OASIS Static Analysis Results Interchange Format (SARIF) TC

RE: continuing the discussion from today's meeting

  • 1.  RE: continuing the discussion from today's meeting

    Posted 03-29-2021 15:07
Sent from Mail for Windows 10

From: Michael Fanning
Sent: Thursday, March 25, 2021 10:10 AM
To: Yekaterina O'Neil; sarif@lists.oasis-open.org
Subject: [EXTERNAL] [sarif] RE: continuing the discussion from today's meeting

Thank you very much for offering these comments. I will ask David whether this is a way we can integrate them into the minutes.

From my perspective, +1 on all of this. Fingerprints are confusing. It's hard to document/provide guarantees on what portion of SARIF is populated. It's interesting to consider how our standards effort could help.

Your thoughts on a dynamic analysis standard are clarifying. If we can create a metastandard/core as you say and extract/separate static vs dynamic, that could be very useful. Perhaps extensions for results management could be another add-on. Finally, some sort of descriptor/manifest in the log file documenting what's persisted to it could be of general value, and perhaps we could leverage that to address how to enforce SARIF consistency (as produced by diverse tools).

Thanks again for taking the time to put this together. We'll do a better job with time management next call to ensure everyone has a chance to speak.

MCF

From: Yekaterina O'Neil
Sent: Thursday, March 25, 2021 9:24 AM
To: sarif@lists.oasis-open.org
Subject: [EXTERNAL] [sarif] continuing the discussion from today's meeting

Hi all,

I kept postponing making comments during the meeting, until we ran out of time :) So, I am going to jot them down in an e-mail, so I don't forget them before the next meeting...

Micro Focus is one of those big commercial vendors referred to on the call; however, we do understand the value of SARIF, and everyone at Fortify is bought into it. Most of our customers use several tools / vendors, so it makes perfect sense for us to support the standard. In fact, our developers are excited about potentially substituting our proprietary format with SARIF eventually, considering the performance gains it could bring. But of course, it's all a matter of priority, and, unfortunately, so far we've only implemented the ability to consume SARIF as opposed to producing it. But Alex Hoole and I keep pushing :)

Here are a couple of pieces of feedback I heard from within the organization regarding SARIF that we might want to consider in our TC discussions going forward:

  • Making sure that standards mappings and taxonomies work well within the standard.
  • Better understanding of how the standard could help with migration issues, when results generated by older versions of the tools get migrated for use with newer versions of the tools.
  • There is still confusion about fingerprints / partialFingerprints, so perhaps adding more examples of when and how exactly each of those attributes should be used would be helpful.
  • From our interaction with GitHub, it became clear that producing SARIF is easier than consuming it because other producers might have stricter (or more relaxed) usages of the standard (like it was in the case of GitHub), so is there a way to help with this?
  • Finally, everyone at Fortify feels that extending SARIF to include dynamic results does not make sense: static and dynamic results have different attributes associated with them, and lumping both sets into one standard will make it overly complex and bloated. Instead, it makes sense to abstract the common attributes into a meta-standard, and then make room for plugging in appropriate standards depending on the types of results in question. That way, we could support not just static and dynamic, but have the ability to support other types of analysis results.

Hope this makes sense.

Looking forward to working with everyone,
k
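The fingerprints / partialFingerprints confusion and the migration-across-tool-versions point raised in the thread above, as an added illustration that is not code from the SARIF TC, Micro Focus/Fortify or GitHub. A producer stamps each result with a versioned `partialFingerprints` entry computed from the source text of the primary location (not from the path and line number), and a consumer combines it with `ruleId` into a stable identity so that a finding whose line number shifts between two runs is recognised as the same finding. The key name `primaryLocationLineHash/v1`, the hashing scheme and the two SARIF runs are this example's own assumptions, constructed inline so the script runs offline.

```python
"""Illustrative SARIF fingerprinting and cross-run result matching.

Added example; not code from the SARIF TC, Fortify or GitHub. The
partialFingerprints key name "primaryLocationLineHash/v1", the hashing
scheme and the two SARIF runs below are this example's own assumptions,
constructed inline so the script runs offline.
"""
import hashlib
import json
import re

# Assumed key name; the "/v1" suffix follows SARIF's convention of versioning fingerprint names.
PF_KEY = "primaryLocationLineHash/v1"


def line_hash(source_line: str) -> str:
    """Hash the primary location's source text with whitespace collapsed.
    Path and line number are deliberately left out so the value survives
    reindentation and lines being inserted above the finding."""
    normalized = re.sub(r"\s+", " ", source_line).strip()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()[:16]


def make_result(rule_id: str, uri: str, start_line: int) -> dict:
    """Minimal SARIF result object with one physical location."""
    return {
        "ruleId": rule_id,
        "level": "warning",
        "message": {"text": f"{rule_id} triggered"},
        "locations": [{
            "physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": start_line},
            }
        }],
    }


def make_log(results: list) -> dict:
    """Minimal SARIF 2.1.0 log with a single run."""
    return {
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "example-analyzer"}}, "results": results}],
    }


def add_partial_fingerprints(log: dict, sources: dict) -> dict:
    """Producer side: stamp every result with a versioned partialFingerprints
    entry. `sources` maps artifact URI to its list of source lines (SARIF
    line numbers are 1-based; the list index is 0-based)."""
    for run in log["runs"]:
        for result in run["results"]:
            loc = result["locations"][0]["physicalLocation"]
            uri = loc["artifactLocation"]["uri"]
            line_no = loc["region"]["startLine"]
            text = sources[uri][line_no - 1]
            result.setdefault("partialFingerprints", {})[PF_KEY] = line_hash(text)
    return log


def result_key(result: dict) -> str:
    """Consumer side: combine ruleId with the partial fingerprint into one
    identity, as a results-management system would. Without a fingerprint the
    only fallback is path+line, which changes whenever the file is edited."""
    pf = result.get("partialFingerprints", {})
    if PF_KEY in pf:
        return f"{result['ruleId']}|{pf[PF_KEY]}"
    loc = result["locations"][0]["physicalLocation"]
    return f"{result['ruleId']}|{loc['artifactLocation']['uri']}|{loc['region']['startLine']}"


def diff_logs(old_log: dict, new_log: dict) -> dict:
    """Classify results across two runs as fixed, new or unchanged by key."""
    old = {result_key(r) for run in old_log["runs"] for r in run["results"]}
    new = {result_key(r) for run in new_log["runs"] for r in run["results"]}
    return {"fixed": sorted(old - new), "new": sorted(new - old), "unchanged": sorted(old & new)}


# Constructed sample: the same os.system call moves from line 3 to line 5 after
# two lines are inserted above it, and a second finding appears on line 6.
OLD_SOURCES = {"src/app.py": ["import os", "", "os.system(cmd)"]}
NEW_SOURCES = {"src/app.py": ["import os", "import subprocess", "", "", "os.system(cmd)", "eval(data)"]}


def demo(with_fingerprints: bool) -> dict:
    """Compare the two constructed runs with or without partialFingerprints."""
    old = make_log([make_result("CMD001", "src/app.py", 3)])
    new = make_log([make_result("CMD001", "src/app.py", 5),
                    make_result("EVAL001", "src/app.py", 6)])
    if with_fingerprints:
        add_partial_fingerprints(old, OLD_SOURCES)
        add_partial_fingerprints(new, NEW_SOURCES)
    return diff_logs(old, new)


if __name__ == "__main__":
    print("path+line matching:   ", json.dumps(demo(False)))
    print("fingerprint matching: ", json.dumps(demo(True)))
```

With path+line matching the shifted finding shows up as one "fixed" and one "new" result, which is the churn a results-management system sees when a newer tool version or an edited file moves locations; with the partial fingerprint it is reported as unchanged and only the genuinely new finding is flagged. The same split is what distinguishes the two attributes: `partialFingerprints` carries components like this one for the consumer to combine, while `fingerprints` is reserved for a value the producer already guarantees to be unique and stable on its own.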