futures addition #621
12 changes: 12 additions & 0 deletions Future.md
@@ -14,6 +14,10 @@ The SARIF project started with a relatively simple mission, define a standard fo

Ultimately, the SARIF standard would enable the automatic exchange of results from all types of software analysis tools. This page details some of the efforts and investigations that the SARIF team is planning in order to achieve that goal.

## Acronym Change

With an expanded scope the **SARIF** acronym's underlying expansion would change from **S**tatic **A**nalysis **R**esults **I**nterchange **F**ormat to **S**ystematic **A**nalysis **R**esults **I**nterchange **F**ormat.
Contributor

@sthagen sthagen Jan 11, 2024


Please consider the discussion in #603. I propose to go with System Analysis Report Interchange Format if no majority is going for Software ...


## SARIF Field Compatibility

The following table shows mapping between current SARIF terminology as used for static analysis and that of other possible use cases.
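Review bot: the "Acronym Change" paragraph states one replacement expansion (Systematic Analysis Results Interchange Format) as if it were decided, while the comment on this hunk shows the choice is still open (System Analysis Report Interchange Format is proposed as an alternative, with "Software" also in play). Suggest wording it as a proposal and pointing at the open discussion, e.g. "With an expanded scope the expansion of the **SARIF** acronym would need to change; candidates under discussion in #603 include **S**ystematic **A**nalysis **R**esults **I**nterchange **F**ormat and **S**ystem **A**nalysis **R**eport **I**nterchange **F**ormat." Note also that "Results" versus "Report" changes the meaning of the R, so whichever is chosen should be used consistently with the field terminology introduced in the section that follows.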
@@ -65,3 +69,11 @@ Software doesn't exist in a vacuum. Modern software often runs in a complex ecos
One way to tackle this problem is to identify a way to link SARIF into a model of that ecosystem, such as what is generated by "observability" tools that leverage OpenTelemetry. Linking of this nature has benefits in both directions. People looking at the entire ecosystem can drill into SARIF details from the global picture. People more focused on individual software components can enrich SARIF results with an understanding of context.

For example, imagine that SARIF identifies a "critical" SQL injection problem in an application. Adding global context would enable adding risk factors that temper that result. The application might only contain read-only, public data. Or it might only be accessible by administrators. Or it might be protected by a runtime protection module. The contextual risk calculation may be only "low".

## Provide Domain-specific Schema Subsets

In order to reduce the overhead of working with the complete SARIF schema and also accommodate the diverse needs of automated software pipelines, domain-specific schema subsets would be created. These would be strict subsets in that they would conform to the master SARIF schema.

Schema subsetting would also allow for the adoption of SARIF in these new domains as the weight of the current schema acts as a barrier to entry.

Additionally, these schema subsets should accelerate the creation of SARIF data manipulation within the build pipeline.
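Review bot: "strict subsets in that they would conform to the master SARIF schema" leaves the direction of conformance ambiguous; state explicitly that every document valid against a subset schema must also validate against the full SARIF schema (a subset may only add constraints, such as making properties required or narrowing enumerations, never relax them), since that is what lets any SARIF-aware consumer accept a subset document. The section also does not say how a subset is identified in an instance document or how it is versioned against the master schema; one sentence tying each subset to the SARIF version it is derived from would make the proposal actionable for tool authors. Minor: "accelerate the creation of SARIF data manipulation within the build pipeline" reads awkwardly; suggest "accelerate development of tooling that produces and consumes SARIF in build pipelines".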