James,

There is such an effort currently underway called the Software Assurance Findings Expression Schema (SAFES). It is currently sponsored by the NSA Center for Assured Software and aims to unify reporting not only of static analysis findings but of the broader set of software assurance analysis findings, including dynamic analysis, web app scanning, data security analysis, etc.

There is a Review Candidate 1 release going out for review today to a limited audience of the 20 or so tool and service vendors who acted as sources for this initial effort. The first public release is targeted for sometime in January. So far, the effort has received an overwhelmingly positive reaction and involvement from the community. I briefed on it the week before last at the Software Assurance Forum and at the NIST SAMATE Static Analysis Tool Exposition (SATE).
Keep your eyes peeled and ears open. Hopefully, brighter days are ahead for all of us in the software assurance community.

Sean

Message: 1
Date: Mon, 16 Nov 2009 09:16:57 -0500
From: "McGovern, James F. (eBusiness)" <james.mcgov...@thehartford.com>
To: <sc-l@securecoding.org>
Subject: [SC-L] Static Analysis Findings
Message-ID: <bfd50e79fbe23a4fb6be93572a6fe2870200a...@ad1hfdexc312.ad1.prod>
Content-Type: text/plain; charset="us-ascii"

I spent some time over the weekend looking at the Ounce Findings file (OZASMT) and wonder if the community at large should push Ounce, Fortify, Klocwork, Coverity, etc. to come up with an interoperable XML-based way of exchanging findings?