First Name | Last Name | Company | Role(s) |
---|---|---|---|
Aditya | Sharad | Microsoft | Voting Member |
Aharon | Abadi | WhiteSource | Member |
Chris | Meyer | Microsoft | Voting Member |
David | Keaton | Individual | Chair |
Jeff | Williams | Contrast Security | Member |
Michael | Fanning | Microsoft | Voting member |
Nathan | Baird | Microsoft | Voting Member |
Paul | Anderson | Grammatech, Inc. | Voting member |
Thanassis | Avgerinos | ForAllSecure Inc | Voting member |
Yekaterina | O'Neil | Micro Focus | Voting member |
- https://www.oasis-open.org/committees/download.php/69805/agenda_20220407.html Agenda was approved
-
Minutes of 2022-03-24_Meeting #55
David: correction to the minutes, we need to add 'links' not 'deletes' in the minutes, will create a PR. Minutes were approved as amended. Update after the meeting: PR has been created at #523
- ACTION on Chris to update readme/website
- ONGOING
- ACTION on Michael to create uses cases for discussion
- DONE
- ACTION on Michael to connect Thanassis with VS Code SARIF viewer project members
- DONE
- Jeff Williams CTO from Contrast Security: is an OASIS member and can participate fully, will be a voting member if he attends next meeting.
- James Spoor loses voting rights at the end of this meeting if he does not attend, as will Stefan Hagen.
-
Scheduled Teleconferences (Thursdays at 08:00 PDT / 15:00 UTC for 1.5 hours)
On the following date, North America and Europe will be on Daylight Savings Time.
April 21
-
Proposed Teleconferences (Thursdays at 08:00 PDT / 15:00 UTC for 1.5 hours)
May 5 May 26
Paul has a conflict with May 5 but won't block.
-
Possible face-to-face meeting when pandemic permits
- We have accumulated new members, including WhiteSource today. OASIS has lined up additional discussions with Apiro. No other recruitment discussion.
3.1.1 Discuss difference in emphasis between static and dynamic analysis for potential future members (issue arose during recruitment).
- Static analysis format is mostly fixed, we're moving onto end-to-end fixing/reporting here.
- Dynamic analysis will entail new design work.
- Metrics is a new common concern
- The two domains have commonality in viewing but differences in literal bug-fixing.
- CyberEO/compliance concerns. NIST has received a directive to provide new rules, etc. https://www.cisa.gov/executive-order-improving-nations-cybersecurity
- Q: Aharon Abadi: the focus s/be eliminating the problem (and potentially prevention).
- Katrina asks why aren't we pursuing dynamic analysis? David points out that we need to recharter the TC to pursue this. MF points out we're circling the problem, haven't concretely identified our first primary topic. Katrina isn't sure about MicroFocus involvement in the dynamic analysis topic.
3.2 Review status on finalizing SARIF 2.1 errata List of next steps - github issue #509
- OASIS editors have completed their latest round of revisions, David will sanity check and pass on to the actual committee.
- GHAS SARIF integration ongoing with VS and VS Code SARIF viewers.
- We've pulled together our comprehensive list of SARIF exports.
- We have finished ESLint, Clippy (Rust language), clj-watson (clojure language), clj-holmes (clojure language)
- In progress, we're adding support for Speccy (open API, formerly known as swagger), ansible and puppet linters.
- Moving on to LintR (for the R language).
- Katrina and Paul have provided metrics for MF to use for schema design/validation.
None noted.
- All review use cases.
- Jeff:
- We need positive evidence.
- What about evidence of non-reporting (engine short-circuited, for example)?
- How do we motivate tool vendors to provide it?
- What do users do with this data?
- Thanassis suggests using a code coverage model.
- Michael notes that devs don't want to learn.
- Jeff: there is a 'learning model', which leads to prevention.
- Aharon: incremental scanning is interesting, we should discuss at some point.
5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)
None noted.
- ACTION on Paul to provide Grammatech search domains.
- ACTION on Michael to reach out to Jeff on providing positive evidence.
- ACTION on Michael to solicit/identify concrete next steps on schema/data.
- ACTION on Michael to reach out to Aharon, who has background in fixing, previews, pull requests.
April 14, 2022 / 08:00-09:30 PDT / 15:00-16:30 UTC
Meeting was adjourned.