OASIS Static Analysis Results Interchange Format (SARIF) Technical Committee
The original Call For Participation for this TC may be found at https://lists.oasis-open.org/archives/sarif/201708/msg00000.html
-
Name of the TC
Static Analysis Results Interchange Format (SARIF) TC
-
Statement of Purpose
The purpose of the TC is to define a standard output format for static analysis tools, which will be called the Static Analysis Results Interchange Format (SARIF).
A static analysis tool is a program that examines programming artifacts in order to detect problems, without executing the program. Software developers use a variety of static analysis tools to assess the quality of their programs. To form an overall picture of program quality, developers must often aggregate the results produced by all of these tools. This aggregation is more difficult if each tool produces output in a different format. A standard output format would make it feasible for developers and teams to view, understand, interact with, and manage the results produced by all the tools that they use.
The goals of the format are:
- Comprehensively capture the range of data produced by commonly used static analysis tools.
- Be a useful format for analysis tools to emit directly, and also an effective interchange format into which the output of any analysis tool can be converted.
- Be suitable for use in a variety of scenarios related to analysis result management, and be extensible for use in new scenarios.
- Reduce the cost and complexity of aggregating the results of various analysis tools into common workflows.
- Capture information that is useful for assessing a project's compliance with corporate policy or conformance to certification standards.
- Adopt a widely used serialization format that can be parsed by readily available tools.
- Represent analysis results for all kinds of programming artifacts, including source code and object code.
-
Scope of Work
The scope of work of the TC is to produce a specification that defines the SARIF format.
Specifically, the SARIF specification will describe:
- Multiple "runs" of different analysis tools in a single log file.
- The analysis tool that performs each run, including:
- Tool name
- Tool version
- The invocation of the analysis tool, including:
- Command line
- Begin and end time
- The files that were analyzed, including:
- URI
- MIME type
- Nested files, such as files contained within a compressed archive such as a ZIP file.
- The analysis rules that were executed.
- Information about each analysis result that was produced, including:
- The location of the result.
- The rule that was violated.
- The severity of the violation.
- Execution paths through the code that are relevant to the result.
- Call stacks relative to the result.
- Possible fixes for the problem.
- Notifications produced by the analysis tool, including:
- Progress messages.
- Configuration information.
The following are not within the scope of work of the TC:
- The definition or implementation of any application programming interfaces (APIs) for accessing, manipulating, or managing the information contained in a SARIF file.
- The definition or implementation of any experiences for viewing or otherwise interacting with the information contained in a SARIF file.
-
Deliverables
The TC's primary deliverable is a specification that defines the SARIF format. Projected completion date is 9 months from the date of the first meeting of the TC.
The TC may also produce other such educational or explanatory non-normative materials as it judges useful to assist in adoption of the specification.
-
IPR Mode
This TC will operate under the RF on RAND IPR mode as defined in Section 10.2 of the OASIS IPR Policy document.
-
Audience
The SARIF specification will be used by the following classes of users:
- Developers and others who use static analysis tools to measure, assess, and track the quality of their software products.
- The developers of static analysis tools, who will use it to enable their tools to produce output in the SARIF format.
- The developers of conversion tools, who will use it to write tools that convert the output of existing static analysis tools to the SARIF format.
- The developers of "result management systems" who will use it to enable their systems to consume the output from any tool that can produce the SARIF format. (A results management system consumes the output of analysis tools, and produces reports that allow teams to assess the quality of their software products and to track it over time.)
- The developers of Integrated Development Environments (IDEs), who will use it to provide experiences for viewing, interacting with, and managing the results from any analysis tool that produces results in the SARIF format.
-
Language
The TC shall conduct business in English.