# 1. Opening Activities

## 1.1 Opening comments (Co-Chair David)

## 1.2 Introduction of participants/roll call (Co-Chair David)

| First Name | Last Name | Company          | Role(s)                 |
|:-----------|:----------|:-----------------|:------------------------|
| Aditya     | Sharad    | GitHub           | Voting Member           |
| Chris      | Meyer     | Microsoft        | Voting Member           |
| David      | Keaton    | Individual       | Chair                   |
| Eddy       | Nakamura  | Microsoft        | Voting member           |
| Katrina    | O'Neil    | Micro Focus      | Voting member           |
| Michael    | Fanning   | Microsoft        | Voting member           |
| Nathan     | Baird     | Microsoft        | Voting Member           |
| Paul       | Anderson  | Grammatech, Inc. | Voting member           |
| Stefan     | Hagen     | Individual       | Secretary, taking notes |
| Thanassis  | Avgerinos | ForAllSecure Inc | Member                  |


## 1.3 Procedures for this meeting (Co-Chair David)

## 1.4 Approval of agenda (Co-Chair David)

* https://www.oasis-open.org/committees/download.php/69645/agenda_20220224.html

  Agenda was approved

## 1.5 Approval of previous minutes (Co-Chair David)

* [Minutes of 2022-02-10_Meeting #52](https://www.oasis-open.org/committees/document.php?document_id=69644&wg_abbrev=sarif)

  Minutes were approved 

## 1.6 Review of action items and resolutions (Secretary Stefan)

* ACTION David: Find out how to upload content to wikipedia (#507)
  * Ongoing - account granted
* ACTION Michael: to set up meeting information so interested parties can participate on CIP meeting next week
  * Completed
* ACTION Michael: to open an issue in the repo for the numerics problem, tag it as technical topic to be solved by committee.
  * Completed - issue is [Clarify integer (for properties such as location.id) size in spec #516](https://github.com/oasis-tcs/sarif-spec/issues/516)

## 1.7 Identification of SARIF TC voting members (Co-Chair David)

### 1.7.1 Prospective members attending their first meeting

### 1.7.2 Members attaining voting rights at the end of this meeting

### 1.7.3 Members losing voting rights if they have not joined this meeting by the time it ends

### 1.7.4 Members who previously lost voting rights who are attending this meeting

### 1.7.5 Members who have declared a leave of absence

# 2. Future Meetings

## 2.1 Future meeting schedule (Co-Chair Keaton)

- Scheduled Teleconferences (Thursdays at 08:00 PT / 16:00 UTC for 1.5 hours)
    ```
    March 10
    ```
- Scheduled Teleconferences (Thursdays at 08:00 PDT / 15:00 UTC for 1.5 hours)

    ***On the following date, North America will be on Daylight Savings Time and Europe will not.***
    ```
    March 24
    ```
- Possible face-to-face meeting when pandemic permits

# 3. Discussion

## 3.1 Review recruitment effort to complete the technical committee

* David: Good support from OASIS coming up

## 3.2 Review status on finalizing SARIF 2.1 errata [List of next steps - github issue #509](https://github.com/oasis-tcs/sarif-spec/issues/509)

* David: Courtney uploaded a new revision in the issue per https://github.com/oasis-tcs/sarif-spec/issues/509#issuecomment-1039350887 as https://github.com/oasis-tcs/sarif-spec/files/8062707/sarif-v2.1.0-errata01-csd01-Changes.docx
* David: Kindly asks the members to review the new revision before next meeting
* Michael: Should we add a revision history entry in the document?

## 3.3 Review current state of ecosystem ongoing work

* Eddy: 
  * GitHub provided most used languages and tools lists - that includes security and linters (anything that can produce results from users)
  * Integration of AzureDevOps/GitHub within the IDEs per SARIF - two proof of concepts.
  * Current PoC extension was successful and these changes will be added to the VS/VSCode extension.
* Michael: 
  * The GHAS (GitHub Advanced Security) is also including linters. Greatly extending the list of candidate projects to add SARIF export, author corresponding GitHub actions.
  * There are now fifty or more entries on that list.

## 3.4 Any continued report/discussion on metrics

* Michael:
  * Will provide a pull request for a schema extension
  * Kindly requests members to provide real world examples of any format today that packages metrics data
* Nathan: https://opentelemetry.io/docs/reference/specification/metrics/
* Paul: Will share some Code Sonar metrics reports
* Aditya: Provide comprehensive CodeQL metrics
* Thanassis: Does profiling or performance information also count as metrics?
* Michael: 
  * Domains are still under discussion
  * Heat map, flame graph data etc. may be out of scope
  * Summarizing information of call statistics may be in scope (all up to discussion)
  * Code Insights Protocol (CIP) might be a focus point for defining the extent of metrics scope
* Stefan: As long as we end up with domains that are numbers or categories i.e. leading to aggregates and trends and no free text

## 3.5 Review proposal for what's in- and out-of-scope - general discussion

None - but keep item for future discussions

## 3.6 Status of Wikipedia page

* David: Has been granted a Wikipedia account and can continue to upload.

## 3.7 Discuss end-to-end results management (including code insights protocol)

None

# 4. Other Business

* Michael: 
  * Suggests considering setting some specific gaols for the next steps of standard evolution
    * Initial simple candidate sources for dynamic analysis (scenarios):
      * Crash reports
      * Fuzzing
      * Telemetry
    * More scary sources
      * Web endpoint scanning
      * Accessibility
  * Example: Next two weeks try to tackle the above steps in order?
* Nathan:
  * Works with crash reports - typically more than a single stack how a specific crash or "class" of crash can occur
  * Many internal and external tools produce results in very similar form for the crash reports (related to CIP)
  * All stored in static location similar to typical SARIF (local) storage model
  * Interested in seeing how a remote storage approach would look like - alignment with source repository storage
  * Explains the current approach to telemetry exploration within his team
    * Broad brainstorming like approach and
    * Specifically guiding developers e.g. hinting at 
      * not only creating telemetry, but also 
      * monitoring and using the data (observability) 
* Michael: Plans to provide results from his, Nathan's, Eddy's team and others in two weeks time
* All discuss crash report and telemetry integrations
* All discuss how information of several crash reports is typically projected into buckets for guiding developers and that this is strongly tool dependant
* Michael: Reminds on how SARIF extended the use cases as interchange format across boundaries (between tools)
* Stefan: 
  * When we have the first content ideas / models for crash and telemetry data inclusion, then 
  * we should evaluate the following aspects:
    * composing (how can the diverse tools access elements for projecting and aggregating)
    * writing (latency and throughput)
    * remote storing and retrieving (discovery and addressing)
    * reading (latency and throughput)

# 5. Resolutions and Decisions reached (by 10 minutes prior to scheduled meeting end)

## 5.1 End debate of other issues by 10 minutes prior to scheduled meeting end and follow the agenda from this point (Co-Chair Keaton)

## 5.2 Review of Decisions Reached (Secretary Hagen)

None

## 5.3 Review of Action Items (Secretary Hagen)

* ACTION on David: To please include an agenda item on the reporting of the two week evaluation effort

# 6. Next Meeting
  ```
  March 10, 2022 / 08:00-09:30 PT / 16:00-17:30 UTC
  ```

# 7. Adjournment

Meeting was adjourned.