OASIS Static Analysis Results Interchange Format (SARIF) TC Meeting #6 November 08, 2017

Acting chair: David

Chat transcript from room: sarif
From 2017-11-08 16:37 UTC until 18:25 UTC

1. Call to Order and Welcome

Chair: Called the meeting to order @ 16:37 UTC.

2. Roll call

All participants recorded their attendance on the OASIS meeting calendar - quorum was reached.

All participants were kindly encouraged to register themselves, to optimize the use of the shared time during the meeting, in one of two ways:
Either click the link with the text "Register my attendance" on the top of the event page or directly visit the per-event direct "record my attendance" link:
https://www.oasis-open.org/apps/org/workgroup/sarif/record_my_attendance.php?event_id=46133&confirmed=1, Thanks

Details cf. normative attendance sheet for this meeting (event_id=46133).

2.1 Participants

2.1.1 Voting Members present

David Keaton (Individual)
Douglas Smith (Kestrel Technology)
Henny Sipma (Kestrel Technology)
Jim Kupsch (SWAMP)
Larry Hines (Micro Focus)
Laurence Golding (Individual)
Luke Cartey (Semmle)
Mel Llaguno (Synopsys)
Michael Fanning (Microsoft)
Paul Anderson (GrammaTech, Inc.)
Stefan Hagen (Individual)
Sunny Chatterjee (Microsoft)
Vamshi Basupalli (SWAMP)
Yekaterina ONeil (Novell)

2.1.2 Members present

Note: Despite the (mis-)calculations of the tool in the TC workspace, it is sufficient to participate in two consecutive meetings of a TC to obtain voting rights after the second of those meetings.

Duncan Sparrell (sFractal Consulting LLC)
Hendrik Buchwald (RIPS Technologies)
Pooya Mehregan (Security Compass)
Sean Barnum (FireEye, Inc.)

2.1.3 Observers present

Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed on the OASIS Open Notices tab.

Andrew Browne (Oracle)

2.2 Voting Right Changes Effective After The Roll call of this Meeting

2.2.1 Members who gained Voting Rights

Vamshi Basupalli (SWAMP)

2.2.2 Members who lost Voting Rights

Kevin Greene (DHS Office of Cybersecurity and Communication ...)

3. Review Agenda

Agenda draft published at https://www.oasis-open.org/committees/download.php/61949/agenda_20171108.html - content given below to support the reader:

1. Opening Activities
  1.1 Opening comments (Co-Chair Keaton)
  1.2 Introduction of participants/roll call (Co-Chair Cartey)
  1.3 Procedures for this meeting (Co-Chair Keaton)
  1.4 Approval of agenda (Co-Chair Keaton)
    URL = https://www.oasis-open.org/committees/download.php/61949/agenda_20171108.html
  1.5 Approval of previous minutes [Minutes of 2017-10-25 Meeting#5] (Co-Chair Keaton)
    URL = https://www.oasis-open.org/committees/download.php/61947/sarif-minutes-20171025-meeting-5.html
  1.6 Review of action items and resolutions (Secretary Hagen)
  1.7 Identification of SARIF TC voting members (Co-Chair Cartey)
    1.7.1 Prospective members attending their first meeting
    1.7.2 Members attaining voting rights at the end of this meeting
    1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
    1.7.4 Members who previously lost voting rights who are attending this meeting
    1.7.5 Members who have declared a leave of absence
2. Future Meetings
  2.1 Future meeting schedule (Co-Chair Keaton)
  Teleconferences (Wednesdays at 09:30 Pacific):
    November 29
    December 13
    January 10
  Face-to-face meeting
    January 22-23 (tentative)
3. Introduction and presentation of Tools Output Integration Framework (TOIF) (Nick Mansourov)
4. Clarification of workflow for approving changes to spec language (Co-Editor Golding)
5. Resolution of github issues (Co-Editor Fanning)
  5.1 Announcements
    5.1.1 Rule help property [#27] is ready for spec language review
    5.1.2 Namespaced tags [#56] is ready for spec language review
  5.2 Resolve items discussed at previous meeting
    5.2.1 Should we allow formatting in messages? [#33, #57, #61]
    5.2.2 Consider adding 'rank' or 'probability' property [#58]
  5.3 Should the result object support graph information? [#46]
  5.4 Consider restructuring SARIF to be location, not results-focused [#55]
  5.5 Consider a tool validation or 'selectivity' annotation [#59]
6. Other Business
7. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)
  7.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
  7.2 Review of Decisions Reached (Secretary Hagen)
  7.3 Review of Action Items (Secretary Hagen)
8. Next Meeting
  November 29, 2017 / 09:30-11:30 PT / 17:30-19:30 UTC
9. Adjournment
Note: Issue URLs are constructed by appending the issue number (without the '#') to the base URL https://github.com/oasis-tcs/sarif-spec/issues/

Michael: I move to approve the agenda. Laurence seconds.

David: No discussion, no objections, the agenda is adopted

4. Approval of previous minutes from 2017-10-25 Meeting #5

Minutes at https://www.oasis-open.org/committees/download.php/61947/sarif-minutes-20171025-meeting-5.html

Michael: I move to approve the minutes. Laurence seconds.

David: No discussion, no objections, the minutes are approved unchanged as published

5. Review of action items and resolutions

None

6. Future Meetings

6.1 Future meeting schedule (Teleconferences)

November 29 17:30-19:30 UTC 
December 13 17:30-19:30 UTC 
January  10 17:30-19:30 UTC 

6.2 Face-to-face meeting

David: Will send around a mail to accelerate the process, as January is approaching fast

January 22-23 (tentative)

7. Introduction and presentation of Tools Output Integration Framework (TOIF)

Nikolai Mansourov walks all through slides from the OMG archived at https://www.oasis-open.org/committees/download.php/61987/Introduction to the TOIF 20171107.pdf

All thank Nikolai

Action on Laurence, to: Look at the slide deck about SARIF that I presented at the first TC meeting. If necessary, enhance it so that it suffices to bring Nikolai up to speed on SARIF. Then send it to him.

8. Clarification of workflow for approving changes to spec language

Laurence:

https://github.com/oasis-tcs/sarif-spec/issues/67

https://github.com/oasis-tcs/sarif-spec/pull/68/files

All discuss these two items, and whether and how we shall vote on or approve them

Motion to change the process as requested in the pull request, by Laurence, seconded by Michael

David: No discussion, no objections, it is adopted

9. Resolution of github issues

9.1 Announcements

Michael: CWE as an example motivates the #27 and #56 proposals, which are ready for spec language review

Laurence: Another issue fits nicely here, brought up by Laurence and welcomed by the TC

Laurence: kindly asks for all three to be reviewed for the next meeting

9.1.1 Rule help property #27 is ready for spec language review

https://github.com/oasis-tcs/sarif-spec/issues/27

Laurence: issue whose spec language we will review next week:
Change draft: https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/sarif-v1.0-issue-27-rule-help.docx

9.1.2 Namespaced tags #56 is ready for spec language review

https://github.com/oasis-tcs/sarif-spec/issues/56

Laurence: issue whose spec language we will review next week:
Change draft: https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/sarif-v1.0-issue-56-namespaced-tags-with-metadata.docx

9.1.3 One of result.{message,formattedRuleMessage} is required #25 is ready for spec language review

https://github.com/oasis-tcs/sarif-spec/issues/25

Laurence: issue whose spec language we will review next week:
Please read the discussion thread in the issue.
Change draft: https://github.com/oasis-tcs/sarif-spec/blob/master/Documents/ChangeDrafts/sarif-v1.0-issue-25-message-formattedRuleMessage.docx

9.2 Resolve items discussed at previous meeting

9.2.1 Should we allow formatting in messages? #33, #57, and #61

  1. #33 - https://github.com/oasis-tcs/sarif-spec/issues/33
  2. #57 - https://github.com/oasis-tcs/sarif-spec/issues/57
  3. #61 - https://github.com/oasis-tcs/sarif-spec/issues/61

Michael: now discussing issue #33

Laurence: suggests that he send a mail to the group that includes two sample fragments showing the competing suggestions, clarifying which one was Jim's suggestion

Paul: describes what their tool relies on w.r.t. formatting of messages / elements used etc.

Yekaterina: shortly describes her contribution to the discussion in the issue (a screenshot and a link where people can inspect online)

Michael: noted a strong similarity between the two samples posted

Michael: thinks some more of the possible structures should additionally be documented in use - he knows of some sophisticated tools that do - so we have more coverage before deciding

Laurence: suggests in any case focusing on the restriction, as we already narrowed the discussion down to some restriction on markdown; but in any case implementers would be required to create parsers for a custom format, which will not be great for adoption, so are we all conscious of the possible impact on adoption?

Michael: welcomes the thought direction of first identifying a base among the group, but then again thinking about the impact on secondary dimensions. He suggests continuing, but then letting the ecosystem decide how to proceed. If we only use a subset, would anyone supporting markdown today have to support a second, parallel way to integrate SARIF?

Paul: notes that we should conclude on what we expect consumers to render, and to what extent: is a newline rendered or ...? We have to describe the expectations so that implementers can offer similar experiences / renderings

Michael: agrees with that and proposes we build a foundational consensus here from that concept

Laurence: on the question of encoding, he thinks it is not a problem, as JSON is to be encoded in UTF-8 or another 16-bit Unicode variant.

Laurence: is in favour of mandating a format statement (markdown subset)

All discuss markdown and responsibility of input validation or constrained subset

Stefan: suggests that encoding of JSON files might need future discussion, esp. when read from disk (file) or received over wire.

Luke: asks about format

Michael: is fully volunteering to collect the group's opinion snapshot via a straw man poll (mailing list)

10. Any Other Business

No other business

11. Resolutions and Decisions reached

11.1 Review of Decisions Reached

  1. A modification to the suggested workflow for comments on changed docs in a specific folder via a pull, edit, push cycle has been approved.

11.2 Review of Action Items

  1. Laurence to send a mail to the TC, providing SARIF fragments that illustrate the two candidate approaches to embedding links in messages.
  2. Laurence to look at the slide deck about SARIF that I presented at the first TC meeting. If necessary, enhance it so that it suffices to bring Nikolai up to speed on SARIF. Then send it to him.
  3. Michael to collect, via mail to the mailing list, an opinion snapshot about the markdown format - constrained or not

12. Next meeting

All: Next meeting will start 2017-NOV-29 17:30 UTC with a duration of 2 hours

13. Adjourn

The meeting was adjourned at 18:25 UTC.