Static Analysis Results Interchange Format

From HandWiki
Short description: Standard software analysis output format


The Static Analysis Results Interchange Format (SARIF) is a universal representation for the output of static analysis tools. It is standardized by the OASIS SARIF Technical Committee.

Purpose

SARIF creates one common format for representing the results of static analysis tools. This allows visualization tools to work with static analysis tools from multiple vendors. It also facilitates the aggregation of static analysis output from the tools of multiple vendors.

Each static analysis tool has a unique approach to discovering properties of computer program source code. Consequently, tools from different vendors find different sets of vulnerabilities. Combining the output of tools from multiple vendors can provide a more complete picture of vulnerabilities in source code.

By supporting SARIF, a low-cost tool provider gets access to a rich ecosystem of support.
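The aggregation described above is what a SARIF consumer actually has to do: read logs emitted by different tools, normalize each result to a common shape, and line findings up by location so that overlaps between vendors become visible. The following script is an added example, not code from the page or from the OASIS committee; the two SARIF documents in it are constructed sample input modelled on the SARIF 2.1.0 object model (`runs` → `tool.driver`, `results` → `ruleId`/`level`/`message`/`locations` → `physicalLocation`), and the tool names, rule ids and file paths are invented for illustration.

```python
"""Merge SARIF v2.1.0 logs from several static analysis tools into one view.

Added example, not part of the original page. The two documents below are
constructed samples shaped after the SARIF 2.1.0 object model; tool names,
rule ids and file paths are hypothetical.
"""
import json
from collections import Counter

# Constructed sample: what a hypothetical "ToolA" might emit (one result).
TOOL_A_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "ToolA", "version": "1.0",
                 "rules": [{"id": "A001",
                            "shortDescription": {"text": "Use of strcpy"}}]}},
        "results": [
            {"ruleId": "A001", "level": "error",
             "message": {"text": "strcpy may overflow the destination buffer"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/net.c"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
})

# Constructed sample: a hypothetical "ToolB" flagging the same line plus two more
# results, one of them with no 'level' and no location at all.
TOOL_B_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ToolB", "version": "3.2"}},
        "results": [
            {"ruleId": "B-BUFFER", "level": "warning",
             "message": {"text": "unbounded copy into fixed buffer"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/net.c"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "B-FMT", "level": "error",
             "message": {"text": "format string from untrusted source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/log.c"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "B-NOTE", "message": {"text": "informational, no location"}},
        ],
    }],
})


def iter_findings(sarif_text):
    """Yield normalized (tool, ruleId, level, uri, line, message) tuples from one log."""
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {log.get('version')!r}")
    for run in log.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            # 'level' is optional in SARIF; for an ordinary failure result the
            # spec's fallback is "warning". Rule defaultConfiguration is ignored
            # here (simplification for the example).
            level = res.get("level", "warning")
            uri, line = None, None
            # A result may carry zero or more locations; use the first physical one.
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation")
                if phys:
                    uri = phys.get("artifactLocation", {}).get("uri")
                    line = phys.get("region", {}).get("startLine")
                    break
            yield (tool, res.get("ruleId"), level, uri, line, res["message"]["text"])


def merge_sarif(*sarif_texts):
    """Group findings from several logs by (file, line) so vendor overlap is visible."""
    by_location = {}
    for text in sarif_texts:
        for tool, rule, level, uri, line, msg in iter_findings(text):
            by_location.setdefault((uri, line), []).append(
                {"tool": tool, "ruleId": rule, "level": level, "message": msg})
    return by_location


def summarize(merged):
    """Return (Counter of findings per level, locations flagged by more than one tool)."""
    levels = Counter(f["level"] for findings in merged.values() for f in findings)
    corroborated = sorted(
        (key for key, findings in merged.items()
         if len({f["tool"] for f in findings}) > 1),
        key=lambda k: (str(k[0]), k[1] or 0))
    return levels, corroborated


if __name__ == "__main__":
    merged = merge_sarif(TOOL_A_SARIF, TOOL_B_SARIF)
    levels, corroborated = summarize(merged)
    print("findings per level:", dict(levels))
    for uri, line in corroborated:
        tools = sorted(f["tool"] for f in merged[(uri, line)])
        print(f"{uri}:{line} reported by {', '.join(tools)}")
```

Two details matter when consuming real logs rather than the constructed ones here: `level` is optional, so a merger has to pick the spec default instead of crashing or silently dropping the result, and a result may legitimately have no location (the `B-NOTE` case), which is why the grouping key tolerates `None`.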

Standard

The current version of the standard, v2.1.0, is publicly available from OASIS.[1]

How SARIF relates to other standards

The Object Management Group's Tools Output Integration Framework (TOIF)[2] is a standard that integrates diverse static analysis result formats into the lowest common denominator representation, as one form of evidence in a software assurance system. By contrast, SARIF accommodates deep, precise expression of static analysis results to provide full support for the capabilities of advanced static analysis systems, enabling the sharing of sophisticated visualization and processing components that previously were specific to individual static analysis tools.

The Structured Threat Information eXchange (STIX)[3] standardized by the OASIS Cyber Threat Intelligence (CTI) Technical Committee[4] expresses more general cyber threat information and is not specific to source code analysis. Since its focus is wider, it is not designed to include the full static analysis capabilities that SARIF provides.

History

Early work on SARIF began within Microsoft for use in their tools. It eventually became apparent that SARIF's value could be substantially enhanced by making it an industry-wide standard.

The OASIS SARIF Technical Committee was formed and held its first meeting in September 2017. The first edition of the OASIS SARIF standard was published in March 2020. It was called version 2.1.0 in recognition of the earlier efforts within Microsoft as well as the intermediate pre-standard versions that were in use during the development of the standard. Following publication, the committee suspended its activities, resuming in March 2021 to discuss the direction of future editions of the standard.

Adoption

Direct support

  • AWS CloudFormation Linter[5] is a tool that validates AWS CloudFormation yaml/json templates against the AWS CloudFormation Resource Specification and performs additional checks.
  • Azure Resource Manager (ARM) Template Best Practice Analyzer[6] is a validator that scans ARM templates to ensure security and best practice checks are being followed before deployment.
  • BinSkim[7] is a binary-level security checker that validates Windows, Mac and *nix binaries.
  • Brakeman[8] is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
  • Checkstyle[9] is a Java style guideline checker.
  • Checkov[10] is a static code analysis tool for infrastructure-as-code.
  • Clang Analyzer[11], the LLVM C/C++ checker, has added SARIF export.
  • Contrast Scan[12] is a very fast, demand-driven static analysis tool supporting Java, .NET, and JavaScript.
  • CodeQL[13] is a multilanguage, intraprocedural checker with a large rule set.
  • CodeSonar[14] is a static analysis tool which identifies programming bugs that can result in system crashes, memory corruption, leaks, data races, and security vulnerabilities.
  • CredScan[15] is a file scanner that detects plaintext secrets.
  • DartAnalyzer[16] is a dart/flutter analyzer.
  • Detekt[17] is a static code analysis tool for the Kotlin programming language.
  • DevSkim[18] is a set of IDE checkers and language analyzers that provide inline security analysis.
  • Electronegativity[19] is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
  • ESLint SARIF Formatter[20] enables SARIF export for ESLint[21], a JavaScript static analyzer.
  • Flawfinder[22] is a C/C++ source code security checker.
  • Fortify Vulnerability Exporter[23] allows exporting vulnerabilities from Fortify on Demand and Fortify Software Security Center to third-party products and output formats.
  • Fortify Ssc Parser[24] is a plugin that allows for importing SARIF files.
  • GCC has added SARIF output support for GCC 13 and later.[25]
  • GoSec[26] is a GoLang security checker.
  • Kubesec[27], backed by ControlPlane.io, provides security risk analysis for Kubernetes resources.
  • MobSF[28] is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
  • NodeJSScan[29] is a static security code scanner (SAST) for Node.js applications.
  • Psalm[30] is an open source tool for finding security vulnerabilities in PHP.
  • PMD[31] is a multilanguage source code analyzer.
  • PSScriptAnalyzer[32] is a static code checker for PowerShell modules and scripts.
  • PREfast[33] is the C/C++ correctness checker behind the Microsoft compiler /analyze switch.
  • Roslyn[34] is a platform for analyzing and rewriting C#/VB.NET code.
  • SARIF Pattern Matcher[35] is a security-focused pattern matcher that detects (and in some cases authenticates) plaintext secrets, sensitive data, etc.
  • Security Code Scan[36] is a Vulnerability Patterns Detector for C# and VB.NET.
  • Semgrep[37], sponsored by R2C[38], supports a variety of languages.[39]
  • Sobelow[40] is the security-focused static analyzer for the Elixir Phoenix Framework.
  • SpotBugs[41] is a Java code checker.
  • TerraScan[42] is a static code analysis tool for infrastructure-as-code.
  • TFSec[43] uses static analysis of Terraform templates to spot potential security issues.
  • Trivy[44] is a vulnerability scanner for containers and other artifacts.
  • Upgrade Assistant[45] is a project that enables automation of common tasks related to upgrading .NET Framework projects to the latest versions of .NET.

Converters (i.e. tool output to SARIF conversion code exists)

SDKs/Documentation

Viewers/SARIF development Support

See also

Static analysis

References

  1. "OASIS SARIF Standard v2.1.0". https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html. 
  2. "OMG Tools Output Integration Framework (TOIF)". https://www.omg.org/spec/TOIF. 
  3. "Structured Threat Information eXchange (STIX)". https://oasis-open.github.io/cti-documentation/stix/intro. 
  4. "OASIS Cyber Threat Intelligence (CTI) Technical Committee". https://www.oasis-open.org/committees/cti. 
  5. "AWS CloudFormation Linter". https://github.com/aws-cloudformation/cfn-lint. 
  6. "ARM Template Best Practice Analyzer". https://github.com/Azure/template-analyzer. 
  7. "BinSkim". https://github.com/microsoft/binskim. 
  8. "Brakeman". https://github.com/presidentbeef/brakeman. 
  9. "Checkstyle". https://github.com/checkstyle/checkstyle. 
  10. "Checkov". https://github.com/bridgecrewio/checkov. 
  11. "Clang Analyzer". https://clang-analyzer.llvm.org. 
  12. "Contrast Scan". https://www.contrastsecurity.com/contrast-scan. 
  13. "CodeQL". https://github.com/github/codeql. 
  14. "CodeSonar". https://www.grammatech.com/codesonar-cc. 
  15. "CredScan". https://secdevtools.azurewebsites.net/helpcredscan.html. 
  16. "DartAnalyzer". https://github.com/dart-lang/sdk/tree/master/pkg/analyzer_cli#dartanalyzer. 
  17. "Detekt". https://github.com/detekt/detekt. 
  18. "DevSkim". https://github.com/microsoft/devskim. 
  19. "Electronegativity". https://github.com/doyensec/electronegativity. 
  20. "ESLint SARIF Formatter". https://www.npmjs.com/package/eslint.formatter.sarif. 
  21. "ESLint". https://eslint.org. 
  22. "Flawfinder". https://github.com/david-a-wheeler/flawfinder. 
  23. "Fortify Vulnerability Exporter". https://github.com/fortify/FortifyVulnerabilityExporter#github-configuration. 
  24. "Fortify Ssc Parser". https://github.com/fortify-ps/fortify-ssc-parser-sarif. 
  25. "GCC SARIF announcement". https://github.com/oasis-tcs/sarif-spec/issues/531. 
  26. "GoSec". https://github.com/securego/gosec. 
  27. "Kubesec". https://github.com/controlplaneio/kubesec. 
  28. "MobSF". https://github.com/MobSF/Mobile-Security-Framework-MobSF. 
  29. "NodeJSScan". https://github.com/ajinabraham/nodejsscan. 
  30. "Psalm". https://github.com/vimeo/psalm. 
  31. "PMD". https://github.com/pmd/pmd/issues/2953. 
  32. "PSScriptAnalyzer". https://github.com/PowerShell/PSScriptAnalyzer. 
  33. "PREfast". https://docs.microsoft.com/cpp/build/reference/analyze-code-analysis?view=msvc-160. 
  34. "Roslyn". https://github.com/dotnet/roslyn-analyzers. 
  35. "SARIF Pattern Matcher". https://github.com/microsoft/sarif-pattern-matcher. 
  36. "Security Code Scan". https://github.com/security-code-scan/security-code-scan. 
  37. "Semgrep". https://github.com/returntocorp/semgrep. 
  38. "R2C". https://r2c.dev. 
  39. "Semgrep supported languages". https://semgrep.dev/docs/status. 
  40. "Sobelow". https://github.com/nccgroup/sobelow. 
  41. "SpotBugs". https://github.com/spotbugs/spotbugs. 
  42. "TerraScan". https://github.com/accurics/terrascan. 
  43. "TFSec". https://github.com/tfsec/tfsec. 
  44. "Trivy". https://github.com/aquasecurity/trivy. 
  45. "Upgrade Assistant". https://github.com/dotnet/upgrade-assistant. 
  46. "C# SARIF SDK". https://github.com/microsoft/sarif-sdk. 
  47. "Go-SARIF SDK". https://github.com/owenrumney/go-sarif. 
  48. "SARIF JS SDK". https://github.com/microsoft/sarif-js-sdk. 
  49. "SARIF PHP SDK". https://github.com/llaville/sarif-php-sdk. 
  50. "SARIF-om Python SDK". https://github.com/microsoft/sarif-python-om. 
  51. "SARIF Tutorials". https://github.com/microsoft/sarif-tutorials. 
  52. "SARIF Visual Studio Extension". https://github.com/microsoft/sarif-visualstudio-extension. 
  53. "SARIF Visual Studio Code Extension". https://github.com/microsoft/sarif-vscode-extension. 
  54. "SARIF Azure DevOps Extension". https://github.com/microsoft/sarif-azuredevops-extension. 
  55. "SARIF Viewer". https://microsoft.github.io/sarif-web-component. 
  56. "SARIF Validator". https://www.sarif.info/Validation. 
  57. "SARIF GitHub docs". https://docs.github.com/en/enterprise-server@3.0/code-security/secure-coding/integrating-with-code-scanning/sarif-support-for-code-scanning#about-sarif-support. 

External links