oasis-tcs · sthagen · Nov 13, 2024 · Nov 13, 2024 · Nov 14, 2024 · Nov 14, 2024
diff --git a/meeting_minutes/241114_SARIF_TC_93.md b/meeting_minutes/241114_SARIF_TC_93.md
@@ -0,0 +1,220 @@
+# 1. Opening Activities
+
+## 1.1 Opening comments (Co-Chair David)
+
+## 1.2 Introduction of participants/roll call (Co-Chair David)
+
+Quorum requires participation of five or more of the nine voting members.
+
+| First Name | Last Name     | Company                 | Role(s)                    | Present |
+|:-----------|:--------------|:------------------------|:---------------------------|:--------|
+| Aditya     | Sharad        | Microsoft               | Voting Member              | YES     |
+| Alexandre  | Dulaunoy      | CIRCL                   | Member                     | NO      |
+| Andras     | Iklody        | CIRCL                   | Member                     | NO      |
+| Arjun      | Gopalakrishna | Microsoft               | Voting Member              | YES     |
+| Charles    | Wilson        | Torc Robotics, Inc.     | Member                     | NO      |
+| Chris      | Meyer         | Microsoft               | Member                     | NO      |
+| David      | Keaton        | Individual              | Co-Chair                   | YES     |
+| David      | Malcolm       | Red Hat                 | Voting Member              | YES     |
+| Eddy       | Nakamura      | Microsoft               | Member                     | NO      |
+| Kevin      | Greene        | Mitre Corporation       | Member                     | NO      |
+| Luke       | Cartey        | Microsoft               | Co-Chair                   | NO      |
+| Mary       | Martin        | Microsoft               | Member                     | NO      |
+| Michael    | Fanning       | Microsoft               | Member                     | NO      |
+| Michael    | Omokoh        | Microsoft               | Voting Member              | NO      |
+| Nathan     | Baird         | Microsoft               | Voting Member              | YES     |
+| Paul       | Brookes       | Microsoft               | Member                     | NO      |
+| Paul       | Seay          | Northrop Grumman        | Member                     | NO      |
+| Ross       | Wollman       | Microsoft               | Member                     | NO      |
+| Stefan     | Hagen         | Individual              | Secretary, taking notes ♬ | YES     |
+| Thanassis  | Avgerinos     | ForAllSecure Inc        | Voting Member              | YES     |
+| Tim        | Hudson        | Cryptsoft Pty Ltd.      | Member                     | NO      |
+| Vadim      | Okun          | NIST                    | Observer                   | NO      |
+
+Seven of the nine voting members present - quorum was reached.
+
+## 1.3 Procedures for this meeting (Co-Chair David)
+
+## 1.4 Approval of agenda (Co-Chair David)
+
+* [Agenda for November 14, 2024](https://www.oasis-open.org/committees/download.php/72357/)
+
+The agenda was approved.
+
+## 1.5 Approval of previous minutes (Co-Chair David)
+
+* [Minutes of 2024-10-10 Meeting #92](https://www.oasis-open.org/committees/download.php/72271/)
+
+The minutes were approved.
+
+## 1.6 Review of action items and resolutions (Secretary Stefan)
+
+* ACTION on David Malcolm to comment on #588 sketching a proposal for #line directives
+  * ONGOING
+* ACTION on David Malcolm to update issue #588 (support of diagrams in SARIF)
+  * ONGOING
+* ACTION on Stefan to provide prose explaining the use of `guid`s in another new issue and to provide an implementation per pull request
+  (cf. [Provide prose explaining the use of guids across all occurrences #648](https://github.com/oasis-tcs/sarif-spec/issues/648)
+  * ONGOING - still reading through all 92 locations of GUIDs in SARIF v2.1 to best derive claims associated with a top-level GUID
+* ACTION on Stefan to research the history and status of 
+  [Question: How to represent results from deep in revision control history? #564](https://github.com/oasis-tcs/sarif-spec/issues/564)
+  "Question: How to represent results from deep in revision control history?"
+  * The TC shall discuss the matter as unfortunately the issue has never been documented
+    as being discussed within the TC (Stefan assessed all minutes documents from
+    the proposed first meeting to discuss the matter onwards)
+  * DONE
+* ACTION on Stefan to create an editor text for the proposal in 
+  [Suggestions for more threadFlowLocation "kinds" property values #530](https://github.com/oasis-tcs/sarif-spec/issues/530)
+  * ONGOING - in queue
+* ACTION on Stefan to try to propose text in context for 
+  [Consider using the "relevant to understanding the result" wording also in notifications/relatedLocation #649](https://github.com/oasis-tcs/sarif-spec/issues/649)
+  * ONGOING - in queue
+* ACTION on Stefan to try to add that informative statement to the issue and the text per  
+  [Is any escaping of URIs within "3.11.6 Messages with embedded links" needed? #657](https://github.com/oasis-tcs/sarif-spec/issues/657)
+  * TL;DR; No - provided clarification (on [RFC choice](https://github.com/oasis-tcs/sarif-spec/issues/657#issuecomment-2475582112)) and
+    [proposal answering the question](https://github.com/oasis-tcs/sarif-spec/issues/657#issuecomment-2475620829) both in the ticket
+  * DONE
+* ACTION on Thanassis to provide info on justificationTypes from SBOM initiatives (research)
+  * ONGOING - Suggests to present next meeting
+
+## 1.7 Identification of SARIF TC voting members (Co-Chair David)
+
+### 1.7.1 Prospective voting members attending their first meeting
+
+### 1.7.2 Members attaining voting rights at the end of this meeting
+
+### 1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends
+
+### 1.7.4 Members who previously lost voting rights who are attending this meeting
+
+### 1.7.5 Members who have declared a leave of absence
+
+# 2. Future Meetings
+
+## 2.1 Future meeting schedule (Co-Chair David)
+
+- Scheduled Teleconference (Thursday at 08:00 PT / 16:00 UTC for 1.5 hours)
+    ```
+    December 12, 2024
+    ```
+    regrets: Stefan
+ - Proposed Teleconference (Thursday at 08:00 PT / 16:00 UTC for 1.5 hours)
+    ```
+    January 9, 2025
+    ```
+
+# 3. Discussion
+
+## 3.1 Review current state of ecosystem ongoing work
+
+### 3.1.1 Related activities (OPENSSF, etc.)
+
+None
+
+### 3.1.2 Other Ecosystem Items
+
+* David Malcolm: SARIF support in GCC now supports text and SARIF as report formats
+  in parallel (before the selection was mutual exclusive) <https://gcc.gnu.org/wiki/SARIF>
+
+## 3.2 Review outcomes of subgroup discussions
+
+* No editor meeting and no new editor revision for this month
+* No other subgroup discussions
+
+## 3.3 Discuss the list of small non-breaking changes for SARIF v2.2
+
+### 3.3.1 Editor's report
+
+Working on actions to produce proposals.
+
+### 3.3.2 Approval of changes
+
+None
+
+### 3.3.3 Additional discussion
+
+* [Is any escaping of URIs within "3.11.6 Messages with embedded links" needed? #657](https://github.com/oasis-tcs/sarif-spec/issues/657)
+  * All discuss
+  * David Malcolm: GCC SARIF always produces messages in plain text format
+  * Aditya: Verified that the GitHub parser and browsers can deal with parentheses but
+    is in favor of adding some informative text suggesting to consider URL percent encoding
+    such characters
+  * Thanassis: confirms that unbalanced parentheses break the links  
+* [Question: How to represent results from deep in revision control history? #564](https://github.com/oasis-tcs/sarif-spec/issues/564)
+  * Stefan: Thinks this is a valid use case 
+  * Aditya: Informs about the GitHub API to address blobs 
+    * https://docs.github.com/en/rest/git/blobs?apiVersion=2022-11-28  
+  * Nathan: Suggests that maybe open ended version strings might help
+* [UTF8 bytes count support as columnKind? #466](https://github.com/oasis-tcs/sarif-spec/issues/466)
+  * All discuss
+  * Proposal is to add other columnKinds (cf. ticket <https://github.com/oasis-tcs/sarif-spec/issues/466#issuecomment-1672200923>)
+  * David Malcolm to propose a wording for the proposal (using bytes and maybe a unicode column number)
+* [Suggestions for more threadFlowLocation "kinds" property values #530](https://github.com/oasis-tcs/sarif-spec/issues/530)
+  * All: remove the to be discussed as the design is already approved
+* [location.id within a notification object #540](https://github.com/oasis-tcs/sarif-spec/issues/540) 
+  * All discuss
+* [Consider adding reportingDescriptor.uiLabel property #567](https://github.com/oasis-tcs/sarif-spec/issues/567)
+  * Aditya: Proposed to use a different element instead as noted in his [comment](https://github.com/oasis-tcs/sarif-spec/issues/567#issuecomment-2405513811) suggesting to close the issue 
+* [Clarify use (or extend design) of SARIF to express hierarchical diagnostics. #572](https://github.com/oasis-tcs/sarif-spec/issues/572)
+  * All discuss
+  * David Malcolm assumes there will still be some iterations before something can be proposed
+  * David Keaton explains two approaches of standardization, one where the standard goes first, then implementations follow
+    or alternatively the implementers go first (maybe each one differently) and then standardization tries to harmonize;
+    and he thinks this issues looks like the second strategy might match
+  * Stefan mentions JSON Path RFC as a very good and useful example for the second approach  
+  * Nathan: This issue looks like a graph approach and although he has no use for that currently it may be useful
+  * All look forward to see examples from David Malcolms GCC extension
+  * David Malcolm shares (experimental quality):
+    * [Screenshot of text version of output](https://gcc.gnu.org/bugzilla/attachment.cgi?id=59580)
+    * [and a mockup](https://gcc.gnu.org/bugzilla/attachment.cgi?id=59598)
+    * [and a SARIF example](https://gcc.gnu.org/bugzilla/attachment.cgi?id=58852)
+  * [Consider adding bucketized 'justification' field for suppression object. #574](https://github.com/oasis-tcs/sarif-spec/issues/574)
+    * All discuss if the enumerations would be mutual exclusive and that the change would be non-breaking
+    * Stefan: Will provide a text
+    * Aditya: Here are the 
+      [dismissal types GitHub currently provides in the UI](https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts#dismissing-alerts) essentially 3 choices: Won't fix, FP, used in tests.
+
+## 3.4 Review Roadmap [Future.md](https://github.com/oasis-tcs/sarif-spec/blob/main/Future.md)
+
+Skipped
+
+## 3.5 Discuss SARIF's relationship to other relevant standards
+
+Skipped
+
+# 4. Other Business
+
+None
+
+# 5. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)
+
+## 5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair David)
+
+## 5.2 Review of Decisions Reached (Secretary Stefan)
+
+* DECISION to meet on January, 9 in 2025 as next meeting after the December 2024 meeting
+
+## 5.3 Review of Action Items (Secretary Stefan)
+
+* Ongoing ACTIONS (from former meetings):
+  * ACTION on David Malcolm to comment on #588 sketching a proposal for #line directives
+  * ACTION on David Malcolm to update issue #588 (support of diagrams in SARIF)
+  * ACTION on Stefan to create an editor text for the proposal in 
+    [Suggestions for more threadFlowLocation "kinds" property values #530](https://github.com/oasis-tcs/sarif-spec/issues/530)
+  * ACTION on Stefan to try to propose text in context for 
+    [Consider using the "relevant to understanding the result" wording also in notifications/relatedLocation #649](https://github.com/oasis-tcs/sarif-spec/issues/649)
+  * ACTION on Thanassis to provide info on justificationTypes from SBOM initiatives (research)
+* ACTION on Aditya to provide an informal text to guide escaping of URIs
+* ACTION on David to propose additional text on 3.14.27 columnKind property for issue [UTF8 bytes count support as columnKind? #466](https://github.com/oasis-tcs/sarif-spec/issues/466)
+* ACTION on David to propose a text for issue [location.id within a notification object #540](https://github.com/oasis-tcs/sarif-spec/issues/540) 
+* ACTION on Stefan to provide a text for [Consider adding bucketized 'justification' field for suppression object. #574](https://github.com/oasis-tcs/sarif-spec/issues/574)
+
+# 7. Next Meeting
+
+  ```
+  December 12, 2024
+  ```
+
+# 8. Adjournment
+
+Meeting was adjourned.