Acting convener: Ram
Chat transcript from room: sariftc From 2017-09-06 16:05 UTC until 18:18 UTC
Convener: Called the meeting to order @ 16:05 UTC.
All participants recorded their attendance on the OASIS meeting calendar - quorum was reached.
All participants were kindly encouraged to register themselves, to optimize the use of the shared time during the meeting, in one of two ways:
Either click the link with the text "Register my attendance" at the top of the event page or directly visit the per-event "record my attendance" link:
https://www.oasis-open.org/apps/org/workgroup/sarif/record_my_attendance.php?event_id=45798&confirmed=1, Thanks
Details cf. normative attendance sheet for this meeting (event_id=45798).
Note: Inaugural call special rule applies - being registered before a certain date and present in the first meeting leads to voting member status already in that meeting.
Chris Wysopal (CA Technologies) David Keaton (Individual) Douglas Smith (Kestrel Technology) Duncan Sparrell (sFractal Consulting LLC) Jim Kupsch (SWAMP) Joseph Feiman (CA Technologies) Kevin Greene (DHS Office of Cybersecurity and Communications (CS&C)) Larry Hines (Novell) Laurence Golding (Microsoft) Luke Cartey (Semmle) Mel Llaguno (Synopsys) Michael Fanning (Microsoft) Paul Anderson (GrammaTech, Inc.) Philip Royer (Phantom) Ram Jeyaraman (Microsoft) Stefan Hagen (Individual) Vamshi Basupalli (SWAMP) Yekaterina ONeil (Hewlett Packard Enterprise (HPE))
Note: Despite the (mis-)calculations of the tool in the TC workspace, it is sufficient to participate in two subsequent meetings of a TC to obtain voting rights after that meeting.
Ken Prole (Code Dx Inc.)
Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed on the OASIS Open Notices tab.
Andrew Browne (Oracle)
None
Ram: Shortly presented the tentative agenda:
1) Welcome
2) Roll call (and confirm voting members) [Convener]
3) Review agenda [Convener]
4) Election of Chair(s) [Convener]
5) Election of Secretary and Specification Editor(s) [Chair]
6) Review TC charter and timeline, and call for contributions [Chair]
7) Overview of TC process and tools (including Jira bug tracking) [TC administrator]
8) Acknowledge and review contributions [Chair]
9) Future meetings (teleconference meetings plus potential future F2F meetings)
10) Any other business
Convener: No objections. Agenda approved unchanged as published.
Laurence I move that we appoint David Keaton and Luke Cartey as co-Chairs of the SARIF TC. Stefan seconds.
Convener: No further discussion. No objection to unanimous consent. Motion passes.
Ram: Convener hands over to the elected Co-Chairs
Acting chair: David Keaton
Laurence I nominate Stefan Hagen as TC secretary of the SARIF TC. Michael seconds.
Chair: No further discussion. No objection to unanimous consent. Stefan is elected as Secretary of this TC.
Michael I nominate Laurence Golding as specification editor.
Laurence I nominate myself and Michael Fanning as co-Editors of the specification. Stefan seconds.
Chair: Nominations closed.
Chair: No further discussion. No objections. Laurence and Michael are elected as co-Editors of this specification
TC Charter publicly accessible at: https://www.oasis-open.org/committees/sarif/charter.php
Chair: No objections. Charter adopted.
Chair: Hands over to Laurence for presentation of tentative Timeline
Laurence: Walks all through the proposal for the timeline
Stefan: Publicly accessible link to the timeline proposal presented is: https://www.oasis-open.org/committees/download.php/61518/SARIF TC Timeline.pptx
Duncan: Welcomes the timeline although it seems aggressive
Ram: Asks if the spec as currently formulated will harmonise with existing tools
Laurence: Mentions that the current input revision for the spec already fits the tool landscape well.
Michael: Interoperability testing is critical to drive a quality specification
Chet: Informs that TC administration can support technically with the open projects approach and with intro events, and will be happy to do so
Laurence: Asks if these intro events will happen in sequence or in parallel to the review calls of the specification publication process?
Chet: Answers that this is up to the TC to decide, well within the constraints, of course, that any intro must be based upon some existing shared facts
Laurence: Further asks if partial exclusions might be possible, e.g. excluding section so-and-so as still in flux?
Chet: Mentions CTI TC as prior occurrences of such partial interop events
Ram: Mentions that this is less process-ruled and more TC-defined (best) for pulling in most of the industry in intro tests
Duncan: What will be the working methods? In particular where will the work products reside? If there is an initial draft - where is it? open question: will we address dynamic analysis scenarios?
Ram: Chet will walk us through the TC process, document folder, etc.
Michael: Discussing applicability of SARIF to dynamic analysis should be an early topic (Relayed questions from Skype chat, about ability to integrate dynamic analysis (like with fuzzers) to put it on the "track record")
Chair: Calls for anyone having a written contribution she wants us to consider
Laurence: Has the contribution ready and will add this to kavi workspace, and after that talk about what he submitted
Ram: Suggests, that Laurence uses the comment field of the upload form to include the contribution statement
Stefan: The resulting public link is: https://www.oasis-open.org/committees/download.php/61525/Static Analysis Results Interchange Format (SARIF).html
Michael: Link to (now soon deprecated) master is here: https://rawgit.com/sarif-standard/sarif-spec/master/Static Analysis Results Interchange Format (SARIF).html
Chet: Shortly informs everyone about the rules and consequences for contributions under the OASIS rules
Stefan: As service URL describing TC process at OASIS and also the terms and meanings at OASIS where specifically defined: https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26
Stefan: Technical kavi handling note: Quick Add does bypass any ability to comment during upload
Chair: Hands over to Laurence to walk all through the motivational slides for the contribution
Laurence walks all through motivational slides for the contribution at: https://www.oasis-open.org/apps/org/workgroup/sarif/download.php/61527/SARIF TC Contribution Overview.pptx
All: Discuss implications and clarify details to grow a shared understanding
Laurence: States that the proposed format of SARIF is more flexible (not only static ...) than anticipated, but in this TC the focus is currently assumed to be more on the static aspect (in contrast to compositional or dynamic analysis)
Michael: Adds that addressing static analysis first was a good start, but maybe along the way we may decide to widen the scope to better serve dynamic or other aspects, as long as this is aligned with our charter.
Laurence: States, that both quality and security shall be served by the final spec
Kevin: Contributes a link to the research he has funded around this area: https://www.fbo.gov/index?s=opportunity&mode=form&id=08c964597fe81a759b165eb46ba30f78&tab=core&_cview=0 and suggests the members take a look at the research i.e. Hybrid Analysis Mapping (HAM).
Philip: Kindly asks for links to other projects that have already been integrated via converters
Laurence: Currently has no explicit list, but it is embedded in the repo, as the converters themselves document this (cppcheck, ...)
Michael: Shortly names some (outside of Microsoft tooling).
Laurence: Kindly asks for an action item on him, to contribute such a list to the TC
Hereby granted ;-)
Michael: Answers question from Paul on how the results management can be addressed best for enabling metadata exchange in the ecosystem
Laurence: Suggests that he might propose at some time to in any case not slow down publication of the format in its current scope, but to try adding the report-format-related aspects for some time
All: Discussion continues about the number of programming languages and their intermix that will presumably be covered
Joseph: Asks, about considerations for cross domain support
Laurence: Follows up, stating that it is usual to run multiple tools with different strengths inside a single domain (like e.g. security or quality)
Kevin: Expects the multi tool integration support, as in the field multiple tools reduce false positive count and minimise the gaps
All: No further discussion
Laurence: Continues the presentation of the contribution
Kevin: Contributes another link. A link to NSA Center for Assured Software (CAS) Tool study: CAS 2012 Static Analysis Tool Study Methodology.pdf
Michael and Laurence: Emphasize that the dynamic analysis tool or web scanning tool support is just thought of as an optional bonus, but they do not think that the reports from those tools are not substantially different - thus if there is interest and support from the TC it might be possible
Chair: Asks, if there are any further contributions?
Paul: Comments, that he has seen several proposed formats, and thinks the one contributed here is in his opinion far superior.
Kevin: Contributes another link to one of his R&D programs underway now. The goal is to modernize open-source static analysis tools. He sees tremendous synergies with SARIF: https://www.fbo.gov/utils/view?id=4a1745db09f002f2609e5ada47b8a622 (CSD_BAA_Call_STAMP_Amend_00003.pdf)
Chair: Notes, that there are no further contributions this time
Chair: Hands over to Chet for OASIS presentation
Chet: Walks all through the slides https://www.oasis-open.org/committees/download.php/61441/SARIF-09-06-17.pptx
Chet: Hint for tracking requests to OASIS administration in TC Admin JIRA at https://issues.oasis-open.org/issues/?jql=project = TCADMIN AND status = Open ORDER BY priority DESC
Paul: Asks, if a proxy might be sent if not possible to attend some day
Chet: Answers, that no
Stefan: Mentions, that depending on the handling of the TC, and abiding with Robert's rules, one can register online and thus state, that all business conducted is in his sense
The TC already acknowledged and reviewed the sole contribution in section 6.3
David: Suggests to meet every other week
David: Suggests to meet already next week same weekday and time for the second meeting
Stefan: Regrets, as he will not be available next wednesday
Paul: Regrets, as he will also not be available on that day
Chair: Suggested is to meet two weeks from today and half an hour later than today's start
All: Next meeting will start 2017-09-20 16:30 UTC with a duration of 2 hours
No other business
Laurence moves to adjourn. Michael seconds.
The meeting was adjourned at 18:18 UTC.