OASIS Static Analysis Results Interchange Format (SARIF) TC

  • 1.  Re: SHOULD => SHALL in "Security implications"

    Posted 01-11-2018 17:11
    Dear members, I hereby suggest we use MUST NOT instead of SHALL NOT. SHALL and SHOULD have an unnecessary small Levenshtein distance ;-) It also challenges some non-native readers more than required. With MUST all is so much clearer, isn't it :-? All the best, Stefan. On 11/01/18 16:32, Michael Fanning wrote: > Thanks, Larry. I agree this is the right thing to do. > > Nice catch, Jim. Security is important.


  • 2.  RE: [sarif] Re: SHOULD => SHALL in "Security implications"

    Posted 01-11-2018 17:58
    Stefan, That's an interesting suggestion. Please open an issue in the GitHub repo and I will consider it. For those of you who aren't familiar with RFC 2119, both SHALL and SHOULD (and, for that matter, REQUIRED) are permitted when expressing an absolute requirement. There are places in the spec where "SHALL" sounds better to me, other places where "MUST" sounds better to me, and still other places where they sound equally good to me. For example, consider this sentence from §3.2: Two URIs SHALL be considered equivalent if their normalized forms are the same... To my ear, MUST does not sound as good here. I'm not sure I can fully explain why. I think it is because in English, "MUST" has more of a feeling of "telling someone what to do". SHALL is more impersonal. If I write "Two URIs MUST be considered equivalent..." it sounds (to me) like a parent telling a child that they "must clean up their room". It sounds like a command, rather than a simple description of how the world has to be. I tend to use MUST in requirements that describe a syntactic constraint. For example, consider this sentence from §3.4: Unless otherwise specified in the description of a specific property, all properties whose values are of type "string" MUST have a non-empty value. Again I can't fully explain why. I think it's because here, I'm telling the string how to behave, and I don't have any trouble giving commands to a string


  • 3.  RE: [sarif] Re: SHOULD => SHALL in "Security implications"

    Posted 01-11-2018 18:15
    Knowing your work as I do, I am confident you will give this a good think and make some appropriate changes. I will say that for the specific case we're discussing (making the adjustment for banning potentially executable code from SARIF markdown), I like the clarity and additional emphasis that MUST provides. Michael


  • 4.  Re: [sarif] Re: SHOULD => SHALL in "Security implications"

    Posted 01-11-2018 18:22
    Before making this change, please consider what you want the future of this document to be. If you think you might ever want to promote this to an ISO standard, you will want to avoid the word "must". ISO/IEC Directives Part 2 state: "Do not use 'must' as an alternative for 'shall'." The reason is that "must" has a different meaning to ISO. You might want to keep these directives in mind in general, to protect future options for the document. http://www.iso.org/sites/directives/2016/part2/index.xhtml David On 01/11/2018 10:14 AM, Michael Fanning wrote: Knowing your work as I do, I am confident you will give this a good think and make some appropriate changes. I will say that for the specific case we're discussing (making the adjustment for banning potentially executable code from SARIF markdown), I like the clarity and additional emphasis that MUST provides. Michael


  • 5.  RE: [sarif] Re: SHOULD => SHALL in "Security implications"

    Posted 01-11-2018 18:40
    Hm, interesting. Use of MUST in our case certainly doesn't conform to ISO's notion of it. I see the following list of ISO acceptable alternates to SHALL NOT. Not sure whether any of these meet Stefan's criteria of being more accessible to non-native EN speakers. is not allowed [permitted] [acceptable] [permissible] is required to be not is required that … be not is not to be need not do not Again, back to this specific issue. I wonder if we shouldn't inject a note that amplifies on the spec language (which refers to SHALL NOT). We'd want to emphasize that it is really not acceptable for SARIF to contain executable code but that due to lack of controls on user-input and/or guaranteeing the integrity of a SARIF file and the dangers of failure to sanitize, consumers can't assume that the spec has been met for this case. It is not acceptable for producers to inject executable code into SARIF markdown. It is not acceptable for consumers to fail to sanitize.


  • 6.  RE: [sarif] Re: SHOULD => SHALL in "Security implications"

    Posted 01-11-2018 20:09
    David, thanks for that information. I'll add it to my TODO list to revisit that ISO Directives document (I read it once, a year ago, when we were considering taking SARIF to ISO), and then I'll respond back to this thread with a proposal. Larry


  • 7.  RE: [sarif] Re: SHOULD => SHALL in "Security implications"

    Posted 01-11-2018 20:24
    (and Michael, I'll add it to my TODO least to add, as a "NOTE", the stronger language about security.)


  • 8.  RE: [sarif] Re: SHOULD => SHALL in "Security implications"

    Posted 01-11-2018 21:12
    Sounds good. All this reminds me that we need to be sure not to drop the suggestion made by the working group to consider how SARIF files might be signed to ensure they haven't been tampered wi Issue #47 in the repo. https://github.com/oasis-tcs/sarif-spec/issues/47th .


  • 9.  RE: [sarif] Re: SHOULD => SHALL in "Security implications"

    Posted 01-11-2018 21:30
    Good catch. I defined a new label in the repo, "required", and I tagged Issue #47 with it. We can use it to identify the things we have to do before we send out a draft for comment. Larry


  • 10.  RE: [sarif] Re: SHOULD => SHALL in "Security implications"

    Posted 01-12-2018 05:45
    As a non-native speaker, I have to say I had to pause for a second to think about what the proposal of changing SHOULD to SHALL means. I did infer the meaning of the change correctly, but I think it was mainly due to the fact that the attention was drawn to making this change. That is, if I was just reading the final version of the spec, I would have not picked up on the connotation. I think the options listed below would not cause a confusion for me though. k