Integration of the Static Analysis Results Interchange Format in CogniCrypt

by Sriteja Kummita, et al.

Background - Software companies increasingly rely on static analysis tools to detect potential bugs and security vulnerabilities in their software products. In the past decade, more and more commercial and open-source static analysis tools have been developed and are maintained. Each tool comes with its own reporting format, which prevents easy integration of multiple analysis tools in a single interface, such as the Static Analysis Server Protocol (SASP). In 2017, a collaborative effort in industry, including Microsoft and GrammaTech, proposed the Static Analysis Results Interchange Format (SARIF) to address this issue. SARIF is a standardized format in which static analysis warnings can be encoded, allowing analysis reports to be imported and exported between different tools.

Purpose - This paper explains the SARIF format through examples and presents a proof of concept of the connector that allows the static analysis tool CogniCrypt to generate and export its results in SARIF format.

Design/Approach - We conduct a cross-sectional study between the SARIF format and CogniCrypt's output format before detailing the implementation of the connector. The study aims to find the components of interest in CogniCrypt that the SARIF export module can complete.

Originality/Value - The integration of SARIF into CogniCrypt described in this paper can be reused to integrate SARIF into other static analysis tools.

Conclusion - After detailing the SARIF format, we present an initial implementation to integrate SARIF into CogniCrypt. Once it takes advantage of all the features provided by SARIF, CogniCrypt will be able to support SASP.
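The abstract describes SARIF as a standardized encoding for static analysis warnings that lets reports move between tools. The following is an added example, not code from the paper or from the CogniCrypt project: it shows the minimal shape of a SARIF 2.1.0 log (a run with a tool driver, its rule table, and results carrying a rule id, level, message and physical location) by building one from a small, constructed set of findings and reading it back. The `Finding` dataclass, the tool name, the rule ids, file paths and messages are all assumptions chosen for illustration; CogniCrypt's real output format and connector may differ.

```python
"""Minimal SARIF 2.1.0 export/import round trip (added example, not CogniCrypt's connector)."""
import json
from dataclasses import dataclass

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
SARIF_VERSION = "2.1.0"
# Result levels permitted by the SARIF 2.1.0 specification.
VALID_LEVELS = ("none", "note", "warning", "error")


@dataclass(frozen=True)
class Finding:
    """A tool-internal finding (assumed representation, not CogniCrypt's)."""
    rule_id: str        # stable identifier of the violated rule
    message: str        # human-readable description of the misuse
    uri: str            # analysed source file, relative to the project root
    line: int           # 1-based line of the offending statement
    level: str = "error"


# Constructed sample findings; the rule ids and paths are illustrative only.
SAMPLE_FINDINGS = [
    Finding("ConstraintError", "Cipher initialized with an insecure transformation",
            "src/main/java/app/Crypto.java", 42),
    Finding("IncompleteOperation", "Cipher is never finalized with doFinal()",
            "src/main/java/app/Crypto.java", 57, level="warning"),
]


def to_sarif(tool_name, tool_version, findings):
    """Build a SARIF 2.1.0 log containing one run from a sequence of findings."""
    # The run's rule table lists each distinct rule once, so every result's
    # ruleId / ruleIndex resolves to an entry in tool.driver.rules.
    rule_ids = sorted({f.rule_id for f in findings})
    rule_index = {rid: i for i, rid in enumerate(rule_ids)}
    results = []
    for f in findings:
        if f.level not in VALID_LEVELS:
            raise ValueError(f"invalid SARIF level: {f.level!r}")
        results.append({
            "ruleId": f.rule_id,
            "ruleIndex": rule_index[f.rule_id],
            "level": f.level,
            "message": {"text": f.message},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": f.uri},
                    "region": {"startLine": f.line},
                }
            }],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "version": tool_version,
                "rules": [{"id": rid} for rid in rule_ids],
            }},
            "results": results,
        }],
    }


def summarize(sarif_doc):
    """Consumer side: flatten a SARIF log into (rule id, uri, start line, level) tuples."""
    rows = []
    for run in sarif_doc["runs"]:
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            rows.append((res["ruleId"], loc["artifactLocation"]["uri"],
                         loc["region"]["startLine"], res.get("level", "warning")))
    return rows


def round_trip(findings, tool_name="ExampleAnalyzer", tool_version="0.1"):
    """Serialize to SARIF JSON text and parse it back, as an importing tool would."""
    text = json.dumps(to_sarif(tool_name, tool_version, findings), indent=2)
    return summarize(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(to_sarif("ExampleAnalyzer", "0.1", SAMPLE_FINDINGS), indent=2))
```

A connector in the style the paper describes would replace `SAMPLE_FINDINGS` with the tool's own result objects and extend the rule table with descriptions; the point of the round trip is that a second tool only needs the SARIF structure, not the producer's internal format.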
