# 1. Opening Activities

## 1.1 Opening comments (Co-Chair David)

## 1.2 Introduction of participants/roll call (Co-Chair David)

| First Name | Last Name | Company          | Role(s)                 |
| :--------- | :-------- | :--------------- | :---------------------- |
| Aditya     | Sharad    | Github          |  Guest                   |
| David      | Keaton    | Individual       | Chair                   |
| Eddy       | Nakamura  | Microsoft        | Voting member           |
| Katrina    | O'Neil    | Micro Focus      | Voting member           |
| Michael    | Fanning   | Microsoft        | Voting member           |
| Paul       | Anderson  | Grammatech, Inc. | Voting member           |
| Stefan     | Hagen     | Individual       | Secretary, taking notes |

## 1.3 Procedures for this meeting (Co-Chair David)

## 1.4 Approval of agenda (Co-Chair David)

* https://www.oasis-open.org/committees/download.php/69234/agenda_20211028.html

  Agenda was approved

## 1.5 Approval of previous minutes (Co-Chair David)

* [Minutes of 2021-10-14 Meeting #46](https://www.oasis-open.org/committees/document.php?document_id=69230&wg_abbrev=sarif)

  Minutes were approved

## 1.6 Review of action items and resolutions (Secretary Stefan)

* ACTION Michael: Reach out to ParaSoft
  - ONGOING
* ACTION Paul: Provide some suggestions on metrics
  - ONGOING
 
## 1.7 Identification of SARIF TC voting members (Co-Chair David)

All voting members present.

### 1.7.1 Prospective members attending their first meeting

### 1.7.2 Members attaining voting rights at the end of this meeting

### 1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends

### 1.7.4 Members who previously lost voting rights who are attending this meeting

### 1.7.5 Members who have declared a leave of absence

# 2. Future Meetings

## 2.1 Future meeting schedule (Co-Chair David)

* Approved Teleconferences (Tuesdays at 08:00 PT / 16:00 UTC for 1.5 hours)
  ```
  November 11
  December 2
  ```
* Possible face-to-face meeting in 2022Q1

# 3. Discussion

## 3.1 Review recruitment effort to complete the technical committee

* Michael: New members in sight
* Michael: Reached out towards StackHawk, ForAllSecure, and NTT in the dynamic analyisa area
* Katrina: Contacted ex-colleague (now at salesforce) in dynamic analysis field and others

## 3.2 Review status on finalizing SARIF 2.1 errata

* Michael: DONE and would like to send the change bar documents out per a branch so interested reviewers can review there
* David: Suggests to directly create a branch and send an email with the URL
* Michael: Will store in microsoft OneDrive and manage access - so as to make comments visible (as the document is a Microsoft Word document no markdown)
* David: When this review is approved by the reviewers we should hold a full majority vote and hand over publication to OASIS TC administration.

## 3.3 Review current state of ecosystem ongoing work

* Michael: How about placing names in the chat.
* Eddy:
  - updated the [PR#2](https://github.com/dmk42/sarif-spec/pull/2) to add more tools to the wiki
  - finished the change to enable SARIF for [AttackSurfaceAnalyzer](http://github.com/microsoft/attackSurfaceAnalyzer)
  - Visual Studio support for suppressions management, will port this feature to VS Code as well.
  - Updated the VS Studio extension to 64-bit
  - working with BPA ([Template Analyzer](https://github.com/Azure/template-analyzer)) and TM7 (log file for the Microsoft Threat Modeling)
* David: Merged the [PR#2](https://github.com/dmk42/sarif-spec/pull/2)

## 3.4 Discuss metrics

* All discuss metrics representations
* Michael suggests for next meeting to 
  - keep agenda items 3.1, 3.2, and 3.3 and 
  - change the item 3.4 to "Discuss metrics specifically CodeQL, Metrics Investments, and General design approach"

## 3.5 Discuss dynamic analysis and how to address it

* David: Reminds everyone what was last time decided to proceed in that order:
  - publication of Errata for 2.1 
  - rechartering of TC to widen scope
  - there will be a specific list needed for the new charter
* Michael: Let us start a collection of domains
* David: Domain fuzzing
* Michael: Domain test execution and colocate with code coverage
* Paul: Domain crash dump analysis? Or too close to fuzzing?
* Michael: Supports adding the crash dump analysis explicit
* Katrina: Out of scope runtime analysis
* Stefan: Domain memory analysis (forensics of file less malware more observing)?
* Stefan: Out of scope dynamic effects on CPUs (think rowhammer)
* Michael: Out of scope Penetration Testing
* Michael: Out of scope Jupyter Notebooks/threat intelligence sharing
* Michael: Domain web scanning, client and server scanning (accessibility)
* Michael: Domain Compile time (address sanitizer) and run time insertion points (managed debug)
* Michael: Out of scope: license defect in repository or dependency on component that has a CVE
* Paul: These are mostly static analysis outcomes; question: If a dynamic feature has a correspondence to a static feature we do not include, should we include the dynamic feature?
* Michael: Verify that we include no general "suurounding" system analysis
* Michael: Code Insights - related to an MS effort to project crash info on a source code view
* Michael: Google and Uber have defined the Code Insight Protocol
* Michael: Where in the graph of all possible analysis types and tools we do see SARIF?
* Michael: Maybe include Tracing?

# 4. Other Business

* Michael: MicroFocus reached out and asked about a SARIF Java SDK - anyone else besides MicroFocus and Microsoft interested?
* Michael: Code Insights Protocol / SASP - Michael will reach out to Uber and Google

# 5. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)

## 5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair David)

## 5.2 Review of Decisions Reached (Secretary Stefan)

* DECISION: None noted

## 5.3 Review of Action Items (Secretary Stefan)

* ACTION Michael: To send an email after the meeting to David suggesting the 3.4 agenda item for next meeting
* ACTION Stefan: Create PR for minutes so that Michael can insert the list he accumulated from the discussion
* ACTION Michael: Insert his collected list of possible in scope and out of scope domains for inclusion in the new charter after the meeting into the minutes
* ACTION Michael: Reach out to contacts at Google and Uber on the Code Insights Protocol topic 

# 6. Next Meeting

November 11, 2021 / 08:00-09:30 PT / 16:00-17:30 UTC

# 7. Adjournment

Meeting was adjourned.