On Wed, Jan 16, 2013 at 03:53:56PM -0500, David Malcolm wrote:
> This is a followup to my proposal in
> http://lists.fedoraproject.org/pipermail/devel/2012-December/175232.html
>
> I want a common output format for static analysis tools so that we can
> easily slurp the results from different tools into a database and have a
> common system for managing the results (marking false positives, having
> automated de-duplication, etc).
>
> (I like the name "firehose" for the overall system since it describes
> the issue we'll have of managing the flood of data).
>
> I came up with an XML format, which I've uploaded code to here:
> https://github.com/fedora-static-analysis/firehose
>
> Does this look sane? I think that it should be possible to write

  Okay, taking the question from the XML side, so analysing the firehose.rng
schemas driving the format. Points and remarks as I go through it:

- Is the cwe attribute a number or free form? If a number, add an explicit
  rule to check its type.

- The sut content choice is a bit weird: on one side you have text, on the
  other you have <rpm>. I would still allow a free-form description, but in
  an element at the same level as rpm, something like

    <choice>
      <element name="description">
        <text/>
      </element>
      <element name="rpm">
        ...
      </element>

  For the sake of larger usage, I would also make some room for Debian, and
  also expand that to be able to express a given file, to give an example
  allowing extra details there, and make some if not all of the attributes
  optional, for example to be able to express independence, say, on the
  arch:

    <sut>
      <file>/usr/bin/xmllint</file>
      <package type="rpm" name="libxml2" version="2.9.0" release="1.fc17"/>
    </sut>

  So: optional file element, extra type attribute, use package to not feel
  tied to rpm, but use a type attribute to distinguish :-)

- For notes I would separate them

    <notes>
      <note>...</note>
      <note>...</note>
    </notes>

  since they are likely to be entered manually, and you may want to track
  who entered them as you go.

- I would use <where> instead of <point> myself, but I understand your
  logic too.

Long reply, but overall that looks mostly fine from my very narrow POV.

Daniel

-- 
Daniel Veillard      | Open Source and Standards, Red Hat
veillard@xxxxxxxxxx  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
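The following checker is an added example and is not part of the message above or of the firehose project; it encodes the structural rules the reply proposes (a numeric cwe attribute, a <sut> holding an optional <file> plus exactly one of <description> or <package type="..." name="...">, and <notes> as a container of <note> elements) as plain Python over the standard-library ElementTree, so the rules can be tried against a sample document before they are written into firehose.rng. The two sample documents are constructed for this example; the enclosing <analysis>, <metadata>, <results> and <issue> element names and the note's author attribute are assumptions, not names the message defines.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample report (not from the firehose project) following the
# <sut>/<package> and <notes>/<note> shapes proposed in the reply above.
# The enclosing <analysis>, <metadata>, <results> and <issue> elements and
# the note's author attribute are assumed names chosen for this example.
SAMPLE_OK = """<analysis>
  <metadata>
    <sut>
      <file>/usr/bin/xmllint</file>
      <package type="rpm" name="libxml2" version="2.9.0" release="1.fc17"/>
    </sut>
  </metadata>
  <results>
    <issue cwe="401">
      <notes>
        <note author="veillard">entered by hand, still to be triaged</note>
      </notes>
    </issue>
  </results>
</analysis>"""

# Constructed counter-example with the problems the reply objects to: free
# text mixed directly into <sut>, an <rpm> child instead of <package type>,
# a non-numeric cwe attribute, and note text not wrapped in <note>.
SAMPLE_BAD = """<analysis>
  <metadata>
    <sut>local build of libxml2
      <rpm name="libxml2"/>
    </sut>
  </metadata>
  <results>
    <issue cwe="CWE-401">
      <notes>remember to check this one</notes>
    </issue>
  </results>
</analysis>"""

CWE_RE = re.compile(r"^[0-9]+$")


def _has_text(s):
    return bool((s or "").strip())


def check_sut(sut):
    """Rules for <sut>: optional <file>, then exactly one of <description>
    or <package type=... name=...>; no text mixed directly into <sut>."""
    problems = []
    if _has_text(sut.text) or any(_has_text(c.tail) for c in sut):
        problems.append("sut: free-form text belongs in <description>, not directly in <sut>")
    if len(sut.findall("file")) > 1:
        problems.append("sut: at most one <file> element")
    descr, pkgs = sut.findall("description"), sut.findall("package")
    if len(descr) + len(pkgs) != 1:
        problems.append("sut: exactly one of <description> or <package> is required")
    for pkg in pkgs:
        # type and name are the only mandatory attributes here; version,
        # release and arch stay optional so a sut can be arch-independent.
        for attr in ("type", "name"):
            if not pkg.get(attr):
                problems.append("sut/package: missing required attribute %r" % attr)
    for child in sut:
        if child.tag not in ("file", "description", "package"):
            problems.append("sut: unexpected child <%s>" % child.tag)
    return problems


def check_notes(notes):
    """<notes> is a container of <note> elements and nothing else."""
    problems = []
    if _has_text(notes.text) or any(_has_text(c.tail) for c in notes):
        problems.append("notes: text must be wrapped in <note> elements")
    for child in notes:
        if child.tag != "note":
            problems.append("notes: unexpected child <%s>" % child.tag)
        elif not _has_text(child.text):
            problems.append("notes/note: empty note")
    return problems


def check_report(xml_text):
    """Return a list of problems; an empty list means the document passes."""
    root = ET.fromstring(xml_text)
    problems = []
    # The reply asks for an explicit type rule on cwe: enforce it wherever
    # the attribute appears, since the value will be used as a database key.
    for el in root.iter():
        cwe = el.get("cwe")
        if cwe is not None and not CWE_RE.match(cwe):
            problems.append("<%s>: cwe=%r is not a numeric CWE id" % (el.tag, cwe))
    for sut in root.iter("sut"):
        problems.extend(check_sut(sut))
    for notes in root.iter("notes"):
        problems.extend(check_notes(notes))
    return problems


if __name__ == "__main__":
    for name, doc in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_report(doc) or "ok")
```

Running the block reports no problems for SAMPLE_OK and five for SAMPLE_BAD (the cwe value, the mixed text in <sut>, the missing <description>/<package> choice, the stray <rpm> child, and the bare notes text). Once the rules settle they belong in the RELAX NG schema itself; and because the stated goal is to slurp output from many different tools into one database, a production importer should parse that input as untrusted (for example with defusedxml, which refuses entity-expansion tricks the stdlib parser accepts) rather than with a bare ET.fromstring as here.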