Skip to content
Permalink
main
Switch branches/tags
Go to file
 
 
Cannot retrieve contributors at this time
204 lines (144 sloc) 9.64 KB

1. Opening Activities

1.1 Opening comments (Co-Chair David)

1.2 Introduction of participants/roll call (Co-Chair David)

First Name Last Name Company Role(s)
Aharon Abadi WhiteSource Voting Member
Chris Meyer Microsoft Voting Member
David Keaton Individual Chair
Jeff Williams Contrast Security Voting Member
Jonathan Gilday Contrast Security Observer
Mary Mart Microsoft Guest
Michael Fanning Microsoft Voting member
Stefan Hagen Individual Secretary, taking notes
Thanassis Avgerinos ForAllSecure Inc Voting Member
Yekaterina O'Neil Micro Focus Voting member

1.3 Procedures for this meeting (Co-Chair David)

1.4 Approval of agenda (Co-Chair David)

Agenda was approved.

1.5 Approval of previous minutes (Co-Chair David)

Minutes were approved.

1.6 Review of action items and resolutions (Secretary Stefan)

  • ACTION on Chris to update readme/website:
    • COMPLETE
  • ACTION on Paul to provide Grammatech search domains:
    • ONGOING
  • ACTION on Michael to reach out to Jeff Williams on providing positive evidence:
    • ONGOING (meeting in planning, then a mail will go to the list with results)
  • ACTION on Michael to solicit/identify concrete next steps on schema/data:
    • ONGOING (errata done, schema changes pending)
  • ACTION on Michael to reach out to Aharon, who has background in fixing, previews, pull requests:
    • ONGOING (May 10 there will be a meeting with discussion, mail will be sent to the list; topics complex result list and auto fixes)
  • ACTION on Michael to manage the resulting changes from the errata draft to carry over to schema
    • ONGOING (comment on tracking issue)
  • ACTION on Chris to follow-up on the discussion on injection and parser addition caused complexity leading to possible security risks

1.7 Identification of SARIF TC voting members (Co-Chair David)

1.7.1 Prospective members attending their first meeting

1.7.2 Members attaining voting rights at the end of this meeting

  • Stefan will gain voting rights at the end of this meeting.

1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends

1.7.4 Members who previously lost voting rights who are attending this meeting

1.7.5 Members who have declared a leave of absence

2. Future Meetings

2.1 Future meeting schedule (Co-Chair Keaton)

  • Scheduled Teleconferences (Thursdays at 08:00 PDT / 15:00 UTC for 1.5 hours)

    May 26
    
  • Proposed Teleconferences (Thursdays at 08:00 PT / 15:00 UTC for 1.5 hours)

    June 16
    June 30
    
  • Possible face-to-face meeting when pandemic permits

3. Discussion

3.1 Review recruitment effort to complete the technical committee

  • David: Recruitement going well; another meeting with new prospective members upcoming
  • David: There will be an official OASIS news release announcing some of our new members

3.2 Review status on finalizing SARIF 2.1 errata List of next steps - github issue #509

  • All discuss the status of review and clarify the nature of the received feedback
  • David: Plans are to send out next week and conduct a one week email ballot to then trigger the public review process
  • David: In case the edits take longer we will vote on the next meeting

3.3 Review current state of ecosystem ongoing work

3.4 Any continued report/discussion on metrics

  • Awaiting discussion between Michael and Paul

3.5 Discussion of updates to SARIF web site https://sarifweb.azurewebsites.net/

  • Chris: Walks all through the sections of the SARIF web site / landing page at https://sarifweb.azurewebsites.net/
  • All discuss the scope of the website
  • Michael: Clarifies that Microsoft maintains the site, but the intent is to offer any available tool / resource
  • Chris: There are already non-microsoft resources present on the site
  • Michael: Suggests revisiting the approach / scope of the site offering - site was finished four years ago and new contributors to the TC might provide fresh ideas.
  • Chris: Encourages everyone to provide feedback
  • Michael: Provides https://reproducible-builds.org as food for thought
  • Jeff: Suggests there should be ideally a single info source for all things SARIF
  • Stefan: Mentions https://csaf.io as another example from the OASIS CSAF TC
  • Jonathan: Contarst Security OSS tools could be integrated like POJOs generated from the Static Analysis Results Interchange Format (SARIF) JSON schema.

3.6 Review outcomes of MSFT/ForAllSecure dynamic analysis discussion

  • Michael:
    • Report from the meeting / discussions
    • Walks all through his notes
      • Key principles for dynamic analysis
      • Problems for supporting data from dynamic results
  • Jeff:
    • Static vs. dynamic analysis results are just different perspectives focusing on the same finding (blending linear and hierarchical approaches)
    • There should be a way (ideally) to bring both perspectives together in SARIF - maybe the tools could bring in ideas
    • Great use case could be test / re-test - keeping maximal context (state) to be able to immediately share that information within the test case executing
      • Works best with end-to-end tests - but in general no need to exploit vulnerabilities to bring value to the developer
  • Thanassis:
    • embraces the sketched approaches to exploration of extending SARIF to dynamic analysis
    • additional complexity comes from combining test results from different scopes but if successful that may boost developers fixing velocity and increase coverage
    • what about reproducibility?
  • David:
    • (w.r.t.) naming to widen the scope as embraced by the members of the TC is possible no recharter is needed (only clarification)
    • Perspective is static transforming into software term
    • Acronym SARIF can stay
  • Michael: Provides link to debug assistance within the .Net context as example: Diagnose Errors with Managed Debugging Assistants - 2022-MAR-11
  • Stefan: The current plan from previous meetings is to explore the name evolution after the errata publication

3.7 Status of Wikipedia page

  • Ongoing

3.8 Discuss end-to-end results management (including code insights protocol)

  • Skipped

3.9 Vote on liaison with OpenSSF https://openssf.org

  • David:
    • Shortly summarizes the rationale for and modes of liaisons
    • OpenSSF has asked OASIS if there is interest inside the SARIF TC for entering a liaison
    • Suggests to vote on our side if there is sufficient interest, next OpenSSF will vote on their side
    • In case there is sufficient interest the TC should vote on who and how that liaison should be implemented.

Jeff moves to enter a liaison relationship with OpenSSF. Michael seconds. All discuss the motion. No further discussion, no objection, unanimous consent. The motion carries.

David: Vote for entering the liaison relationship. Result of vote: 8 in favor, 0 against, 0 abstain. Vote in favor of the relationship, so the SARIF TC will enter such a relationship.

Discussion on candiate for representing the liaison:

  • Michael:
    • Michael Scovetta is the Microsoft representative for the OpenSSF Alpha-Omega project.
    • Michael Fanning might be able to take on that role in case the OpenSSF meeting frequency would be feasible for him
  • David: Small liaison group may be positive (more robust) while a larg group may become counter productive.
  • Thanassis: ForAllSecure as company might be able to help

David: Next meeting we will vote on who this liaison shall be.

4. Other Business

None

5. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)

5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)

5.2 Review of Decisions Reached (Secretary Hagen)

  • DECISION to enter a liaison relationship with OpenSSF
  • DECISION to schedule meetings on June 16 and June 30

5.3 Review of Action Items (Secretary Hagen)

  • ACTION on Chris to prepare proposals for a domain name to host a future SARIF central information site.

6. Next Meeting

May  26, 2022 / 08:00-09:30 PDT / 15:00-16:30 UTC

7. Adjournment

Meeting was adjourned.