Provide a formal web request object #247
Labels
e-ballot
enhancement
future
impact-non-breaking-change
p2
Priority 2 issue to close
resolved-deferred
Comments
|
do we need to generalize inputs that lead to analysis? database queries for example. |
|
EBALLOT PROPOSAL We propose to mark this issue as |
michaelcfanning
changed the title
|
@michaelcfanning Per approved e-ballot, closing. |
ghost
closed this as This issue was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have had a second request for a SARIF definition for a web request object. This standard is focused on static analysis and our goal is for a comprehensive format in this domain. We don't have a similar accountability/charter to comprehensively cover the dynamic analysis domain. We have added some useful constructs previously, however, that have some clear utility or overlap with static analysis domain.
Request data asked for:
method, protocol, protocol version, port, uri, query string, body, headers, parameters
The ambiguity here is that for some applications (such as web code), there is no program representation that's available in version control that's suited to static analysis. A common approach to overcome this is to produce a driver app that periodically captures the program/DOM representation and applies static analysis at that time. A tool that operates in this way might want to associate a web request object with a result (or with an embedded DOM representation in the files table) that resulted in the inspected target.
Conceptually, this is a bit similar to a second scenario we're wrestling with: how to accommodate tools that analyze data streams returned by a query at a specific point in time.
The text was updated successfully, but these errors were encountered: