OASIS Static Analysis Results Interchange Format (SARIF) TC

Corrected chat trace from Day 1

    Posted 02-02-2018 00:30
anonymous morphed into Paul Anderson
anonymous morphed into Mel Llaguno
anonymous morphed into Larry Golding
Please change your name from 'anonymous' using the Settings button
anonymous morphed into [Co-Chair] David Keaton
[Co-Chair] David Keaton: Agenda: https://www.oasis-open.org/apps/org/workgroup/sarif/download.php/62407/agenda_20180131.html
anonymous morphed into Michael C. Fanning
[Co-Chair] David Keaton: Audio: https://meet.lync.com/microsoft/mikefan/5YKRT9B8
[Co-Chair] David Keaton: Agenda approved
[Co-Chair] David Keaton: Previous minutes approved
Michael C. Fanning: Motion by Larry to approve agenda
Michael C. Fanning: Paul seconds
Michael C. Fanning: Motion to approve minutes by Larry
Michael C. Fanning: Luke seconds, no discussion, motion approved
Michael C. Fanning: Previous actions, collect data on code flow, completed
Michael C. Fanning: Waiting on Nikolai re: proposal for rank
Michael C. Fanning: Larry filed required JSON issues as discussed in previous meeting
Michael C. Fanning: Attendance taken.
Michael C. Fanning: Future meetings, next discussion 2/14 at the usual time (9:30 PST)
[Co-Chair] David Keaton: Hoping to set Committee Specification Draft schedule during this meeting
[Co-Chair] David Keaton: Editor's report discussed
[Co-Chair] David Keaton: 4.1 Issues - will get as far as we can this morning, then overflow to same time slot tomorrow
[Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/47
[Co-Chair] David Keaton: Outside scope
[Co-Chair] David Keaton: Larry's drawing:
[Co-Chair] David Keaton: runs: [
[Co-Chair] David Keaton: {
[Co-Chair] David Keaton: files: {
[Co-Chair] David Keaton: "someURL": {
[Co-Chair] David Keaton: mimeType
[Co-Chair] David Keaton: contents:
[Co-Chair] David Keaton: hashes: {
[Co-Chair] David Keaton: SHA-1: ...
[Co-Chair] David Keaton: That is where the hash would go in Larry's proposal.
[Co-Chair] David Keaton: Original #47 was outside scope, but led to this discussion of hashing the source file
[Co-Chair] David Keaton: Paul discussed use case for #47: wanting to assure that SARIF output of his tool was not tampered with
[Co-Chair] David Keaton: Paul's other use case: combining signed SARIF files would not invalidate the individual signatures
[Co-Chair] David Keaton: Larry proposes labeling #47 "future" (later version of the standard) and "results management"
[Co-Chair] David Keaton: *** ACTION: Michael will file an issue to make sure this is discussed in security section of standard, even though the full #47 is out of scope
[Co-Chair] David Keaton: *** DECISION: Label #47 "future" and "results management"
[Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/78
[Co-Chair] David Keaton: *** DECISION: Adopt #78 but amended to replace "do not" with "avoid"
[Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/63
[Co-Chair] David Keaton: #63 is based on RFC 3986. Jim proposes going further and normalizing the full path.
[Co-Chair] David Keaton: *** DECISION: Tabled until this time slot tomorrow
[Co-Chair] David Keaton: *** ACTION: Larry to decide what result is to be proposed
[Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/66
[Co-Chair] David Keaton: End of this session for today. To be continued in the same time slot tomorrow.
[Co-Chair] David Keaton: Break until 10:40
[Co-Chair] David Keaton: 5.1 Luke's demo
[Co-Chair] David Keaton: 5.2 Katrina's demo
[Co-Chair] David Keaton: 5.3 Mel's demo
[Co-Chair] David Keaton: 6.1 Breakout sessions?
[Co-Chair] David Keaton: Return from lunch
[Co-Chair] David Keaton: 11.1 (as agreed) Paul's demo
[Co-Chair] David Keaton: 6.1 Code flows
[Co-Chair] David Keaton: What needs to be addressed?
[Co-Chair] David Keaton: Mel: Event tree - conceptual structure
[Co-Chair] David Keaton: Katrina: Types of taint
[Co-Chair] David Keaton: Michael: Exception types (annotated code location kind)
[Co-Chair] David Keaton: Katrina: What is a message vs. description vs. annotation?
[Co-Chair] David Keaton: Katrina: External entries (sort of code flows but not really) - URLs
[Co-Chair] David Keaton: Katrina: Multiple paths
[Co-Chair] David Keaton: Jim: Implicit code execution such as macros
[Co-Chair] David Keaton: Jim: Generic code/lambdas
[Co-Chair] David Keaton: Jim: Assertions about variable values
[Co-Chair] David Keaton: Henny: Bottom-up propagation of properties
[Co-Chair] David Keaton: Michael: Event links
[Co-Chair] David Keaton: Paul: Taint kinds
[Co-Chair] David Keaton: Paul: Threads - separate flows
[Co-Chair] David Keaton: Paul: Data marked as coming from a model?
[Co-Chair] David Keaton: Paul: Names e.g. functions - Larry: SARIF can handle logical code locations like this
[Co-Chair] David Keaton: Paul: Fan-in not important
[Co-Chair] David Keaton: Luke: Type of code flow items e.g. call is both node and edge
[Co-Chair] David Keaton: Luke: Target of code flows
[Co-Chair] David Keaton: Luke: Right selection of kinds?
[Co-Chair] David Keaton: Amended agenda to time box & run through remaining 4.2 issues
[Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/66
[Co-Chair] David Keaton: Jim: Default URI as fallback if not in result
[Co-Chair] David Keaton: Jim: May be more than one file that represents a result
[Co-Chair] David Keaton: *** ACTION: Larry & Jim will revise #66 proposal for tomorrow *** DONE!
[Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/75
[Co-Chair] David Keaton: *** ACTION: Larry to remove the word "unique" and submit for review
[Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/64
[Co-Chair] David Keaton: Paul: Dictionary of dictionaries?
[Co-Chair] David Keaton: *** ACTION: Larry to flesh out for next teleconference
[Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/76
[Co-Chair] David Keaton: *** ACTION: Larry to specify UTF-8 for next teleconference
[Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/59
[Co-Chair] David Keaton: Not already covered by #56
[Co-Chair] David Keaton: Henny: Propose alternative to the level property
[Co-Chair] David Keaton: Defer until after Henny's demo
[Co-Chair] David Keaton: Proposal: Add a new level: open (uncertain)
[Co-Chair] David Keaton: *** ACTION: Larry to add "open" level and wordsmith for next teleconference (#81)
[Co-Chair] David Keaton: *** ACTION: Michael review Polyspace designations to make sure they overlay in a seamless way
[Co-Chair] David Keaton: *** ACTION: Larry to define labels "CSD", "future", "results management" *** DONE!
[Co-Chair] David Keaton: Mel: Add "metrics" label
[Co-Chair] David Keaton: *** ACTION: Larry to open an issue to track metrics *** DONE! (#44)
[Co-Chair] David Keaton: Metrics in CSD, results management for a later version?
[Co-Chair] David Keaton: *** ACTION: Paul will submit a proposal for metrics. *** DONE!