Skip to content

Latest commit

 

History

History
154 lines (103 loc) · 6.27 KB

220407_SARIF_TC_56.md

File metadata and controls

154 lines (103 loc) · 6.27 KB
Raw

1. Opening Activities

1.1 Opening comments (Co-Chair David)

1.2 Introduction of participants/roll call (Co-Chair David)

First Name Last Name Company Role(s)
Aditya Sharad Microsoft Voting Member
Aharon Abadi WhiteSource Member
Chris Meyer Microsoft Voting Member
David Keaton Individual Chair
Jeff Williams Contrast Security Member
Michael Fanning Microsoft Voting member
Nathan Baird Microsoft Voting Member
Paul Anderson Grammatech, Inc. Voting member
Thanassis Avgerinos ForAllSecure Inc Voting member
Yekaterina O'Neil Micro Focus Voting member

1.3 Procedures for this meeting (Co-Chair David)

1.4 Approval of agenda (Co-Chair David)

1.5 Approval of previous minutes (Co-Chair David)

  • Minutes of 2022-03-24_Meeting #55

    David: correction to the minutes, we need to add 'links' not 'deletes' in the minutes, will create a PR. Minutes were approved as amended. Update after the meeting: PR has been created at #523

1.6 Review of action items and resolutions (Secretary Stefan)

  • ACTION on Chris to update readme/website
    • ONGOING
  • ACTION on Michael to create uses cases for discussion
    • DONE
  • ACTION on Michael to connect Thanassis with VS Code SARIF viewer project members
    • DONE

1.7 Identification of SARIF TC voting members (Co-Chair David)

1.7.1 Prospective members attending their first meeting

  • Jeff Williams CTO from Contrast Security: is an OASIS member and can participate fully, will be a voting member if he attends next meeting.

1.7.2 Members attaining voting rights at the end of this meeting

1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends

  • James Spoor loses voting rights at the end of this meeting if he does not attend, as will Stefan Hagen.

1.7.4 Members who previously lost voting rights who are attending this meeting

1.7.5 Members who have declared a leave of absence

2. Future Meetings

2.1 Future meeting schedule (Co-Chair Keaton)

  • Scheduled Teleconferences (Thursdays at 08:00 PDT / 15:00 UTC for 1.5 hours)

    On the following date, North America and Europe will be on Daylight Savings Time.

    April 21

  • Proposed Teleconferences (Thursdays at 08:00 PDT / 15:00 UTC for 1.5 hours)

    May  5
May 26

    Paul has a conflict with May 5 but won't block.

  • Possible face-to-face meeting when pandemic permits

3. Discussion

3.1 Review recruitment effort to complete the technical committee

  • We have accumulated new members, including WhiteSource today. OASIS has lined up additional discussions with Apiro. No other recruitment discussion.

3.1.1 Discuss difference in emphasis between static and dynamic analysis for potential future members (issue arose during recruitment).

  • Static analysis format is mostly fixed, we're moving onto end-to-end fixing/reporting here.
  • Dynamic analysis will entail new design work.
  • Metrics is a new common concern
  • The two domains have commonality in viewing but differences in literal bug-fixing.
  • CyberEO/compliance concerns. NIST has received a directive to provide new rules, etc. https://www.cisa.gov/executive-order-improving-nations-cybersecurity
  • Q: Aharon Abadi: the focus s/be eliminating the problem (and potentially prevention).
  • Katrina asks why aren't we pursuing dynamic analysis? David points out that we need to recharter the TC to pursue this. MF points out we're circling the problem, haven't concretely identified our first primary topic. Katrina isn't sure about MicroFocus involvement in the dynamic analysis topic.

3.2 Review status on finalizing SARIF 2.1 errata List of next steps - github issue #509

  • OASIS editors have completed their latest round of revisions, David will sanity check and pass on to the actual committee.

3.3 Review current state of ecosystem ongoing work

  • GHAS SARIF integration ongoing with VS and VS Code SARIF viewers.
  • We've pulled together our comprehensive list of SARIF exports.
  • We have finished ESLint, Clippy (Rust language), clj-watson (clojure language), clj-holmes (clojure language)
  • In progress, we're adding support for Speccy (open API, formerly known as swagger), ansible and puppet linters.
  • Moving on to LintR (for the R language).

3.4 Any continued report/discussion on metrics

  • Katrina and Paul have provided metrics for MF to use for schema design/validation.

3.5 Status of Wikipedia page

None noted.

3.6 Discuss end-to-end results management (including code insights protocol)

  • All review use cases.
  • Jeff:
    • We need positive evidence.
    • What about evidence of non-reporting (engine short-circuited, for example)?
    • How do we motivate tool vendors to provide it?
    • What do users do with this data?
  • Thanassis suggests using a code coverage model.
  • Michael notes that devs don't want to learn.
  • Jeff: there is a 'learning model', which leads to prevention.

4. Other Business

  • Aharon: incremental scanning is interesting, we should discuss at some point.

5. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)

5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)

5.2 Review of Decisions Reached (Secretary Hagen)

None noted.

5.3 Review of Action Items (Secretary Hagen)

  • ACTION on Paul to provide Grammatech search domains.
  • ACTION on Michael to reach out to Jeff on providing positive evidence.
  • ACTION on Michael to solicit/identify concrete next steps on schema/data.
  • ACTION on Michael to reach out to Aharon, who has background in fixing, previews, pull requests.

6. Next Meeting

April  14, 2022 / 08:00-09:30 PDT / 15:00-16:30 UTC

7. Adjournment

Meeting was adjourned.