Cryptsoft, FireEye, GrammaTech, Micro Focus, Microsoft, and Others Advance Open Standard that Defines Common Output Format for Static Analysis Tools
4 June 2020 – The OASIS open standards consortium today announced that its members have approved the Static Analysis Results Interchange Format (SARIF) version 2.1.0 as an OASIS Standard, a status that signifies the highest level of ratification. SARIF defines a common output format for static analysis tools that detect software defects and vulnerabilities, making it feasible for developers and teams to aggregate results produced by multiple tools.
Software developers assess the quality of their programs using a variety of tools that report on validity, security, performance, and compliance with legal requirements. To form an overall picture of program quality, developers often need to aggregate the results produced by all of these tools, a task made difficult when each tool produces output in a different format. SARIF addresses this challenge by defining a standard format that enables developers to:
- Comprehensively capture the range of data produced by commonly used static analysis tools.
- Reduce the cost and complexity of aggregating the results of various analysis tools into common workflows.
- Represent analysis results for all kinds of programming artifacts, including source code and object code.
“Each static analysis tool contributes a different perspective on the code being analyzed,” said OASIS SARIF Technical Committee co-chair, David Keaton. “Combining the results of multiple tools in a common format provides a more complete understanding of the issues in the code that need to be addressed. It’s especially valuable with regard to safety and security.”
“With SARIF,” Keaton continued, “organizations can improve the quality and security of their systems while using standardized and interoperable static analysis solutions. SARIF gives them the ability to easily compare results and supports the development of products whose code spans languages and operating systems.”
The OASIS SARIF Technical Committee brings together major software companies, cybersecurity providers, government, security orchestration specialists, programmers, and consultants. Participation in the SARIF Technical Committee is open to all companies, nonprofit groups, governments, academic institutions, and individuals through membership in OASIS. As with all OASIS projects, archives of the Committee’s work are accessible to both members and non-members alike. OASIS also hosts an open mailing list for public comment.
Support for SARIF 2.1.0
“The benefits of CodeSonar embracing SARIF have really resonated with customers. In today’s ecosystem driven world where lots of different products are being used within a CI/CD pipeline, SARIF enables interoperability which is extremely important at increasing the effectiveness of static analysis tools, and consequently the quality of software in many safety and security-critical domains.”
— Paul Anderson, VP of Engineering, GrammaTech
“Software developers and security practitioners use a variety of solutions to form an overall picture of security and quality of their code, but the task is hindered by the need to process results in different formats. A standard output format allows organizations to more efficiently view, understand, manage, and ultimately address software flaws. As an industry leader, Micro Focus Fortify is proud to be a part of this effort.”
— Yekaterina Tsipenyuk O’Neil, Distinguished Technologist and Principal Security Researcher, Micro Focus
“Microsoft has found the SARIF standard invaluable to lower costs when creating cross-tool code authoring, build and work item filing experiences. The detailed, uniform cross-tool data produced by our SARIF-based engineering system is unlocking insights that weren’t previously available.”
— Michael C. Fanning, Principal Software Engineering Manager, Microsoft
OASIS SARIF Technical Committee: https://www.oasis-open.org/committees/sarif
One of the most respected, member-driven standards bodies in the world, OASIS offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement. OASIS members include major multinational companies, SMEs, government agencies, universities, research institutions, consulting groups, and individuals are represented.