Members of the OASIS Static Analysis Results Interchange Format (SARIF) Technical Committee wish to register a media type associated with the recently-approved SARIF Version 2.1.0 OASIS Standard. We post the registration request form here for review before submitting it to IANA.

I am the administrative contact for OASIS for IANA registration requests. The technical contacts for this request are Michael Fanning (mikefan@microsoft.com) and David Keaton (dmk@dmk.com). They are tasked by the OASIS SARIF TC to provide any additional information or answers to questions that you may have.

Thank you in advance for your comments and feedback.

/chet ensign
OASIS Open, Inc.

IETF RFC6838 Section 5.6. Registration Template
https://tools.ietf.org/html/rfc6838#section-5.6

---

Type name: application

Subtype name: sarif-external-properties+json

Required parameters: N/A

Optional parameters: N/A

Encoding considerations: Binary: UTF8-encoded text only

Security considerations:

- Since SARIF external property files are serialized as JSON, they are subject to the same security vulnerabilities as any JSON file.

- The SARIF external property file format captures results from static analysis tools. Such analysis might disclose information about software vulnerabilities. Therefore SARIF external property file contents can be extremely sensitive, requiring external privacy and integrity protection. Even when the analysis results themselves are not sensitive, SARIF external property files can have other security issues:

  - SARIF external property files can embed the contents of the programming artifacts (such as source or binary files) that were analyzed. Such content can be of any type and may include compressed material, with all their associated vulnerabilities.

  - SARIF external property files can refer to programming artifacts through arbitrary URIs, with all their associated vulnerabilities.

  - SARIF external property files produced by web site analysis tools can contain the full contents of the web requests sent by the tool, and the resulting web responses. The contents of the requests and responses can be of any type, with the associated vulnerabilities of those types.

  - The use of absolute paths in analysis result location URIs might reveal sensitive information about the machine on which the scan was performed.

  - The use of the hostname component in analysis result location URIs might reveal the network location of the machine on which the scan was performed.

  - The use of raw HTML in message strings expressed in Markdown might allow arbitrary code execution (for example, through javascript: links).

  - Any other vulnerabilities associated with Markdown can be leveraged to attack a SARIF processor. For example, the use of deeply nested constructs in Markdown message strings might lead to stack overflow in some Markdown implementations.

  - Certain properties of the SARIF object model might reveal information about the machine on which a scan was run. (The specification allows such properties to be omitted or "redacted".)

  - SARIF external property files can contain information about how the analysis tool was invoked, including the command line that was executed. This can contain arbitrary commands which might damage a machine on which they are run.

  - SARIF external property files can contain information about when the analysis tool was invoked. An attacker might be able to deduce how frequently scans are run, and therefore might be able to make a malicious change and then revert it before the next scan detects the problem.

  - SARIF external property files can contain information about errors encountered by the analysis tool, including its exit code. This can allow an attacker to craft input to attack the analysis tool.

Interoperability considerations: N/A

Published specification: Static Analysis Results Interchange Format (SARIF) Version 2.1.0. Edited by Michael C. Fanning and Laurence J. Golding. 27 March 2020. OASIS Standard. https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html. Latest stage: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html.

Applications that use this media type: The following list is not exhaustive:

- Static analysis tools
- Static analysis results visualization tools (viewers)
- Bug filing tools
- Defect databases
- Compliance systems

Fragment identifier considerations: N/A

Additional information:

  Deprecated alias names for this type: N/A
  Magic number(s): N/A
  File extension(s): .sarif-external-properties, .sarif-external-properties.json
  Macintosh file type code(s): N/A

Person & email address to contact for further information: Michael C. Fanning (mikefan@microsoft.com) and David Keaton (dmk@dmk.com)

Intended usage: COMMON

Restrictions on usage: N/A

Author: Static Analysis Results Interchange Format (SARIF) TC (https://www.oasis-open.org/committees/sarif)

Change controller: OASIS Open (https://www.oasis-open.org/)

--
Chet Ensign
Chief Technical Community Steward
OASIS Open
+1 201-341-1393
chet.ensign@oasis-open.org
www.oasis-open.org
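Several of the risks listed under Security considerations above (absolute paths and host names in location URIs, embedded artifact contents, recorded command lines, raw HTML in Markdown messages) can be checked mechanically before an external property file leaves the machine it was produced on. The script below is an added example, not part of the registration or of any SARIF TC tooling; it assumes the SARIF 2.1.0 property names invocations[].commandLine, artifacts[].location.uri, artifacts[].contents, results[].message.markdown and results[].locations[].physicalLocation.artifactLocation.uri, and the sample document it reviews is constructed.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of a SARIF 2.1.0 external property file; not from any real scan.
SAMPLE = json.dumps({
    "version": "2.1.0",
    "invocations": [{"commandLine": "analyzer --all /home/alice/proj"}],
    "artifacts": [{"location": {"uri": "file:///home/alice/proj/a.c"},
                   "contents": {"text": "int main(void) { return 0; }"}}],
    "results": [
        {"message": {"markdown": "See <a href=\"javascript:void(0)\">here</a>"},
         "locations": [{"physicalLocation": {"artifactLocation": {
             "uri": "file://build-host.internal/src/a.c"}}}]},
        {"message": {"markdown": "Plain *Markdown* only"},  # clean result, no finding
         "locations": [{"physicalLocation": {"artifactLocation": {
             "uri": "src/b.c", "uriBaseId": "SRCROOT"}}}]},
    ],
})

HTML_TAG = re.compile(r"<[A-Za-z/][^>]*>")  # any raw HTML tag inside a Markdown string

def uri_findings(uri):
    """Flag URIs that carry a host name or an absolute path (machine disclosure)."""
    parsed = urlparse(uri)
    found = []
    if parsed.netloc:
        found.append("hostname:" + parsed.netloc)
    path = parsed.path if parsed.scheme else uri
    if path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", uri):
        found.append("absolute-path:" + uri)
    return found

def review(text):
    """Return the disclosure/injection findings for one external property file."""
    doc = json.loads(text)
    findings = []
    for inv in doc.get("invocations", []):
        if "commandLine" in inv:  # recorded command lines may leak paths or secrets
            findings.append("command-line:" + inv["commandLine"])
    for art in doc.get("artifacts", []):
        uri = art.get("location", {}).get("uri", "")
        if "contents" in art:  # embedded source/binary travels with the log
            findings.append("embedded-contents:" + uri)
        findings += uri_findings(uri)
    for res in doc.get("results", []):
        tag = HTML_TAG.search(res.get("message", {}).get("markdown", ""))
        if tag:  # raw HTML must not reach a renderer unescaped
            findings.append("raw-html:" + tag.group(0))
        for loc in res.get("locations", []):
            findings += uri_findings(loc.get("physicalLocation", {})
                                     .get("artifactLocation", {}).get("uri", ""))
    return findings
```

Relative URIs resolved through uriBaseId, as in the second result, produce no finding, which is the form the specification recommends for shareable logs.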