OASIS Static Analysis Results Interchange Format (SARIF) TC Meeting #1 September 06, 2017

Acting convener: Ram

Chat transcript from room: sariftc
From 2017-09-06 16:05 UTC until 18:18 UTC

1. Call to Order and Welcome

Convener: Called the meeting to order @ 16:05 UTC.

2. Roll call

All participants recorded their attendance on the OASIS meeting calendar - quorum was reached.

All participants were kindly encouraged to register themselves to optimize the use of the shared time during the meeting in one of two ways:
Either click the link with the text "Register my attendance" on the top of the event page or directly visit the per event direct "record my attendance" link:
https://www.oasis-open.org/apps/org/workgroup/sarif/record_my_attendance.php?event_id=45798&confirmed=1, Thanks

Details cf. normative attendance sheet for this meeting (event_id=45798).

2.1 Participants

2.1.1 Voting Members present

Note: Inaugural call special rule applies - registered before some date and present in first meeting leads to voting member status already in that meeting.

Chris Wysopal (CA Technologies)
David Keaton (Individual)
Douglas Smith (Kestrel Technology)
Duncan Sparrell (sFractal Consulting LLC)
Jim Kupsch (SWAMP)
Joseph Feiman (CA Technologies)
Kevin Greene (DHS Office of Cybersecurity and Communications (CS&C))
Larry Hines (Novell)
Laurence Golding (Microsoft)
Luke Cartey (Semmle)
Mel Llaguno (Synopsys)
Michael Fanning (Microsoft)
Paul Anderson (GrammaTech, Inc.)
Philip Royer (Phantom)
Ram Jeyaraman (Microsoft)
Stefan Hagen (Individual)
Vamshi Basupalli (SWAMP)
Yekaterina ONeil (Hewlett Packard Enterprise (HPE))

2.1.2 Members present

Note: Despite the (mis-)calculations of the tool in the TC workspace, it is sufficient to participate in two consecutive meetings of a TC to obtain voting rights after that meeting.

Ken Prole (Code Dx Inc.)

2.1.3 Observers present

Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed in the OASIS Open Notices tab.

Andrew Browne (Oracle)

2.2 Voting Right Changes Effective After The Roll call of this Meeting

2.2.1 Members who gained Voting Rights

Chris Wysopal (CA Technologies)
David Keaton (Individual)
Douglas Smith (Kestrel Technology)
Duncan Sparrell (sFractal Consulting LLC)
Jim Kupsch (SWAMP)
Joseph Feiman (CA Technologies)
Kevin Greene (DHS Office of Cybersecurity and Communications (CS&C))
Larry Hines (Novell)
Laurence Golding (Microsoft)
Luke Cartey (Semmle)
Mel Llaguno (Synopsys)
Michael Fanning (Microsoft)
Paul Anderson (GrammaTech, Inc.)
Philip Royer (Phantom)
Ram Jeyaraman (Microsoft)
Stefan Hagen (Individual)
Vamshi Basupalli (SWAMP)
Yekaterina ONeil (Hewlett Packard Enterprise (HPE))

2.2.2 Members who lost Voting Rights


3. Review Agenda

Ram: Shortly presented the tentative agenda:

 1) Welcome
 2) Roll call (and confirm voting members) [Convener]
 3) Review agenda [Convener]
 4) Election of Chair(s) [Convener]
 5) Election of Secretary and Specification Editor(s) [Chair]
 6) Review TC charter and timeline, and call for contributions [Chair]
 7) Overview of TC process and tools (including Jira bug tracking) [TC administrator]
 8) Acknowledge and review contributions [Chair]
 9) Future meetings (teleconference meetings plus potential future F2F meetings)
10) Any other business

Convener: No objections. Agenda approved unchanged as published.

4. Election of Chair(s)

Laurence: I move that we appoint David Keaton and Luke Cartey as co-Chairs of the SARIF TC. Stefan seconds.

Convener: No further discussion. No objection to unanimous consent. Motion passes.

Ram: Convener hands over to the elected Co-Chairs

Acting chair: David Keaton

5. Election of Secretary and Specification Editor(s)

5.1 Election of Secretary

Laurence: I nominate Stefan Hagen as TC secretary of the SARIF TC. Michael seconds.

Chair: No further discussion. No objection to unanimous consent. Stefan is elected as Secretary of this TC.

5.2 Election of Specification Editor(s)

Michael: I nominate Laurence Golding as specification editor.

Laurence: I nominate myself and Michael Fanning as co-Editors of the specification. Stefan seconds.

Chair: Nominations closed.

Chair: No further discussion. No objections. Laurence and Michael are elected as co-Editors of this specification.

6. Review TC charter and timeline, and call for contributions

6.1 Review TC charter

TC Charter publicly accessible at: https://www.oasis-open.org/committees/sarif/charter.php

Chair: No objections. Charter adopted.

6.2 Review TC Timeline

Chair: Hands over to Laurence for presentation of tentative Timeline

Laurence: Walks all through the proposal for the timeline

Stefan: Publicly accessible link to the timeline proposal presented is: https://www.oasis-open.org/committees/download.php/61518/SARIF TC Timeline.pptx

Duncan: Welcomes the timeline although it seems aggressive

Ram: Asks, if the spec as currently formulated will harmonise with existing tools

Laurence: Mentions that the current input revision for the spec already fits the tool landscape well.

Michael: Interoperability testing is critical to drive a quality specification

Chet: Informs, that TC administration can support technically with the open projects approach and with intro events and will be happy to do so

Laurence: Asks, if these intro events will happen in sequence or in parallel to the review calls of the specification publication process?

Chet: Answers, that this is up to the TC to decide, well within the constraints, of course, that any intro must be based upon some existing shared facts

Laurence: Further asks, if there might be partial exclusions possible, e.g. excluding section so and so, as still in flux?

Chet: Mentions CTI TC as prior occurrences of such partial interop events

Ram: Mentions, that this is less process ruled, but more TC defined (best) for pulling in most of the industry in intro tests

Duncan: What will be the working methods? In particular where will the work products reside? If there is an initial draft - where is it? open question: will we address dynamic analysis scenarios?

Ram: Chet will walk us through the TC process, document folder, etc.

Michael: Discussing applicability of SARIF to dynamic analysis should be an early topic (Relayed questions from Skype chat, about ability to integrate dynamic analysis (like with fuzzers) to put it on the "track record")

6.3 Call for contributions

Chair: Calls for anyone having a written contribution she wants us to consider

Laurence: Has the contribution ready and will add this to kavi workspace, and after that talk about what he submitted

Ram: Suggests, that Laurence uses the comment field of the upload form to include the contribution statement

Stefan: The resulting public link is: https://www.oasis-open.org/committees/download.php/61525/Static Analysis Results Interchange Format (SARIF).html

Michael: Link to (now soon deprecated) master is here: https://rawgit.com/sarif-standard/sarif-spec/master/Static Analysis Results Interchange Format (SARIF).html

Chet: Shortly informs everyone about the rules and consequences for contributions under the OASIS rules

Stefan: As service URL describing TC process at OASIS and also the terms and meanings at OASIS where specifically defined: https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26

Stefan: Technical kavi handling note: Quick Add does bypass any ability to comment during upload

Chair: Hands over to Laurence to walk all through the motivational slides for the contribution

Laurence walks all through motivational slides for the contribution at: https://www.oasis-open.org/apps/org/workgroup/sarif/download.php/61527/SARIF TC Contribution Overview.pptx

All: Discuss implications and clarify details to grow a shared understanding

Laurence: States, that the proposed format of SARIF is more flexible (not only static ...) than anticipated, but in this TC the focus is currently assumed to be more on the static aspect (in contrast to compositional or dynamic analysis)

Michael: Adds that addressing static analysis first was a good start, but maybe along the way we may decide to widen the scope to better serve dynamic or other aspects, as long as this is aligned with our charter.

Laurence: States, that both quality and security shall be served by the final spec

Kevin: Contributes a link to the research he has funded around this area: https://www.fbo.gov/index?s=opportunity&mode=form&id=08c964597fe81a759b165eb46ba30f78&tab=core&_cview=0 and suggests the members take a look at the research i.e. Hybrid Analysis Mapping (HAM).

Philip: Kindly asks for links to other projects that have already been integrated via converters

Laurence: Currently has no explicit list, but it is embedded in the repo, as the converters themselves document this (cppcheck, ...)

Michael: Shortly names some (outside of microsoft tooling).

Laurence: Kindly asks for an action item on him, to contribute such a list to the TC

Hereby granted ;-)

Michael: Answers question from Paul on how the results management can be addressed best for enabling metadata exchange in the ecosystem

Laurence: Suggests that he might propose at some time to in any case not slow down publication of the format in its current scope, but try adding the report format related aspects for some time

All: Discussion continues about the number of programming languages and their intermix that will presumably be covered

Joseph: Asks, about considerations for cross domain support

Laurence: follows up with stating, that it is usual to run multiple tools with different strengths inside a single domain (like e.g. security or quality)

Kevin: Expects the multi tool integration support, as in the field multiple tools reduce false positive count and minimise the gaps

All: No further discussion

Laurence: Continues the presentation of the contribution

Kevin: Contributes another link. A link to NSA Center for Assured Software (CAS) Tool study: CAS 2012 Static Analysis Tool Study Methodology.pdf

Michael and Laurence: Emphasize, that the dynamic analysis tool or web scanning tool support is just thought of as an optional bonus, but they do not think, that the reports from those tools are not substantially different - thus if there is interest and support from the TC it might be possible

Chair: Asks, if there are any further contributions?

Paul: Comments, that he has seen several proposed formats, and thinks the one contributed here is in his opinion far superior.

Kevin: Contributes another link to one of his R&D programs underway now. The goal is to modernize open-source static analysis tools. He sees tremendous synergies with SARIF: https://www.fbo.gov/utils/view?id=4a1745db09f002f2609e5ada47b8a622 (CSD_BAA_Call_STAMP_Amend_00003.pdf)

Chair: Notes, that there are no further contributions this time

7. Overview of TC process and tools (including Jira bug tracking)

Chair: Hands over to Chet for OASIS presentation

Chet: Walks all through the slides https://www.oasis-open.org/committees/download.php/61441/SARIF-09-06-17.pptx

Chet: Hint for tracking requests to OASIS administration in TC Admin JIRA at https://issues.oasis-open.org/issues/?jql=project = TCADMIN AND status = Open ORDER BY priority DESC

Paul: Asks, if a proxy might be sent if not possible to attend some day

Chet: Answers: no

Stefan: Mentions, that depending on the handling of the TC, and abiding with Robert's rules, one can register online and thus state, that all business conducted is in his sense

8. Acknowledge and review contributions

The TC already acknowledged and reviewed the sole contribution in section 6.3

9. Future meetings (teleconference meetings plus potential future F2F meetings)

David: Suggests to meet every other week

9.1 Date and time of next meeting

David: Suggests to meet already next week same weekday and time for the second meeting

Stefan: Regrets, as he will not be available next Wednesday

Paul: Regrets, as he will also not be available on that day

Chair: Suggested is to meet two weeks from today and half an hour later than today's start

All: Next meeting will start 2017-09-20 16:30 UTC with a duration of 2 hours

10. Any other business

No other business

11. Adjourn

Laurence moves to adjourn. Michael seconds.

The meeting was adjourned at 18:18 UTC.