# 1. Opening Activities

## 1.1 Opening comments (Co-Chair David)

## 1.2 Introduction of participants/roll call (Co-Chair David)

| First Name | Last Name | Company          | Role(s)                 |
| :--------- | :-------- | :--------------- | :---------------------- |
| David      | Keaton    | Individual       | Chair                   |
| Eddy       | Nakamura  | Microsoft        | Voting member           |
| Katrina    | O'Neil    | Micro Focus      | Voting member           |
| Michael    | Fanning   | Microsoft        | Voting member           |
| Paul       | Anderson  | Grammatech, Inc. | Voting member           |
| Stefan     | Hagen     | Individual       | Secretary, taking notes |

## 1.3 Procedures for this meeting (Co-Chair David)

## 1.4 Approval of agenda (Co-Chair David)

* https://www.oasis-open.org/committees/download.php/69280/agenda_20211111.html

  Agenda was approved

## 1.5 Approval of previous minutes (Co-Chair David)

* [Minutes of 2021-10-28 Meeting #47](https://www.oasis-open.org/committees/document.php?document_id=69276&wg_abbrev=sarif)

  Minutes were approved

## 1.6 Review of action items and resolutions (Secretary Stefan)

* ACTION Michael: To send an email after the meeting to David suggesting the 3.4 agenda item for next meeting
  - DONE
* ACTION Stefan: Create PR for minutes so that Michael can insert the list he accumulated from the discussion
  - DONE
* ACTION Michael: Insert his collected list of possible in scope and out of scope domains for inclusion in the new charter after the meeting into the minutes
  - DONE
* ACTION Michael: Reach out to contacts at Google and Uber on the Code Insights Protocol topic 
  - ONGOING
* ACTION Michael: Reach out to ParaSoft
  - ONGOING
* ACTION Paul: Provide some suggestions on metrics
  - DONE
 
## 1.7 Identification of SARIF TC voting members (Co-Chair David)

All voting members present.

### 1.7.1 Prospective members attending their first meeting

### 1.7.2 Members attaining voting rights at the end of this meeting

### 1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends

### 1.7.4 Members who previously lost voting rights who are attending this meeting

### 1.7.5 Members who have declared a leave of absence

# 2. Future Meetings

## 2.1 Future meeting schedule (Co-Chair David)

* Approved Teleconferences (Tuesdays at 08:00 PT / 16:00 UTC for 1.5 hours)
  ```
  December 2
  ```
* Proposed Teleconferences (Thursdays at 08:00 PT / 16:00 UTC for 1.5 hours)
  ```
  December 16
  January 6
  ```
* Possible face-to-face meeting in 2022Q1

# 3. Discussion
 
## 3.1 Review recruitment effort to complete the technical committee

* Michael: Two new participant candidates identified from Microsoft (focused for topics: protocols and persistence store)
* Paul: Facebook has analyzer in python (Pysa: An open source static analysis tool to detect and prevent security issues in Python code)
* Katrina: Identified candidates but no resources available from their side

## 3.2 Review status on finalizing SARIF 2.1 errata

* Michael: Sent [mail to the TC list requesting review before the meeting](https://lists.oasis-open.org/archives/sarif/202111/msg00004.html)
* All: Discuss how to formally proceed (use github TC repository or kavi document storage)
* Michael: Kindly requests timely feedback on the draft
* David: Summarizes that we agreed to all review the documents and plan to ballot on the errata during the next weeks 

## 3.3 Review current state of ecosystem ongoing work

* Eddy: Reported on activities and especially shared the information that Dot.net team also has a SARIF tool: the [Upgrade Assistant tool](https://github.com/dotnet/upgrade-assistant)
* Eddy: Many teams look out for tools to transform SARIF into HTML
* Michael: Any new OSS public SARIF extensions?
* Eddy: Will open a PR on Davids repository (for the Wikipedia page)
* Michael: Do not forget the Pysa tool mentioned by Paul
* Michael: Regarding HTML viewers mentions the link to [Viewers](https://sarifweb.azurewebsites.net/#Viewers) e.g. for supporting compliance reports
* Eddy: Mentions the [Heimdal tool](https://heimdall-lite.mitre.org) and will provide further info
* Michael: Github interested in connecting to the SARIF aggregated store (in use at Microsoft) via VSCode
* Michael: Any other tools where connections to any sort of collector store are useful (like to a Sonar Cube store)
* Michael: Suggests agenda item for next meeting like Connections to Result Management Systems
* David: Eddy has provided further input to the Wikipedia article and expects to have that ready for review by next meeting

## 3.4 Metrics: review CodeQL metrics design, and overall design strategy

* Michael: Trying to join forces with other mebers to start a combined concept in December
* All discuss on if metrics or metricDescriptors should be used as name and if a new table is needed for metrics 
* Paul: Some prefer measures over metrics as term (MISRA)
* All: Suggest to stick with metrics as term (no compelling case made against it)
* Michael: Walks the participants through the SARIF schema to inspect if the mappings in existence already might be a good fit
* Michael: Tool defined ruleTaxonomies might need adding
* Michael: Asks if we should look at the Object Management Group's (OMG) Structured Metrics Metamodel ([SMM](https://www.omg.org/spec/SMM/)), specifically [Structured Metrics Metamodel (SMM(tm)) Version 1.2](https://www.omg.org/spec/SMM/1.2/PDF)

## 3.5 Review proposal for what's in- and out-of-scope. General discussion

* Michael: Reviewing extensions that add to but do not break anything target version 2.2
* Michael: Metrics extension also not breaking
* Michael: There is a detailed list of topics / candidates but no complete clarity yet what of these ar in or out of scope
* Michael: Suggested strategy is to describe the areas and collaborate with subject matter experts to derive the scope decisions
* Michael: Code coverage and fuzzing may go well together, but both topics are "deep" and question will be where constraints are needed
* Michael: Results management is also requested by others (like GitHub)
* Michael: Java-SDK together with MicroFocus
* Michael: Revamping of CWE - how to interface / combine / support

## 3.6 Update on code insights protocol outreach

* Michael: What about Code Insights, Language Server Protocol (LSP), and SARIF
* Michael: Maybe fold this agenda item into Result Management Systems for next meeting

# 4. Other Business

* None

# 5. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)

## 5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair David)

## 5.2 Review of Decisions Reached (Secretary Stefan)

* DECISION: Agreed on meeting for December 9, January 13, and January 27 instead of previously agreed meeting on December 2
* DECISION: New agenda item for next meeting: Connections to Result Management Systems

## 5.3 Review of Action Items (Secretary Stefan)

* ACTION David: Provide draft of Wikipedia article for review on next meeting
* ACTION Michael: Will author and check in the roadmap / list of in- and out-of-scope features

# 6. Next Meeting

December 09, 2021 / 08:00-09:30 PT / 16:00-17:30 UTC

# 7. Adjournment

Meeting was adjourned.