DHS Funding Transitioning into Real World Collaboration through SARIF

ITHACA, NY & BETHESDA, MD

March 2020

With funding from the Department of Homeland Security (DHS), GrammaTech has worked to enable open source static analysis tools to generate and consume results in the open SARIF format. Building on this work, GrammaTech has now released a tool to support SARIF-based integration of static analysis results with GitHub.

Currently, open source and commercial static analysis tools use proprietary formats to display and store their results. This makes it hard to integrate results from a static analysis tool into an Integrated Development Environment (IDE), code review tool, or a source code management and version control platform such as GitHub.

SARIF (pronounced SA-rif), which stands for Static Analysis Results Interchange Format, is a standard developed and managed by the OASIS group. SARIF makes it easier for tools to collaborate in a unified software development environment around the topic of static analysis. For more information on SARIF, you can visit the OASIS website and view the SARIF specification.

GrammaTech, with funding provided by the DHS Science & Technology Directorate Static Analysis Tools Modernization Project (STAMP) program, has previously implemented SARIF support for open-source static analyzers such as Clang Static Analyzer, Pylint, and several others. Broad SARIF support allows software development teams to pick and choose the tools that they want and integrate them into a best-of-breed DevOps environment.

In order to further support the SARIF ecosystem, GrammaTech has now released a tool that allows developers to view static analysis results as part of their code review workflow, within GitHub pull requests. Evidence from real-world industry practice indicates that such an integration significantly increases the adoption of static analysis, contributing to improved code quality and safety. The tool is available as open-source software, and was featured in a publication at the TechDebt ’19 conference.

“GrammaTech strongly believes in collaboration using open standards,” says Vince Arneja, Chief Product Officer at GrammaTech. “GrammaTech CodeSonar imports and exports SARIF, and through that, can collaborate with Microsoft’s IDEs, GitHub, Clang Static Analyzer, Pylint, ESlint and other tools that support SARIF.”

This work is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate (contract numbers  HHSP233201600062C  70RSAT19C00000056).  The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security.

About GrammaTech:

GrammaTech’s advanced static analysis tools are used by software developers worldwide, spanning a myriad of embedded software industries including avionics, government, medical, military, industrial control, automotive and other applications where reliability and security are paramount. Originally developed within Cornell University, GrammaTech is now a leading research center for software security and a commercial vendor of software-assurance tools and advanced cyber-security solutions. With both static and dynamic analysis tools that analyze source code as well as binary executables, GrammaTech continues to advance the science of superior software analysis, providing technology for developers to produce safer software. For more information, visit www.grammatech.com or follow GrammaTech on LinkedIn.