OASIS Static Analysis Results Interchange Format (SARIF) TC

  • 1.  Corrected chat trace for Day 2

    Posted 02-02-2018 01:36
    Pooya Mehregan: Has the meeting started yet?
    Larry Golding: Not quite
    Please change your name from 'anonymous' using the Settings button
    anonymous morphed into [Co-Chair] David Keaton
    [Co-Chair] David Keaton: Audio: https://meet.lync.com/microsoft/mikefan/RVLT09SG
    [Co-Chair] David Keaton: The agenda was just updated a second time. Please download the new one. Its title is "Revised**2 Agenda".
    [Co-Chair] David Keaton: https://www.oasis-open.org/apps/org/workgroup/sarif/download.php/62431/agenda_20180131.html
    [Co-Chair] David Keaton: 11.2 James: SWAMP demo
    [Co-Chair] David Keaton: 11.3 Larry: SARIF Viewer for Visual Studio demo
    [Co-Chair] David Keaton: Consider a "future" issue for localization
    [Co-Chair] David Keaton: 11.4 Henny: Kestrel demo
    [Co-Chair] David Keaton: Break until 10:40, then review data files
    [Co-Chair] David Keaton: 11.5 Review data files
    [Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/tree/master/Tool%20Samples
    [Co-Chair] David Keaton: Review data files until 11:00
    [Co-Chair] David Keaton: Discussed items found in data files
    [Co-Chair] David Keaton: Detailed review of CodeSonar data guided by Paul
    [Co-Chair] David Keaton: Anyone who wants to preserve a need they observed during the data file review, please type an abbreviated line about it in the chat trace.
    Michael C. Fanning1: New issue to consider: when specifying a code snippet, do we need a broader range for the snippet, then a more specific region of interest in the snippet?
    Michael C. Fanning1: Does the call return code flow kind allow sufficient expressiveness to reflect a value that changes as a result of being passed as a reference/out arg?
    Michael C. Fanning1: Should SARIF carry information suitable for debugging a code flow (that, for example, returns a false positive) in addition to the information intended to literally be examined/diagnosed by the user?
    Michael C. Fanning1 morphed into Michael C. Fanning
    [Co-Chair] David Keaton: Break for lunch until 13:30
    [Co-Chair] David Keaton: 12.1 (10.1 Enable traceability from converted SARIF file to original analysis tool log file [#66])
    [Co-Chair] David Keaton: https://github.com/oasis-tcs/sarif-spec/issues/66
    [Co-Chair] David Keaton: What to do with "region" if the region is the whole file?
    [Co-Chair] David Keaton: Does absence of the "region" object mean the whole file?
    [Co-Chair] David Keaton: *** ACTION: Larry to write text to implement #66 and submit for review.
    [Co-Chair] David Keaton: 12.1 (10.3 Code flow enhancement items raised yesterday)
    [Co-Chair] David Keaton: Which items are most important for us to address?
    [Co-Chair] David Keaton: Michael: Luke's type of code flow items, e.g. call is both node and edge
    [Co-Chair] David Keaton: Michael: Michael's event links
    [Co-Chair] David Keaton: Luke: Right selection of kinds?
    [Co-Chair] David Keaton: Michael: Exception types (annotated code location kind)
    [Co-Chair] David Keaton: Jim: Implicit code execution such as macros
    [Co-Chair] David Keaton: Paul: Threads - separate flows
    [Co-Chair] David Keaton: Deep dive: Luke: Type of code flow items, e.g. call is both node and edge
    [Co-Chair] David Keaton: 12.2 Walk through issues and determine which will be in Committee Specification Draft
    [Co-Chair] David Keaton: CSD.1 tag applied to all GitHub issues that must be addressed before the first Committee Specification Draft
    [Co-Chair] David Keaton: #80 can be "addressed" by discussing it and implementing part of it
    [Co-Chair] David Keaton: *** ACTION: Larry and David will discuss citations for the list of hash algorithms.
    [Co-Chair] David Keaton: 12.3 Results management discussion
    [Co-Chair] David Keaton: Michael: Want to discuss guiding principles for how much of this should be part of SARIF
    [Co-Chair] David Keaton: Items to consider: Validity, Confidence, Severity, Scheduling
    [Co-Chair] David Keaton: ID field, fingerprint, suppression state are what we need. The rest can be built outside of SARIF.
    [Co-Chair] David Keaton: 13. Discuss Next Steps
    [Co-Chair] David Keaton: Agree to hold more discussions on the GitHub issues.
    [Co-Chair] David Keaton: Everybody should "Watch" the SARIF repo so they will see all the discussions.
    [Co-Chair] David Keaton: Plan: Editorial committee meetings next week and two weeks later.
    [Co-Chair] David Keaton: Changed Plan: Two editorial committee meetings, schedule TBD.
    [Co-Chair] David Keaton: *** DECISION: Two SARIF TC teleconferences, then CSD 1.
    [Co-Chair] David Keaton: *** DECISION: SARIF TC teleconference on February 28th at the usual time.
    [Co-Chair] David Keaton: *** ACTION: Michael will file an issue on Jim's concern about parsing paths that include . and .. *** DONE! (#86)
    [Co-Chair] David Keaton: *** DECISION: We will address all issues marked CSD.1 for the first Committee Specification Draft and will not address any issues not marked CSD.1 for the first CSD.
    [Co-Chair] David Keaton: *** DECISION: We will not address any results management issues except instance ID in CSD.1.


  • 2.  Re: [sarif] Corrected chat trace for Day 2

    Posted 02-02-2018 12:28
    I tried to join several times yesterday.
    ------------
    Kevin E. Greene (KevEG)
    The MITRE Corporation

    On 2/1/18, 8:35 PM, "sarif@lists.oasis-open.org on behalf of David Keaton" <sarif@lists.oasis-open.org on behalf of dmk@dmk.com> wrote:


  • 3.  Re: [sarif] Corrected chat trace for Day 2

    Posted 02-02-2018 16:54
    Kevin,

    Hi. Sorry to hear about the difficulty. Would you mind replying to me privately and letting me know where the problem was? Is it possible that you accidentally used the previous day's Skype link, or was there a technical problem that we need to look into? (I'm just including the list so everyone knows that your issue is being dealt with.)

    David

    On 02/02/2018 04:27 AM, Greene, Kevin E. wrote:
    I tried to join several times yesterday.
    ------------
    Kevin E. Greene (KevEG)
    The MITRE Corporation