OASIS-sarif@ConnectedCommunity.org
Contacts
Chair: Luke Cartey, Microsoft
lcartey@github.com
Chair: David Keaton
dmk@dmk.com
OASIS Staff Contact: Kelly Cullinane
kelly.cullinane@oasis-open.org
Description
Defining a standard output format for static analysis tools
Announcements
Influx of Cybersecurity Leaders Sign On to Support New Version of OASIS SARIF Standard for Detecting Software Vulnerabilities. See the complete press release here.
Static Analysis Results Interchange Format (SARIF) Version 2.1.0 is now an OASIS Standard. For details, see the announcement.
View recording of SARIF briefing for prospective members, held 21 Sept 2018.
OASIS Awards 2018 Open Standards Cup to KMIP for Key Management Security and SARIF for Static Analysis Tools; 20 Aug 2018
Participation in the OASIS SARIF TC is open to all interested parties. SARIF TC members include major software companies, cybersecurity providers, government agencies, security orchestration specialists, programmers, and consultants. Contact join@oasis-open.org for more information.
Overview
SARIF TC members are developing an interoperability standard for detecting software defects and vulnerabilities. The goal is to define a common output format for static analysis tools that will make it feasible for developers and teams to view, understand, interact with, and manage the results produced by all their tools.
SARIF represents a leap forward in the usability of static analysis tools. Many organizations in the safety and security communities use several competing tools on their code. SARIF will allow them to combine and compare the results more easily to gain a sharper picture of the issues in their code that need to be addressed. Engineering teams will be able to easily access a broad range of potential defects and vulnerabilities in compliance with privacy and accessibility standards. SARIF will support the development of products whose code spans languages and operating systems.
For more information, see the SARIF TC Charter.
TC Tools and Approved Publications
Technical Work Produced by the Committee
Static Analysis Results Interchange Format (SARIF) Version 2.1.0. Edited by Michael C. Fanning and Laurence J. Golding. 27 March 2020. OASIS Standard. https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html. Latest stage: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html.
Static Analysis Results Interchange Format (SARIF) Version 2.1.0. Edited by Michael C. Fanning and Laurence J. Golding. 23 July 2019. OASIS Committee Specification 01. https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html. Latest version: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html.
Mailing Lists and Comments
sarif: the discussion list used by TC members to conduct Committee work. TC membership is required to post, and TC members are automatically subscribed. The public may view the OASIS list archives.
sarif-comment: a public mailing list for providing feedback on the technical work of the OASIS SARIF TC. Send a comment or view the OASIS comment list archives.
Press Coverage and Commentary
- Industry leaders collaborate to define SARIF interoperability standard for detecting software defects and vulnerabilities: Common data format for static analysis tools is being advanced by CA Technologies, Cryptsoft, FireEye, GrammaTech, Hewlett Packard Enterprise (HPE), Micro Focus, Microsoft, New Context, Phantom, RIPS, SWAMP, Synopsys, U.S. DHS, U.S. NIST, and others; 12 Oct 2017
Additional Information