Dear members of the CSAF TC,
The OASIS SARIF TC is planning to publish the SARIF v2.2
specification shortly, in order to fully focus on the next major SARIF
standard, version 3.0.
SARIF is known as the "Static Analysis Results Interchange Format"
in versions 2.x, but will widen its scope to become the
"System Analysis Results Interchange Format" in versions 3.0 and
later, once version 2.2 has been published.
Call for action: Please kindly consider joining and supporting
the SARIF TC on this journey with your use cases.
I see a very interesting overlap of interests and possibilities
for delegation of work between CSAF and SARIF, especially where
detailed vulnerability descriptions would assist the consumers
of security advisories.
Maybe the specific means already available in the SARIF format
of version 2.x (like exact addressing of locations and identification
of systems under test) can be used as foreign parts, so as not to overload
the CSAF format for such needs.
Knowing the CSAF TC members a bit, I am sure that you have
even more ideas on how to realize the synergy between these two
OASIS-hosted and -managed "solutions".
Let us build something great together by connecting the dots.
Thanks a lot for considering this.
Cheers,
Stefan.