[media-types] Notice of request for media-type registration: application/sarif-external-properties+json

Chet Ensign <chet.ensign@oasis-open.org> Thu, 18 March 2021 21:31 UTC

From: Chet Ensign <chet.ensign@oasis-open.org>
Date: Thu, 18 Mar 2021 17:30:24 -0400
Message-ID: <CAAwgnnNVxLFZCt-H=_-WoKxr1dyzo02UiYmUaXPAj+EaOLLZ6w@mail.gmail.com>
To: media-types@iana.org
Cc: mikefan@microsoft.com, David Keaton <dmk@dmk.com>, Luke Cartey <lcartey@github.com>, OASIS SARIF TC Discussion List <sarif@lists.oasis-open.org>, Paul Knight <paul.knight@oasis-open.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/media-types/eT9NGABn1w80xyLlvwofLC5MpZ4>

Members of the OASIS Static Analysis Results Interchange Format (SARIF)
Technical Committee wish to register a media type associated with the
recently-approved SARIF Version 2.1.0 OASIS Standard. We post the
registration request form here for review before submitting it to IANA.

I am the administrative contact for OASIS for IANA registration requests.
The technical contacts for this request are Michael Fanning (
mikefan@microsoft.com) and David Keaton (dmk@dmk.com). They are tasked by
the OASIS SARIF TC to provide any additional information or answers to
questions that you may have.

Thank you in advance for your comments and feedback.

/chet ensign
OASIS Open, Inc.

IETF RFC6838 Section 5.6. Registration Template
https://tools.ietf.org/html/rfc6838#section-5.6

---

Type name:  application

Subtype name:  sarif-external-properties+json

Required parameters:  N/A

Optional parameters:  N/A

Encoding considerations:  Binary: UTF8-encoded text only

Security considerations:

- Since SARIF external property files are serialized as JSON, they are
subject to the same security vulnerabilities as any JSON file.

- The SARIF external property file format captures results from static
analysis tools. Such analysis might disclose information about software
vulnerabilities. Therefore SARIF external property file contents can be
extremely sensitive, requiring external privacy and integrity protection.
Even when the analysis results themselves are not sensitive, SARIF external
property files can have other security issues:

   - SARIF external property files can embed the contents of the
programming artifacts (such as source or binary files) that were analyzed.
Such content can be of any type and may include compressed material, with
all their associated vulnerabilities.

   - SARIF external property files can refer to programming artifacts
through arbitrary URIs, with all their associated vulnerabilities.

   - SARIF external property files produced by web site analysis tools can
contain the full contents of the web requests sent by the tool, and the
resulting web responses. The contents of the requests and responses can be
of any type, with the associated vulnerabilities of those types.

   - The use of absolute paths in analysis result location URIs might
reveal sensitive information about the machine on which the scan was
performed.

   - The use of the hostname component in analysis result location URI
might reveal the network location of the machine on which the scan was
performed.

   - The use of raw HTML in message strings expressed in Markdown might
allow arbitrary code execution (for example, through javascript: links).

   - Any other vulnerabilities associated with Markdown can be leveraged to
attack a SARIF processor. For example, the use of deeply nested constructs
in Markdown message strings might lead to stack overflow in some Markdown
implementations.

   - Certain properties of the SARIF object model might reveal information
about the machine on which a scan was run. (The specification allows such
properties to be omitted or "redacted".)

   - SARIF external property files can contain information about how the
analysis tool was invoked, including the command line that was executed.
This can contain arbitrary commands which might damage a machine on which
they are run.

   - SARIF external property files can contain information about when the
analysis tool was invoked. An attacker might be able to deduce how
frequently scans are run, and therefore might be able to make a malicious
change and then revert it before the next scan detects the problem.

   - SARIF external property files can contain information about errors
encountered by the analysis tool, including its exit code. This can allow
an attacker to craft input to attack the analysis tool.

Interoperability considerations:  N/A

Published specification:

Static Analysis Results Interchange Format (SARIF) Version 2.1.0. Edited by
Michael C. Fanning and Laurence J. Golding. 27 March 2020. OASIS Standard.
https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html.
Latest stage:
https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html.

Applications that use this media type:

The following list is not exhaustive:

 - Static analysis tools
 - Static analysis results visualization tools (viewers)
 - Bug filing tools
 - Defect databases
 - Compliance systems

Fragment identifier considerations:  N/A

Additional information:

   Deprecated alias names for this type: N/A
   Magic number(s): N/A
   File extension(s): .sarif-external-properties,
                      .sarif-external-properties.json
   Macintosh file type code(s): N/A

Person & email address to contact for further information:

Michael C. Fanning (mikefan@microsoft.com) and David Keaton (dmk@dmk.com)

Intended usage: COMMON

Restrictions on usage: N/A

Author:

Static Analysis Results Interchange Format (SARIF) TC (
https://www.oasis-open.org/committees/sarif)

Change controller:

OASIS Open (https://www.oasis-open.org/)

-- 
Chet Ensign

Chief Technical Community Steward

OASIS Open

+1 201-341-1393
chet.ensign@oasis-open.org
www.oasis-open.org
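Added example, not part of the registration text above and not code from the SARIF TC: a consumer-side pre-ingest audit, in Python, that checks a SARIF external properties file for the items the "Security considerations" section lists (raw HTML and javascript: links in Markdown message strings, deeply nested Markdown, absolute paths and hostnames in location URIs, embedded artifact contents, a recorded command line, and the generic hazards of parsing untrusted JSON). The property names follow the SARIF 2.1.0 object model (version, results[].message.markdown, results[].locations[].physicalLocation.artifactLocation.uri, artifacts[].location.uri, artifacts[].contents, invocations[].commandLine); the size cap, the nesting limit and the sample document are assumptions constructed for this example.

```python
"""Pre-ingest audit of a SARIF external properties file (added example).
Property names follow the SARIF 2.1.0 object model (version, results[].message
.markdown, ...physicalLocation.artifactLocation.uri, artifacts[].location.uri,
artifacts[].contents, invocations[].commandLine); the sample is constructed."""
import json
import re
from urllib.parse import urlsplit

MAX_BYTES = 50 * 1024 * 1024  # assumed ingest cap; tune per deployment
MAX_MARKDOWN_NESTING = 32     # assumed; deeper blockquote/list nesting is refused
# Raw HTML tag: '<' directly followed by a tag name, so "a < b" is not flagged.
RAW_HTML_RE = re.compile(r"</?[a-zA-Z][a-zA-Z0-9-]*[^>]*>")
# javascript:/data:/vbscript: target in a Markdown link or an href attribute.
SCRIPT_URL_RE = re.compile(
    r"(?:\]\(|href\s*=\s*[\"']?)\s*(?:javascript|data|vbscript)\s*:", re.IGNORECASE)
# POSIX absolute path, Windows drive path, or UNC path.
ABS_PATH_RE = re.compile(r"^(?:/|[a-zA-Z]:[\\/]|\\\\)")

def load_external_properties(text: str) -> dict:
    """Parse defensively: size cap, object root only, and deep nesting
    (which CPython's json reports as RecursionError) turned into ValueError."""
    if len(text.encode("utf-8")) > MAX_BYTES:
        raise ValueError("external properties file exceeds size cap")
    try:
        doc = json.loads(text)
    except RecursionError as exc:
        raise ValueError("JSON nesting too deep") from exc
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value must be an object")
    return doc

def markdown_nesting_depth(md: str) -> int:
    """Heuristic depth: leading '>' markers plus two-space list indentation."""
    depth = 0
    for line in md.splitlines():
        indent = (len(line) - len(line.lstrip(" "))) // 2
        rest, quotes = line.lstrip(), 0
        while rest.startswith(">"):
            quotes, rest = quotes + 1, rest[1:].lstrip()
        depth = max(depth, indent + quotes)
    return depth

def check_markdown(md: str) -> list:
    """Flag raw HTML, script-scheme links and excessive nesting in a message."""
    findings = []
    if RAW_HTML_RE.search(md):
        findings.append("raw HTML in Markdown message")
    if SCRIPT_URL_RE.search(md):
        findings.append("script URL scheme in Markdown link")
    if markdown_nesting_depth(md) > MAX_MARKDOWN_NESTING:
        findings.append("Markdown nesting exceeds limit")
    return findings

def check_uri(uri: str) -> list:
    """Flag hostnames and absolute paths that describe the scan host."""
    findings = []
    parts = urlsplit(uri)
    if len(parts.scheme) > 1:  # a one-letter "scheme" is really a Windows drive letter
        if parts.hostname:
            findings.append(f"hostname in location URI: {parts.hostname}")
        path = parts.path
    else:
        path = uri
    if ABS_PATH_RE.match(path):
        findings.append(f"absolute path in location URI: {uri}")
    return findings

def audit_external_properties(doc: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if doc.get("version") != "2.1.0":
        findings.append(f"unexpected SARIF version {doc.get('version')!r}")
    for i, result in enumerate(doc.get("results", [])):
        markdown = result.get("message", {}).get("markdown", "")
        findings += [f"results[{i}]: {f}" for f in check_markdown(markdown)]
        for loc in result.get("locations", []):
            uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
            findings += [f"results[{i}]: {f}" for f in check_uri(uri)]
    for i, art in enumerate(doc.get("artifacts", [])):
        findings += [f"artifacts[{i}]: {f}"
                     for f in check_uri(art.get("location", {}).get("uri", ""))]
        if "contents" in art:  # embedded source/binary: untrusted content of any type
            findings.append(f"artifacts[{i}]: embedded artifact contents present")
    for i, inv in enumerate(doc.get("invocations", [])):
        if "commandLine" in inv:  # show it to humans; never re-execute it
            findings.append(f"invocations[{i}]: commandLine recorded")
    return findings

# Constructed sample exercising each check: raw-HTML javascript: link, absolute
# result path, artifact URI with a hostname plus embedded contents, command line.
SAMPLE_JSON = json.dumps({
    "version": "2.1.0",
    "invocations": [{"executionSuccessful": True, "commandLine": "scanner --all /src/app"}],
    "artifacts": [{"location": {"uri": "file://buildhost01/src/app/main.c"},
                   "contents": {"text": "int main(void) { return 0; }"}}],
    "results": [{"ruleId": "EX0001",
                 "message": {"text": "Unsafe call.",
                             "markdown": 'Unsafe call. <a href="javascript:alert(1)">details</a>'},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "/src/app/main.c"}}}]}],
})
```

The audit only reports; what a consumer does with a finding is policy. A viewer would typically fall back to message.text when the Markdown is flagged, display commandLine as inert text, and treat embedded artifact contents as untrusted data of unknown type rather than rendering it.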