OASIS Static Analysis Results Interchange Format (SARIF) TC Meeting #10 February 14, 2018

Acting chair: David

Chat transcript from room: sarif
From 2018-02-14 17:31 UTC until 19:25 UTC

1. Call to Order and Welcome

Chair: Called the meeting to order @ 17:31 UTC.

2. Roll call

All participants recorded their attendance on the OASIS meeting calendar - quorum was reached.

All participants were kindly encouraged to register their attendance in one of two ways, to optimize the use of the shared time during the meeting:
Either click the link with the text "Register my attendance" at the top of the event page or directly visit the per-event "record my attendance" link:
https://www.oasis-open.org/apps/org/workgroup/sarif/record_my_attendance.php?event_id=46136&confirmed=1, Thanks

For details, cf. the normative attendance sheet for this meeting (event_id=46136).

2.1 Participants

2.1.1 Voting Members present

Chris Wysopal (CA Technologies)
David Keaton (Individual)
Jim Kupsch (SWAMP)
Luke Cartey (Semmle)
Mel Llaguno (Synopsys)
Michael Fanning (Microsoft)
Paul Anderson (GrammaTech, Inc.)
Pooya Mehregan (Security Compass)
Stefan Hagen (Individual)
Sunny Chatterjee (Microsoft)
Vamshi Basupalli (SWAMP)
Yekaterina ONeil (Micro Focus)

2.1.2 Members present

Note: Despite the (mis-)calculations of the tool in the TC workspace, it is sufficient to participate in two subsequent meetings of a TC to obtain voting rights after that meeting.

Nikolai Mansourov (Object Management Group)

2.1.3 Observers present

Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed on the OASIS Open Notices tab.

None.

2.2 Voting Right Changes Effective After The Roll call of this Meeting

2.2.1 Members who gained Voting Rights

None.

2.2.2 Members who lost Voting Rights

Hendrik Buchwald (RIPS Technologies)
Larry Hines (Micro Focus)

3. Review Agenda

Agenda draft published at https://www.oasis-open.org/committees/download.php/62490/agenda_20180214.html - content given below to support the reader:

Agenda for February 14, 2018
MEETING OF OASIS SARIF TECHNICAL COMMITTEE
Time: 09:30-11:30 PST / 17:30-19:30 UTC
Meeting Chat Location: http://webconf.soaphub.org/conf/room/sarif
Meeting Audio: https://meet.lync.com/microsoft/mikefan/LN5GRKWV
1. Opening Activities
  1.1 Opening comments (Co-Chair Keaton)
  1.2 Introduction of participants/roll call (Co-Chair Cartey)
  1.3 Procedures for this meeting (Co-Chair Keaton)
  1.4 Approval of agenda (Co-Chair Keaton)
  1.5 Approval of previous minutes [Minutes of 2018-01-31/2018-02-01 Meeting#9] (Co-Chair Keaton)
  1.6 Review of action items and resolutions (Secretary Hagen)
  1.7 Identification of SARIF TC voting members (Co-Chair Cartey)
    1.7.1 Prospective members attending their first meeting
    1.7.2 Members attaining voting rights at the end of this meeting
    1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
    1.7.4 Members who previously lost voting rights who are attending this meeting
    1.7.5 Members who have declared a leave of absence
2. Timeline Status
  2.1 Note where we are on the schedule [SARIF TC Timeline] (Co-Chair Keaton)
3. Future Meetings
  3.1 Future meeting schedule (Co-Chair Keaton)
    Scheduled teleconference (Wednesday at 09:30 US Pacific time)
      February 28 (standard time)
    Proposed teleconference (Wednesday at 09:30 US Pacific time)
      March 14 (US daylight / EU standard time)
4. Document Progress (Co-Editors Golding and Fanning)
  4.1 Editors' report
  4.2 Approval of changes
    4.2.1 Clarify that missing region indicates a reference to the complete file [#88]
    4.2.2 Write the conformance section of the spec [#74]
    4.2.3 Enable traceability from converted SARIF file to original analysis tool log file [#66]
    4.2.4 Add 'open' as an issue level [#81]
    4.2.5 Add instance id to result object [#82]
    4.2.6 Consider adding attachments property [#83]
    4.2.7 Date/time property issues with seconds [#89]
  4.3 Discussions
    4.3.1 Code flow enhancements [#80]
          - Principle that everything in a code flow is intended to support a viewer experience
    4.3.2 Consider localization as an issue for SARIF [#84]
5. Other Business
6. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)
  6.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
  6.2 Review of Decisions Reached (Secretary Hagen)
  6.3 Review of Action Items (Secretary Hagen)
7. Next Meeting
   February 28, 2018 / 09:30-11:30 PST / 17:30-19:30 UTC
8. Adjournment
Note: Issue URLs are constructed by appending the issue number (without the '#') to the base URL https://github.com/oasis-tcs/sarif-spec/issues/

Michael: David, I will propose to add issue #92 to the agenda

Michael: Also propose to add a general review of newly opened items for discussion, pending time

David: Proposal:

1. Add 4.2.8 #92
2. Add 4.3.3 Newly opened items

David: Agenda as amended is adopted

4. Approval of previous minutes from 2018-01-31/2018-02-01 Meeting #9 (Face to Face)

Minutes at https://www.oasis-open.org/committees/download.php/62480/combined_sarif_chat.txt

David: Minutes are approved unchanged as published

5. Review of action items and resolutions

David: From last time:

https://github.com/oasis-tcs/sarif-spec/issues/47
Outside scope
Laurence's drawing:
    runs: [
      {
        files: {
          "someURL": {
            mimeType
            contents:
            hashes: {
              SHA-1: ...
That is where the hash would go in Laurence's proposal.

David: Above action item complete.

David: #75 - Ensure spec properly accounts for tools that emit line #'s only for code locations - #75 action item remains open

David: #64 - run.files keys can collide if specified by relative URLs - #64 action item remains open

David: #76 - Clarify encoding requirements for properties that contain text from source files - #76 done

David: Laurence and David to discuss citations for hash algorithms: remains open

6. Timeline Status

6.1 Note where we are on the schedule

David: Decision: Target CSD 1 for teleconference after next

7. Future Meetings

7.1 Future meeting schedule (Teleconferences)

February 28 (standard time)             17:30-19:30 UTC (scheduled)
March    14 (standard time)             16:30-18:30 UTC (proposed)

David: Decision: We will meet March 14.

8. Document Progress

8.1 Editors' report

Nothing noted

8.2 Approval of changes

David: 8.2.5 and 8.2.6 are not yet candidates for approval.

David: 8.2.7 also not yet a candidate for approval.

David: 8.2.8 #92 - Add stdin/stdout/stderr on invocation

David: Related to #92, #93 also mentions line endings.

David: General discussion. Suggestion is to refine #92 and resubmit next time, rather than approving right now.

David: Action: Michael will create an issue for synthesizing a single run from multiple tool invocations.

David: Motion: Accept changes for #88, #74, #66, #81 (8.2.1-8.2.4) only.

David: Decision: Motion carries. #88, #74, #66, #81 changes approved.

8.2.1 #88 - Clarify that missing region indicates a reference to the complete file

8.2.2 #74 - Write the "Conformance" section of the spec

8.2.3 #66 - Enable traceability from converted SARIF file to original analysis tool log file

8.2.4 #81 - Add 'open' as a result level

8.2.5 #82 - Add instance id to result object

8.2.6 #82 - Add instance id to result object

8.2.7 #83 - Consider adding attachments property

8.2.8 #92 - Add stdin/stdout/stderr on invocation

8.3 Discussions

8.3.1 #80 - Add stdin/stdout/stderr on invocation

David: - Principle that everything in a code flow is intended to support a viewer experience

Paul: What about threads?

Michael: Need a thread ID to distinguish distinct code flows.

Michael: Could make an array of executions in a code flow mean multiple threads.

David: Decision: A codeFlow property is in the "viewer" profile.

8.3.2 #84 - Consider localization as an issue for SARIF

David: Michael summarized for future discussion at next meeting.

8.3.3 newly opened issues and new content (including #63)

David: #93 - problems with regions

David: #94 - Add an invocation.arguments property

9. Any Other Business

No other business

10. Resolutions and Decisions reached

10.1 Review of Decisions Reached

Nothing noted here - for decisions, see the sections above.

10.2 Review of Action Items

  1. Michael will consider specifying a limit on string size for new string properties (stdin, etc.) #92.
  2. David: Open an issue for line ending conventions.
  3. Nick: Open action item on ranking is going through internal review.

11. Next meeting

All: February 28, 2018 / 09:30-11:30 PST / 17:30-19:30 UTC

12. Adjourn

The meeting was adjourned at 19:25 UTC.