James,
There is such an effort currently underway called the Software Assurance 
Findings Expression Schema (SAFES). It is currently sponsored by the NSA Center 
for Assured Software and aims to unify reporting not only of static analysis 
findings but also of the broader set of software assurance analysis findings, 
including dynamic analysis, web app scanning, data security analysis, etc.
There is a Review Candidate 1 release going out for review today to a limited 
audience of the 20 or so tool and service vendors who acted as sources for this 
initial effort. The first public release is targeted for sometime in January.
So far, the effort has received overwhelmingly positive reaction and 
involvement from the community. I briefed on it the week before last at the 
Software Assurance Forum and at the NIST SAMATE Static Analysis Tool Exposition 
(SATE).

Keep your eyes peeled and ears open. Hopefully, brighter days are ahead for all 
of us in the software assurance community.

Sean

Message: 1
Date: Mon, 16 Nov 2009 09:16:57 -0500
From: "McGovern, James F. (eBusiness)"
        <james.mcgov...@thehartford.com>
To: <sc-l@securecoding.org>
Subject: [SC-L] Static Analysis Findings
Message-ID:
        <bfd50e79fbe23a4fb6be93572a6fe2870200a...@ad1hfdexc312.ad1.prod>
Content-Type: text/plain; charset="us-ascii"

I spent some time over the weekend looking at the Ounce Findings file
(OZASMT) and wonder if the community at large should push Ounce,
Fortify, Klocwork, Coverity, etc. to come up with an interoperable
XML-based way of exchanging findings?


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.