diff --git a/meeting_minutes/241114_SARIF_TC_93.md b/meeting_minutes/241114_SARIF_TC_93.md new file mode 100644 index 00000000..5bb81afb --- /dev/null +++ b/meeting_minutes/241114_SARIF_TC_93.md @@ -0,0 +1,220 @@ +# 1. Opening Activities + +## 1.1 Opening comments (Co-Chair David) + +## 1.2 Introduction of participants/roll call (Co-Chair David) + +Quorum requires participation of five or more of the nine voting members. + +| First Name | Last Name | Company | Role(s) | Present | +|:-----------|:--------------|:------------------------|:---------------------------|:--------| +| Aditya | Sharad | Microsoft | Voting Member | YES | +| Alexandre | Dulaunoy | CIRCL | Member | NO | +| Andras | Iklody | CIRCL | Member | NO | +| Arjun | Gopalakrishna | Microsoft | Voting Member | YES | +| Charles | Wilson | Torc Robotics, Inc. | Member | NO | +| Chris | Meyer | Microsoft | Member | NO | +| David | Keaton | Individual | Co-Chair | YES | +| David | Malcolm | Red Hat | Voting Member | YES | +| Eddy | Nakamura | Microsoft | Member | NO | +| Kevin | Greene | Mitre Corporation | Member | NO | +| Luke | Cartey | Microsoft | Co-Chair | NO | +| Mary | Martin | Microsoft | Member | NO | +| Michael | Fanning | Microsoft | Member | NO | +| Michael | Omokoh | Microsoft | Voting Member | NO | +| Nathan | Baird | Microsoft | Voting Member | YES | +| Paul | Brookes | Microsoft | Member | NO | +| Paul | Seay | Northrop Grumman | Member | NO | +| Ross | Wollman | Microsoft | Member | NO | +| Stefan | Hagen | Individual | Secretary, taking notes ♬ | YES | +| Thanassis | Avgerinos | ForAllSecure Inc | Voting Member | YES | +| Tim | Hudson | Cryptsoft Pty Ltd. | Member | NO | +| Vadim | Okun | NIST | Observer | NO | + +Seven of the nine voting members present - quorum was reached. + +## 1.3 Procedures for this meeting (Co-Chair David) + +## 1.4 Approval of agenda (Co-Chair David) + +* [Agenda for November 14, 2024](https://www.oasis-open.org/committees/download.php/72357/) + +The agenda was approved. + +## 1.5 Approval of previous minutes (Co-Chair David) + +* [Minutes of 2024-10-10 Meeting #92](https://www.oasis-open.org/committees/download.php/72271/) + +The minutes were approved. + +## 1.6 Review of action items and resolutions (Secretary Stefan) + +* ACTION on David Malcolm to comment on #588 sketching a proposal for #line directives + * ONGOING +* ACTION on David Malcolm to update issue #588 (support of diagrams in SARIF) + * ONGOING +* ACTION on Stefan to provide prose explaining the use of `guid`s in another new issue and to provide an implementation per pull request + (cf. [Provide prose explaining the use of guids across all occurrences #648](https://github.com/oasis-tcs/sarif-spec/issues/648) + * ONGOING - still reading through all 92 locations of GUIDs in SARIF v2.1 to best derive claims associated with a top-level GUID +* ACTION on Stefan to research the history and status of + [Question: How to represent results from deep in revision control history? #564](https://github.com/oasis-tcs/sarif-spec/issues/564) + "Question: How to represent results from deep in revision control history?" + * The TC shall discuss the matter as unfortunately the issue has never been documented + as being discussed within the TC (Stefan assessed all minutes documents from + the proposed first meeting to discuss the matter onwards) + * DONE +* ACTION on Stefan to create an editor text for the proposal in + [Suggestions for more threadFlowLocation "kinds" property values #530](https://github.com/oasis-tcs/sarif-spec/issues/530) + * ONGOING - in queue +* ACTION on Stefan to try to propose text in context for + [Consider using the "relevant to understanding the result" wording also in notifications/relatedLocation #649](https://github.com/oasis-tcs/sarif-spec/issues/649) + * ONGOING - in queue +* ACTION on Stefan to try to add that informative statement to the issue and the text per + [Is any escaping of URIs within "3.11.6 Messages with embedded links" needed? #657](https://github.com/oasis-tcs/sarif-spec/issues/657) + * TL;DR; No - provided clarification (on [RFC choice](https://github.com/oasis-tcs/sarif-spec/issues/657#issuecomment-2475582112)) and + [proposal answering the question](https://github.com/oasis-tcs/sarif-spec/issues/657#issuecomment-2475620829) both in the ticket + * DONE +* ACTION on Thanassis to provide info on justificationTypes from SBOM initiatives (research) + * ONGOING - Suggests to present next meeting + +## 1.7 Identification of SARIF TC voting members (Co-Chair David) + +### 1.7.1 Prospective voting members attending their first meeting + +### 1.7.2 Members attaining voting rights at the end of this meeting + +### 1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends + +### 1.7.4 Members who previously lost voting rights who are attending this meeting + +### 1.7.5 Members who have declared a leave of absence + +# 2. Future Meetings + +## 2.1 Future meeting schedule (Co-Chair David) + +- Scheduled Teleconference (Thursday at 08:00 PT / 16:00 UTC for 1.5 hours) + ``` + December 12, 2024 + ``` + regrets: Stefan + - Proposed Teleconference (Thursday at 08:00 PT / 16:00 UTC for 1.5 hours) + ``` + January 9, 2025 + ``` + +# 3. Discussion + +## 3.1 Review current state of ecosystem ongoing work + +### 3.1.1 Related activities (OPENSSF, etc.) + +None + +### 3.1.2 Other Ecosystem Items + +* David Malcolm: SARIF support in GCC now supports text and SARIF as report formats + in parallel (before the selection was mutual exclusive) + +## 3.2 Review outcomes of subgroup discussions + +* No editor meeting and no new editor revision for this month +* No other subgroup discussions + +## 3.3 Discuss the list of small non-breaking changes for SARIF v2.2 + +### 3.3.1 Editor's report + +Working on actions to produce proposals. + +### 3.3.2 Approval of changes + +None + +### 3.3.3 Additional discussion + +* [Is any escaping of URIs within "3.11.6 Messages with embedded links" needed? #657](https://github.com/oasis-tcs/sarif-spec/issues/657) + * All discuss + * David Malcolm: GCC SARIF always produces messages in plain text format + * Aditya: Verified that the GitHub parser and browsers can deal with parentheses but + is in favor of adding some informative text suggesting to consider URL percent encoding + such characters + * Thanassis: confirms that unbalanced parentheses break the links +* [Question: How to represent results from deep in revision control history? #564](https://github.com/oasis-tcs/sarif-spec/issues/564) + * Stefan: Thinks this is a valid use case + * Aditya: Informs about the GitHub API to address blobs + * https://docs.github.com/en/rest/git/blobs?apiVersion=2022-11-28 + * Nathan: Suggests that maybe open ended version strings might help +* [UTF8 bytes count support as columnKind? #466](https://github.com/oasis-tcs/sarif-spec/issues/466) + * All discuss + * Proposal is to add other columnKinds (cf. ticket ) + * David Malcolm to propose a wording for the proposal (using bytes and maybe a unicode column number) +* [Suggestions for more threadFlowLocation "kinds" property values #530](https://github.com/oasis-tcs/sarif-spec/issues/530) + * All: remove the to be discussed as the design is already approved +* [location.id within a notification object #540](https://github.com/oasis-tcs/sarif-spec/issues/540) + * All discuss +* [Consider adding reportingDescriptor.uiLabel property #567](https://github.com/oasis-tcs/sarif-spec/issues/567) + * Aditya: Proposed to use a different element instead as noted in his [comment](https://github.com/oasis-tcs/sarif-spec/issues/567#issuecomment-2405513811) suggesting to close the issue +* [Clarify use (or extend design) of SARIF to express hierarchical diagnostics. #572](https://github.com/oasis-tcs/sarif-spec/issues/572) + * All discuss + * David Malcolm assumes there will still be some iterations before something can be proposed + * David Keaton explains two approaches of standardization, one where the standard goes first, then implementations follow + or alternatively the implementers go first (maybe each one differently) and then standardization tries to harmonize; + and he thinks this issues looks like the second strategy might match + * Stefan mentions JSON Path RFC as a very good and useful example for the second approach + * Nathan: This issue looks like a graph approach and although he has no use for that currently it may be useful + * All look forward to see examples from David Malcolms GCC extension + * David Malcolm shares (experimental quality): + * [Screenshot of text version of output](https://gcc.gnu.org/bugzilla/attachment.cgi?id=59580) + * [and a mockup](https://gcc.gnu.org/bugzilla/attachment.cgi?id=59598) + * [and a SARIF example](https://gcc.gnu.org/bugzilla/attachment.cgi?id=58852) + * [Consider adding bucketized 'justification' field for suppression object. #574](https://github.com/oasis-tcs/sarif-spec/issues/574) + * All discuss if the enumerations would be mutual exclusive and that the change would be non-breaking + * Stefan: Will provide a text + * Aditya: Here are the + [dismissal types GitHub currently provides in the UI](https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#dismissing-alerts) essentially 3 choices: Won't fix, FP, used in tests. + +## 3.4 Review Roadmap [Future.md](https://github.com/oasis-tcs/sarif-spec/blob/main/Future.md) + +Skipped + +## 3.5 Discuss SARIF's relationship to other relevant standards + +Skipped + +# 4. Other Business + +None + +# 5. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end) + +## 5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair David) + +## 5.2 Review of Decisions Reached (Secretary Stefan) + +* DECISION to meet on January, 9 in 2025 as next meeting after the December 2024 meeting + +## 5.3 Review of Action Items (Secretary Stefan) + +* Ongoing ACTIONS (from former meetings): + * ACTION on David Malcolm to comment on #588 sketching a proposal for #line directives + * ACTION on David Malcolm to update issue #588 (support of diagrams in SARIF) + * ACTION on Stefan to create an editor text for the proposal in + [Suggestions for more threadFlowLocation "kinds" property values #530](https://github.com/oasis-tcs/sarif-spec/issues/530) + * ACTION on Stefan to try to propose text in context for + [Consider using the "relevant to understanding the result" wording also in notifications/relatedLocation #649](https://github.com/oasis-tcs/sarif-spec/issues/649) + * ACTION on Thanassis to provide info on justificationTypes from SBOM initiatives (research) +* ACTION on Aditya to provide an informal text to guide escaping of URIs +* ACTION on David to propose additional text on 3.14.27 columnKind property for issue [UTF8 bytes count support as columnKind? #466](https://github.com/oasis-tcs/sarif-spec/issues/466) +* ACTION on David to propose a text for issue [location.id within a notification object #540](https://github.com/oasis-tcs/sarif-spec/issues/540) +* ACTION on Stefan to provide a text for [Consider adding bucketized 'justification' field for suppression object. #574](https://github.com/oasis-tcs/sarif-spec/issues/574) + +# 7. Next Meeting + + ``` + December 12, 2024 + ``` + +# 8. Adjournment + +Meeting was adjourned.