Static Analysis: proposed interchange format ("firehose")

Daniel Veillard veillard at redhat.com
Thu Jan 17 05:33:13 UTC 2013 

On Wed, Jan 16, 2013 at 03:53:56PM -0500, David Malcolm wrote:
> This is a followup to my proposal in
> http://lists.fedoraproject.org/pipermail/devel/2012-December/175232.html
> 
> I want a common output format for static analysis tools so that we can
> easily slurp the results from different tools into a database and have a
> common system for managing the results (marking false positives, having
> automated de-duplication, etc).
> 
> (I like the name "firehose" for the overall system since it describes
> the issue we'll have of managing the flood of data).
> 
> I came up with an XML format, which I've uploaded code to here:
> https://github.com/fedora-static-analysis/firehose
> 
> Does this look sane?  I think that it should be possible to write

  okay, taking the question from the XML side, so analysing the
firehose.rng schemas driving the format. Points and remarks as i go
through it:

 - the cwe attribute is a number or free form ? if a number add
   and explicit rule to check its type.
 - the sut content choice is a bit weird on one side you have text
   on the other you have <rpm>, I would  still allow a free form
   description but in an element at the same level of rpm
   something like
   <choice>
     <element name="description">
       <text/>
     </element>
     <element name="rpm">
       ...
     <element>
   For the sake of larger usage, i would also make some room for
   debian, and also expand that to be able to express a given file
   to give an example allowing extra details there, and make some
   if not all of the attributes optionals, for example to be able
   to express independance say on the arch:
   <sut>
     <file>/usr/bin/xmllint</file>
     <package type="rpm" name="libxml2" version="2.9.0" release="1.fc17">
   </sut>
   so optional file element, extra type attribute, use package to not
   feel tied to rpm, but use a type attribute to distinguish :-)

 - for notes i would separate them
   <notes>
     <note>...</note>
     <note>...</note>
   </notes>
   since they are likely to me entered manually, and you may want to
   track who entered them as you go.

 - I would use <where> instead of <point> myself but i understand your
   logic too

Long reply but overall that look mostly fine from my very narrow POV

Daniel


-- 
Daniel Veillard      | Open Source and Standards, Red Hat
veillard at redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/

More information about the devel mailing list