarif@lists.oasis-open.org] On Behalf Of Larry Golding (Myriad Consulting Inc)
    Sent: Thursday, April 25, 2019 3:19 PM
    To: OASIS SARIF TC Discussion List <sarif@lists.oasis-open.org>
    Cc: Harleen Kaur Kohli <harleen.kohli@microsoft.com>
    Subject: [sarif] #381: threadFlowLocation "helper rules"
    Importance: High
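To make the reference-resolution rule concrete, here is an added Python example; it is not code from this thread, from the SARIF specification, or from any SARIF tool. It walks every threadFlowLocation in a run and resolves each entry of its taxa array against tool.driver.taxa, under the assumption (the rule the spec applies to reportingDescriptorReference objects generally) that when index is present it selects the descriptor at that position in the referenced array, and that when id is also present the two must agree. The run it builds is a constructed skeleton of the #381 draft example, and sample_run, resolve_taxon and check_thread_flow_taxa are this example's own names. Run with the reference exactly as posted ({"id": "TD0001", "index": 0}) it reports the mismatch raised in the reply above, since TD0001 lives in driver.rules rather than driver.taxa; with {"id": "HR0001", "index": 0} it resolves to the SubstrPropogatesTaint helper rule.

```python
"""Resolve threadFlowLocation.taxa references against tool.driver.taxa.

Added example, not part of the SARIF TC thread or specification. Only the
driver's own taxa are searched; references into extensions (toolComponent)
or by guid are outside its scope.
"""
import json


def sample_run(taxa_ref):
    """Constructed SARIF run shaped like the #381 change draft.

    taxa_ref is the reportingDescriptorReference placed in the single
    threadFlowLocation, so the same skeleton can carry the reference as
    posted or the corrected one.
    """
    loc = {"physicalLocation": {
        "artifactLocation": {"uri": "io/input.c", "uriBaseId": "SRCROOT"},
        "region": {"startLine": 32}}}
    tfl = {"location": loc, "taxa": [taxa_ref]}
    return {
        "tool": {"driver": {
            "name": "TaintDetector",
            "rules": [{"id": "TD0001", "name": "UntrustedDataStoredInDatabase"}],
            "taxa": [{"id": "HR0001", "name": "SubstrPropogatesTaint"}],
        }},
        "results": [{"ruleId": "TD0001",
                     "codeFlows": [{"threadFlows": [{"locations": [tfl]}]}]}],
    }


def resolve_taxon(driver, ref):
    """Return the driver.taxa descriptor that ref points at, or raise ValueError.

    index, when present, selects the descriptor; id, when also present, must
    match that descriptor's id. With only an id, exactly one taxon must carry it.
    """
    taxa = driver.get("taxa", [])
    rule_ids = {r.get("id") for r in driver.get("rules", [])}
    if "index" in ref:
        idx = ref["index"]
        if not isinstance(idx, int) or not 0 <= idx < len(taxa):
            raise ValueError(f"index {idx!r} is outside driver.taxa (len {len(taxa)})")
        desc = taxa[idx]
        if "id" in ref and ref["id"] != desc.get("id"):
            hint = ""
            if ref["id"] in rule_ids:  # the exact slip in the draft example
                hint = (f"; {ref['id']!r} is an analysis rule in driver.rules, "
                        "not a helper rule in driver.taxa")
            raise ValueError(f"id {ref['id']!r} does not match "
                             f"driver.taxa[{idx}].id {desc.get('id')!r}{hint}")
        return desc
    if "id" in ref:
        matches = [d for d in taxa if d.get("id") == ref["id"]]
        if len(matches) != 1:
            raise ValueError(f"id {ref['id']!r} matches {len(matches)} taxa, expected 1")
        return matches[0]
    raise ValueError("reference carries neither id nor index")


def check_thread_flow_taxa(run):
    """Resolve the taxa of every threadFlowLocation in every codeFlow of run.

    Returns (resolved, errors): resolved holds (uri, startLine, taxon id)
    tuples for references that resolve, errors one message per reference
    that does not.
    """
    driver = run["tool"]["driver"]
    resolved, errors = [], []
    for r_idx, result in enumerate(run.get("results", [])):
        for cf in result.get("codeFlows", []):
            for tf in cf.get("threadFlows", []):
                for l_idx, tfl in enumerate(tf.get("locations", [])):
                    phys = tfl.get("location", {}).get("physicalLocation", {})
                    uri = phys.get("artifactLocation", {}).get("uri")
                    line = phys.get("region", {}).get("startLine")
                    for ref in tfl.get("taxa", []):
                        try:
                            desc = resolve_taxon(driver, ref)
                        except ValueError as exc:
                            errors.append(f"results[{r_idx}] threadFlowLocation"
                                          f"[{l_idx}] ({uri}:{line}): {exc}")
                        else:
                            resolved.append((uri, line, desc["id"]))
    return resolved, errors


if __name__ == "__main__":
    for ref in ({"id": "TD0001", "index": 0}, {"id": "HR0001", "index": 0}):
        ok, bad = check_thread_flow_taxa(sample_run(ref))
        print(json.dumps(ref), "->", ok or bad)
```

The id/index cross-check is the part worth keeping in any SARIF consumer: a reference that names a rule id but indexes into the taxa array is silently accepted by a loader that trusts only the index, and the helper rule shown to the user would then be the wrong one.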