Project news

Call for Consent for Static Analysis Results Interchange Format (#SARIF) V2.1.0 as OASIS Standard

The OASIS Static Analysis Results Interchange Format (SARIF) TC members [1] have approved submitting the following Candidate OASIS Standard to the OASIS Membership in a call for consent for OASIS Standard:

Static Analysis Results Interchange Format (SARIF) Version 2.1.0
Candidate OASIS Standard 02
12 March 2020

This is a call to the primary or alternate representatives of OASIS Organizational Members to consent or object to this approval. You are welcome to register your consent explicitly on the ballot; however, your consent is assumed unless you register an objection. To register an objection, you must:

1. Indicate your objection on this ballot, and

2. Provide a reason for your objection and/or a proposed remedy to the TC.

You may provide the reason in the comment box or by email to the Technical Committee on its comment mailing list or, if you are a member of the TC, to the TC’s mailing list [2]. If you provide your reason by email, please indicate in the subject line that this is in regard to the Call for Consent.

This Committee Specification was approved by the Technical Committee and was submitted for the required 60-day public review [3]. All requirements of the OASIS TC Process having been met [4][5], the Candidate OASIS Standard is now submitted to the voting representatives of OASIS Organizational Members.

— Details —

The Call for Consent opens at 14 March 2020 at 00:00 UTC and closes on 27 March 2020 at 23:59 UTC. You can access the ballot at:

Internal link for voting members: https://www.oasis-open.org/apps/org/workgroup/voting/ballot.php?id=3485

Publicly visible link: https://www.oasis-open.org/committees/ballot.php?id=3485

OASIS members should ensure that their organization’s voting representative responds according to the organization’s wishes. If you do not know who your organization’s voting representative is, go to the My Account page at

http://www.oasis-open.org/members/user_tools

then click the link for your Company (at the top of the page) and review the list of users for the name designated as “Primary”.

Software developers use a variety of tools to assess the quality of their programs. These tools can report results on qualities such as validity, security, performance, compliance with legal requirements, etc. To form an overall picture of program quality, developers often need to aggregate the results produced by all of these tools, a task made difficult when each tool produces output in a different format.

SARIF defines a standard format for the output of static analysis tools in order to:
– Comprehensively capture the range of data produced by commonly used static analysis tools.
– Reduce the cost and complexity of aggregating the results of various analysis tools into common workflows.
– Represent analysis results for all kinds of programming artifacts, including source code and object code.
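The aggregation task described above is what SARIF's common `runs`/`results` structure makes mechanical. The script below is an added illustration, not code from OASIS or the SARIF TC: it reads one SARIF 2.1.0 log carrying the output of two tools, flattens every result into a tool-tagged record, and builds the cross-tool counts (by severity, by tool, by file) plus the list of locations that more than one tool flagged. The tool names, rule identifiers, file paths and messages in the embedded document are constructed for the example; the property names it reads (`version`, `runs`, `tool.driver.name`, `results`, `ruleId`, `level`, `message.text`, `locations`, `physicalLocation`, `artifactLocation.uri`, `region.startLine`) are those of the SARIF 2.1.0 object model. It also handles two cases a practitioner hits quickly: a result with no `level` (SARIF treats that as `warning` unless the rule's configuration says otherwise, which this example does not model) and a result with no location at all.

```python
"""Aggregate findings from several static analysis tools via one SARIF 2.1.0 log."""
import json
from collections import Counter, defaultdict

# Constructed sample: a single SARIF log with two runs, i.e. two tools' output
# merged into one file. Tool names, rule ids, paths and messages are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "ExampleLint"}},  # constructed tool name
            "results": [
                {
                    "ruleId": "EX001",
                    "level": "error",
                    "message": {"text": "Buffer length is not checked before copy."},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "src/a.c"},
                        "region": {"startLine": 10}}}],
                },
                {
                    "ruleId": "EX002",
                    "level": "warning",
                    "message": {"text": "Unused variable 'tmp'."},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "src/b.c"},
                        "region": {"startLine": 4}}}],
                },
            ],
        },
        {
            "tool": {"driver": {"name": "OtherScanner"}},  # constructed tool name
            "results": [
                {   # no "level": SARIF's default for a missing level is "warning"
                    "ruleId": "OS-100",
                    "message": {"text": "Possible out-of-bounds write."},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "src/a.c"},
                        "region": {"startLine": 10}}}],
                },
                {   # a result with no location at all (a project-wide finding)
                    "ruleId": "OS-200",
                    "level": "note",
                    "message": {"text": "No SBOM file found in repository."},
                },
            ],
        },
    ],
})


def load_sarif(text):
    """Parse a SARIF log and reject anything that is not version 2.1.0."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    return doc


def flatten_results(doc):
    """Turn every result of every run into one flat record tagged with its tool."""
    records = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            uri, line = None, None
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                break  # the first location is the primary one for this summary
            records.append({
                "tool": tool,
                "rule_id": result.get("ruleId"),
                # SARIF default when "level" is absent; rule-level overrides not modelled
                "level": result.get("level", "warning"),
                "message": result.get("message", {}).get("text", ""),
                "uri": uri,
                "line": line,
            })
    return records


def summarize(records):
    """Counts by severity, by tool and by file: the overall picture across tools."""
    return {
        "by_level": dict(Counter(r["level"] for r in records)),
        "by_tool": dict(Counter(r["tool"] for r in records)),
        "by_file": dict(Counter(r["uri"] or "<no location>" for r in records)),
    }


def corroborated_locations(records):
    """Locations flagged by more than one tool, a useful triage signal."""
    tools_at = defaultdict(set)
    for r in records:
        if r["uri"] is not None and r["line"] is not None:
            tools_at[(r["uri"], r["line"])].add(r["tool"])
    return {loc: sorted(t) for loc, t in tools_at.items() if len(t) > 1}


if __name__ == "__main__":
    recs = flatten_results(load_sarif(SAMPLE_SARIF))
    print(json.dumps(summarize(recs), indent=2))
    for (uri, line), tools in corroborated_locations(recs).items():
        print(f"{uri}:{line} flagged by {', '.join(tools)}")
```

Because every tool emits the same object model, the flattening step is written once and never needs per-tool parsers; what remains tool-specific (rule identifiers, message wording) is carried through as data rather than encoded in the aggregator.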

Three Statements of Use were received from Software Assurance Marketplace (SWAMP) Project, GrammaTech Inc., and Microsoft [5].

URIs
The prose specification document and related files are available here:

Editable source (Authoritative):
https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/sarif-v2.1.0-cos02.docx

HTML:
https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/sarif-v2.1.0-cos02.html

PDF:
https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/sarif-v2.1.0-cos02.pdf

JSON schemas:
https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/

Distribution ZIP files:

For your convenience, OASIS provides a complete package of the prose specifications and related files in a ZIP distribution file. You can download the ZIP file here:

https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/sarif-v2.1.0-cos02.zip

— Additional information —

[1] OASIS Static Analysis Results Interchange Format (SARIF) TC
https://www.oasis-open.org/committees/sarif/

TC IPR page
https://www.oasis-open.org/committees/sarif/ipr.php

[2] SARIF TC comment mailing list: sarif-comment@lists.oasis-open.org
(You must be subscribed to send to this list. To subscribe, see https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=sarif.)

SARIF TC main mailing list: sarif@lists.oasis-open.org

(You must be a member of the SARIF Technical Committee to send to this list.)

[3] Candidate OASIS Standard Special Majority Vote:

https://www.oasis-open.org/committees/ballot.php?id=3457

[4] Public reviews:

* 30-day public review, 05 June 2019:
https://lists.oasis-open.org/archives/members/201906/msg00002.html
– Comment resolution log:
http://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01-comment-resolution-log.txt

* 60-day public review, 20 December 2019:
https://lists.oasis-open.org/archives/members/201912/msg00012.html
– Comment resolution log:
http://docs.oasis-open.org/sarif/sarif/v2.1.0/cos01/sarif-v2.1.0-cos01-comment-resolution-log.zip

[5] Statements of Use:

– Software Assurance Marketplace (SWAMP) Project –
https://www.oasis-open.org/committees/document.php?document_id=65816&wg_abbrev=sarif

– GrammaTech Inc. –
https://www.oasis-open.org/committees/document.php?document_id=66130&wg_abbrev=sarif

– Microsoft –
https://www.oasis-open.org/committees/document.php?document_id=66346&wg_abbrev=sarif