[18:20] Room information was updated by: Stefan Hagen

# October 11, 2017 MEETING #4 OF OASIS SARIF TC

Meeting Member URL:
- URL = https://www.oasis-open.org/apps/org/workgroup/sarif/event.php?event_id=46072
- Please use starting approx. 15 minutes before the meeting for self registration. Thanks.
- Self registration deep link (as a service):
  - https://www.oasis-open.org/apps/org/workgroup/sarif/record_my_attendance.php?event_id=46072&confirmed=1

Agenda-Draft-EMail:
- E-Mail Public URL = https://lists.oasis-open.org/archives/sarif/201710/msg00001.html

Agenda-Draft:
- Document URL: https://www.oasis-open.org/committees/download.php/61745/agenda_20171011.html

# Agenda for October 11, 2017 MEETING #4 OF OASIS SARIF TC

-------------------------------------

## Time

16:30-18:30 UTC (09:30-11:30 PDT, 12:30-14:30 EDT, 18:30-20:30 CEST)

(Other timezone? Try eg. https://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=10&day=11&hour=16&min=30&sec=0&p1=47&p2=69&p3=179 )

## Meeting Chat

Location URL: http://webconf.soaphub.org/conf/room/sarif

## Meeting Audio

- Skype for Business meeting link:
  - URL: https://meet.lync.com/microsoft/mikefan/186L6QQK

1. Opening Activities
   1.1 Opening comments (Co-Chair Keaton)
   1.2 Introduction of participants/roll call (Co-Chair Cartey)
   1.3 Procedures for this meeting (Co-Chair Keaton)
   1.4 Approval of agenda (Co-Chair Keaton)
       URL = https://www.oasis-open.org/committees/download.php/61745/agenda_20171011.html
   1.5 Approval of previous minutes [Minutes of 2017-09-27 Meeting#3] (Co-Chair Keaton)
       URL = https://www.oasis-open.org/committees/download.php/61664/sarif-minutes-20170927-meeting-3.html
   1.6 Review of action items and resolutions (Secretary Hagen)
       - Officers to create the meetings for the agreed meeting times
         Status: Ongoing (Done for today)
       - Michael to accept/merge the pull request https://github.com/oasis-tcs/sarif-spec/pull/45 to expose these principles as agreed
         Status: Completed (pull request merged)
       - Laurence to investigate which safe and widely used flavour of markdown we might use
         Status: Reported as https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/sarif-v1.0-issue-33-gfm.docx
         Details: Further information in mail https://lists.oasis-open.org/archives/sarif/201710/msg00003.html
       - Michael to amend the Issue #14 - Should we allow file identity to be specified by reference to a commit... with results from the meeting discussion
         Status: Ongoing
       - Michael to compare a couple of embedding strategies for those location info relating also to cross referencing
         Status: Ongoing
       - Michael will combine notes he took and the minutes as inputs to integrate them in the issues
         Status: Ongoing
       - Laurence aggregates a taxonomy proposal
         Status: Reported as https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/sarif-v1.0-issue-3-taxonomies.docx
         Details: Further Information in mail https://lists.oasis-open.org/archives/sarif/201710/201710/msg00002.html
   1.7 Identification of SARIF TC voting members (Co-Chair Cartey)
       1.7.1 Prospective members attending their first meeting
       1.7.2 Members attaining voting rights at the end of this meeting
       1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
       1.7.4 Members who previously lost voting rights who are attending this meeting
       1.7.5 Members who have declared a leave of absence
2. Future Meetings
   2.1 Future meeting schedule (Co-Chair Keaton)
       Teleconferences (Wednesdays at 09:30 Pacific): October 25, November 8, November 29, December 13, January 10
       Face-to-face meeting January 22-23 (tentative)
3. Document review
   3.1 Begin reviewing the working draft from the beginning, collecting questions and comments (Co-Editor Fanning)
4. Other Business
5. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)
   5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
   5.2 Review of Decisions Reached (Secretary Hagen)
   5.3 Review of Action Items (Secretary Hagen)
6. Next Meeting
   October 25, 2017 / 09:30-11:30 PDT / 16:30-18:30 UTC
7. Adjournment

--------------------------------------------------------------------------

[18:34] Stefan Hagen: Meeting starts
[18:34] Stefan Hagen: 1. Opening Activities
1.1 Opening comments (Co-Chair Keaton)
[18:37] Stefan Hagen: 1.2 Introduction of participants/roll call (Co-Chair Cartey)
[18:40] Stefan Hagen: Andrew Brown on the call
[18:40] Stefan Hagen: Voting Members: 14 of 19 (73%) (used for quorum calculation)
[18:40] Stefan Hagen: 1.3 Procedures for this meeting (Co-Chair Keaton)
[18:40] Stefan Hagen: 1.4 Approval of agenda (Co-Chair Keaton)
URL =
https://www.oasis-open.org/committees/download.php/61745/agenda_20171011.html
[18:41] Stefan Hagen: Laurence moves to approve, Michael seconds
[18:41] Stefan Hagen: Laurence moves to amend
[18:41] Laurence J. Golding: 3. Announcements (Co-Editor Fanning)
4. Discuss Issue 33 https://github.com/oasis-tcs/sarif-spec/issues/33 Should we allow formatting in messages?
5. Discuss Issue 56 https://github.com/oasis-tcs/sarif-spec/issues/56 Consider adding namespaces to tags
6. Discuss Issue 57 https://github.com/oasis-tcs/sarif-spec/issues/57 Consider URL protocol to reference internal files and provide an associated region
7. Discuss Issue 58 https://github.com/oasis-tcs/sarif-spec/issues/58 Consider adding 'rank' or 'probability' property
8. Discuss Issue 27: https://github.com/oasis-tcs/sarif-spec/issues/27 Add 'help' property to rule object
9. Discuss Issue 55: https://github.com/oasis-tcs/sarif-spec/issues/55 Consider restructuring SARIF to be location, not results-focused
[18:42] Stefan Hagen: Michael seconds
[18:43] Stefan Hagen: No discussion, no objections, the motion is thus amended
[18:44] Stefan Hagen: Henny moves to amend the agenda: 5.17.4 level discussion
[18:44] Stefan Hagen: Michael seconds
[18:44] Stefan Hagen: No discussion, no objections, so ordered.
[18:47] Stefan Hagen: No discussion on agenda as amended, no objections to adopt as amended, the amended agenda is adopted
[18:47] Stefan Hagen: 1.5 Approval of previous minutes [Minutes of 2017-09-27 Meeting#3] (Co-Chair Keaton)
URL = https://www.oasis-open.org/committees/download.php/61664/sarif-minutes-20170927-meeting-3.html
[18:47] Stefan Hagen: Stefan moves to approve, Michael seconds
[18:48] Stefan Hagen: No discussion, no objections, the minutes are approved unchanged as published
[18:48] Stefan Hagen: 1.6 Review of action items and resolutions (Secretary Hagen)
- Officers to create the meetings for the agreed meeting times
  Status: Ongoing (Done for today)
- Michael to accept/merge the pull request https://github.com/oasis-tcs/sarif-spec/pull/45 to expose these principles as agreed
  Status: Completed (pull request merged)
- Laurence to investigate which safe and widely used flavour of markdown we might use
  Status: Reported as https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/sarif-v1.0-issue-33-gfm.docx
  Details: Further information in mail https://lists.oasis-open.org/archives/sarif/201710/msg00003.html
- Michael to amend the Issue #14 - Should we allow file identity to be specified by reference to a commit... with results from the meeting discussion
  Status: Ongoing
- Michael to compare a couple of embedding strategies for those location info relating also to cross referencing
  Status: Ongoing
- Michael will combine notes he took and the minutes as inputs to integrate them in the issues
  Status: Ongoing
- Laurence aggregates a taxonomy proposal
  Status: Reported as https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/sarif-v1.0-issue-3-taxonomies.docx
  Details: Further Information in mail https://lists.oasis-open.org/archives/sarif/201710/201710/msg00002.html
[18:50] Stefan Hagen: 1.7 Identification of SARIF TC voting members (Co-Chair Cartey)
1.7.1 Prospective members attending their first meeting
[18:50] Stefan Hagen: None
[18:51] Stefan Hagen: 1.7.2 Members attaining voting rights at the end of this meeting
[18:51] Stefan Hagen: Ken will become voting member at the end of the meeting
[18:51] Stefan Hagen: 1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
[18:51] Stefan Hagen: Someone look at roster, scribe lost sync
[18:51] Stefan Hagen: 1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
1.7.4 Members who previously lost voting rights who are attending this meeting
1.7.5 Members who have declared a leave of absence
2. Future Meetings
2.1 Future meeting schedule (Co-Chair Keaton)
Teleconferences (Wednesdays at 09:30 Pacific): October 25, November 8, November 29, December 13, January 10
Face-to-face meeting January 22-23 (tentative)
[18:52] Stefan Hagen: 3. Announcements (Co-Editor Fanning)
[18:52] Paul Anderson: Correction to last URL:
https://lists.oasis-open.org/archives/sarif/201710/msg00002.html
[18:52] Stefan Hagen: @Paul: Thanks
[18:53] Stefan Hagen: Michael went through lots of issues and merged in the notes and updated the status of some
[18:53] Stefan Hagen: Michael reports of a "bucket-bug" #48 https://github.com/oasis-tcs/sarif-spec/issues/48
[18:54] Stefan Hagen: Michael: reports source control repository rendering is still in analysis and kindly asks for Atlassian experts to check back
[18:55] Stefan Hagen: Michael: Proposal on fingerprinting and asks members to collaborate on this one
[18:56] Stefan Hagen: Michael reports from newly raised issues: metrics on log files - should the format be location focused? Proposal only touch this to leave time for the discussion on the issue Henny raised
[18:56] Stefan Hagen: 4. Discuss Issue 33 https://github.com/oasis-tcs/sarif-spec/issues/33 Should we allow formatting in messages?
[18:56] Michael C. Fanning: https://github.com/oasis-tcs/sarif-spec/issues/33
[18:56] Stefan Hagen: Laurence walks all through a summary of the issue
[18:57] Stefan Hagen: In markdown all dialogs are depending on the security of the processor, as all somehow allow embedding any HTML
[18:58] Stefan Hagen: Laurence proposal to adopt github flavoured markdown
[18:59] Stefan Hagen: Laurence offers to share https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/sarif-v1.0-issue-33-gfm.docx especially section 3.10.3
[19:00] Stefan Hagen: All discuss
[19:07] Stefan Hagen: Luke asks on 3.10.1 in proposed draft topic inline links and brief messages
[19:08] Stefan Hagen: All discuss
[19:11] Stefan Hagen: All discuss briefness vs. richness
[19:12] Stefan Hagen: Michael suggests to take the discussion offline
[19:12] Stefan Hagen: Paul comments on substitution strings. Is the intention that the string substituted may also contain markup?
[19:13] Stefan Hagen: Laurence states, that this was not the original intention
[19:13] Stefan Hagen: All discuss
[19:14] Stefan Hagen: Paul understands, that the substitution itself should not contain markdown
[19:15] Stefan Hagen: Michael suggests the agreement might be, to ensure the injected strings must be validated as not exposing side effects (sanitised input)
[19:18] Stefan Hagen: All discuss further on the proposal and already specified aspects in the spec
[19:18] Stefan Hagen: Jim asks how to distinguish regular and format message in proposal
[19:21] Stefan Hagen: All discuss the options
[19:23] Stefan Hagen: Stefan suggests to in JSON not show keys that carry no values, so if we have future ideas, we should insert keys for them in the future and not now (sample mime-type)
[19:23] Stefan Hagen: Henny describes the issue she raised and the proposal
[19:24] Stefan Hagen: Context level property
[19:30] Stefan Hagen: Laurence moves to recess
[19:30] Stefan Hagen: Michael suggests 15 minutes (a fire alarm)
[19:30] Stefan Hagen: Laurence seconds
[19:30] Stefan Hagen: No discussion, no objections so ordered, we will come back in 15 minutes
[19:32] Stefan Hagen: Meeting will be continued at 19:45 CEST, 17:45 UTC, 13:45 EDT, 10:45 PDT
[19:33] Paul Anderson: It's just that my version of the document doesn't have a 5.17.4, but section 3.17.4 seems to be the right one, so I'm wondering if I'm looking at the same thing everyone else is. I'm looking at the two versions I just downloaded - the one with the taxonomies changes, and the other with the gfm changes.
[19:33] Stefan Hagen: Please add a URL to Henny's proposal for 5.17.4 to be included in the minutes and maybe help the participants to follow the discussion (at least the scribe is currently lost, only mechanically typing words), thanks
[19:34] Stefan Hagen: @Channel: Anyone :-?
[19:39] Paul Anderson: None of the documents under https://github.com/oasis-tcs/sarif-spec/tree/master/Documents have a section 5.17.4.
[19:40] Laurence J. Golding: Paul, we are talking about 3.17.4
[19:40] Laurence J. Golding: Explanation:
[19:41] Laurence J. Golding: The original HTML-based spec was written to mimic the ISO template. When I re-cast it into .docx in the OASIS template, the section numbers changed.
[19:41] Laurence J. Golding: Presumably Henny was looking at the HTML version.
[19:42] Paul Anderson: Got it. Thanks.
[19:46] Stefan Hagen: Laurence asks the values in the tools considered if they are related to other ones or are a distinct dimension
[19:47] Stefan Hagen: Henny states that these do not correlate to warnings etc. because e.g. a value like safe is an immediate tool result without interpretation or scoring.
[19:53] Stefan Hagen: All discuss
[19:55] Stefan Hagen: Mel is concerned about leaking implementation details when using specific tool labels, but instead use proposed namespace policies, as e.g. did code could be a policy
[19:55] Stefan Hagen: Discussion continues
[20:04] Stefan Hagen: All discuss on namespace proposal and level / poly space forward slash structuring options
[20:07] Stefan Hagen: Michael will create a new issue to continue the conversation
[20:08] Stefan Hagen: Henny will suggest some polyspace specific terms so we can start from there
[20:08] Stefan Hagen: 5. Discuss Issue 56 https://github.com/oasis-tcs/sarif-spec/issues/56 Consider adding namespaces to tags
[20:09] Stefan Hagen: Luke reports that with their products, the rules are already tagged and it works pretty well
[20:10] Stefan Hagen: Jim asks if the dash in the displayed samples means something.
[20:10] Stefan Hagen: Laurence responds that no.
[20:11] Stefan Hagen: All discuss how tags may be mapped to other tags
[20:17] Stefan Hagen: Paul and Michael discuss
[20:18] Stefan Hagen: Laurence asks if the proposal for taxonomy might be a good alternative to the namespace/tags and level proposals
[20:18] Stefan Hagen: Laurence sent the taxonomies proposal in response to issue #3
[20:19] Stefan Hagen: Michael has issues with this proposal
[20:20] Stefan Hagen: All discuss taxonomies and multiplicities
[20:23] Stefan Hagen: 5. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)
5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
[20:23] Stefan Hagen: 5.2 Review of Decisions Reached (Secretary Hagen)
- Continue discussion on https://github.com/oasis-tcs/sarif-spec/issues/33 on the mailing list
5.3 Review of Action Items (Secretary Hagen)
- Stefan to create all scheduled teleconference meetings before the next meeting
- Michael will create a new issue to continue the conversation on namespaces and tool level <placeholder for better term>
[20:23] Stefan Hagen: 6. Next Meeting October 25, 2017 / 09:30-11:30 PDT / 16:30-18:30 UTC
7. Adjournment
[20:24] Stefan Hagen: Meeting adjourned by chair

# Meeting Attendees

| Company | Name | Role |
|---|---|---|
| GrammaTech, Inc. | Paul Anderson | Voting Member |
| Semmle | Luke Cartey | Chair |
| Microsoft | Michael Fanning | Voting Member |
| Individual | Laurence Golding | Voting Member |
| DHS Office of Cybersecurity and Communicat... | Kevin Greene | Voting Member |
| Individual | Stefan Hagen | Secretary |
| Micro Focus | Larry Hines | Voting Member |
| Individual | David Keaton | Chair |
| SWAMP | Jim Kupsch | Voting Member |
| Synopsys | Mel Llaguno | Voting Member |
| Security Compass | Pooya Mehregan | Member |
| Micro Focus | Yekaterina O'Neil | Voting Member |
| NIST | Vadim Okun | Observer |
| Code Dx, Inc. | Ken Prole | Voting Member |
| Kestrel Technology | Henny Sipma | Voting Member |
| Kestrel Technology | Douglas Smith | Voting Member |

# Meeting Statistics

- Quorum rule: 51% of voting members
- Achieved quorum: yes

Individual Attendance
- Observing Members: 1 of 8 (12%)
- Contributing Members: 15 of 33 (45%)
- Voting Members: 14 of 19 (73%) (used for quorum calculation)

Company Attendance
- Observing Companies: 1 of 4 (25%)
- Contributing Companies: 11 of 20 (55%)
- Voting Companies: 10 of 11 (90%)