OMG Mailing List: Tools Output Integration Framework (TOIF) 1.0 Finalization Task Force

Open Issues

  • Issues not resolved
  • Name: toif-ftf
  • Issues Count: 9

Issues Descriptions

Use shall/should for TOIF clauses

  • Key: TOIF-9
  • Status: open  
  • Source: KDM Analytics (Nikolai Mansourov)
  • Summary:

    TOIF shall use the verb "shall" to represent mandatory clauses in the compliance point. TOIF shall use the verb "should" to represent optional clauses in the compliance point.

  • Reported: TOIF 1.2 — Tue, 21 Aug 2018 01:41 GMT
  • Updated: Sat, 25 Aug 2018 00:28 GMT

Clarify unique TOIF objectives

  • Key: TOIF-8
  • Status: open  
  • Source: KDM Analytics (Nikolai Mansourov)
  • Summary:

    Phrase objectives more clearly, provide a bulleted-list instead of text paragraphs, focus on the unique objectives of the TOIF framework.

  • Reported: TOIF 1.2 — Tue, 21 Aug 2018 01:38 GMT
  • Updated: Sat, 25 Aug 2018 00:28 GMT

Clarify TOIF compliance to distinguish generators and consumers of TOIF

  • Key: TOIF-7
  • Status: open  
  • Source: KDM Analytics (Nikolai Mansourov)
  • Summary:

    TOIF defines a single compliance point. Define 3 distinct compliance points for TOIF generator, TOIF consumer and TOIF analytics, as they have distinct inputs and outputs.

  • Reported: TOIF 1.2 — Tue, 21 Aug 2018 01:35 GMT
  • Updated: Sat, 25 Aug 2018 00:28 GMT


Replace EvidentialRecord with AuditRecord

  • Key: TOIF-5
  • Status: open  
  • Source: KDM Analytics (Nikolai Mansourov)
  • Summary:

    s/Evidential Records). Finally, we will keep distinguishing the Attributes, as few special verb concepts/Evidential Records, for example). Finally, we will distinguish Attributes with a few special verb concepts/

    Use uniform expression throughout - replace Evidential Record with Audit Record? eg p21

  • Reported: TOIF 1.2 — Tue, 21 Aug 2018 01:30 GMT
  • Updated: Sat, 25 Aug 2018 00:28 GMT

References to SFP in TOIF

  • Key: TOIF-4
  • Status: open  
  • Source: KDM Analytics (Nikolai Mansourov)
  • Summary:

    p31
    CWE 561 is dead code
    Use 886 for SFP instead, which is for unused entities, so it is consistent
    Change cluster name accordingly, not Authentication

  • Reported: TOIF 1.2 — Tue, 21 Aug 2018 01:28 GMT
  • Updated: Sat, 25 Aug 2018 00:28 GMT

Expand compiler record

  • Key: TOIF-3
  • Status: open  
  • Source: KDM Analytics (Nikolai Mansourov)
  • Summary:

    P87 compiler record
    What about linker, custom pre-processing scripts, custom tools, etc

  • Reported: TOIF 1.2 — Tue, 21 Aug 2018 01:27 GMT
  • Updated: Sat, 25 Aug 2018 00:28 GMT

Add explicit file type attribute

  • Key: TOIF-2
  • Status: open  
  • Source: KDM Analytics (Nikolai Mansourov)
  • Summary:

    P39, p41
    Should file type be recorded explicitly rather than relying on file name extension or magic number for type?

  • Reported: TOIF 1.2 — Tue, 21 Aug 2018 01:26 GMT
  • Updated: Sat, 25 Aug 2018 00:28 GMT

Editorial changes based on AB review

  • Key: TOIF-1
  • Status: open  
  • Source: KDM Analytics (Nikolai Mansourov)
  • Summary:

    TOIF Comments (AB review email March 9th 2018)

    General

    Need to define Generator in beginning of document, as equivalent to TOIF producer. Unify language around Generator, it is confusing to use different terms in different places for the same thing.

    Please note who decides criticality and confidence measure values. Note at beginning of document.

    Make clear what is difference between ‘designation’ and ‘actual category’, Note is not clear without previous understanding. For example ‘Weakness Type Identifier’ on p12, CWE Identifier p 13 says ‘This is not a designation, but the actual category. The suffix Identifier is added for consistency with “CWE Identifier” and SFP Identifier”, to avoid possible confusion between “CWE” as the entire catalog, “CWE” as a specific category of weakness in the CWE catalog.’

    Does this mean it is a category of weakness?

    Source and Sink are not meaningful terms to unfamiliar reader. Source means a weakness which has no effect unless another weakness exists which makes it apparent (a sink). An explanation in the introduction would be helpful. More meaningful names would be even better but that may be hard.

    Add introductory overview of Software Fault Patterns.

    Perhaps the RFC should mention the relationship to OASIS Sarif

    Please use spell checker.

    In addition to editorial comments, some additional comments follow specific to the sections:

    s/proprietaty/proprietary/

    Section 2
    s/of the TOIF XMI/of the domain/

    S/tools, is addressed/tools. This is addressed/

    Section 3

    #3 s/on SFP and CWE./on SFP and CWE when capturing findings./

    For
    “SFP Cluster-i is the SFP Cluster that describes the broad and non-overlapping set of faults to which the weakness type belongs.”
    Maybe add who does this clustering

    Section 4.2

    ITU standard: ITU X.1524 Common Weakness Enumeration
    Cannot access this
    https://www.itu.int/rec/T-RECX.1524-201203-I/en

    Is there a non-ITU variant available to look at, can provide reference?

    Is there a URL for AFRL-RY-WP-TR-2012-0111, V2 - DoD document approved for public release, distribution unlimited?

    Section 7.1

    Para 4 s/fact define/facts define/

    Figure 1 - assume text on right of this diagram does not need to be legible, consider to possibly remove.

    Section 8.1

    s/producers ro/producers of/

    “the System Assurance Ecosystem, by the Object Management Group (OMG)” Where is this defined? Is there a reference to a document?

    S/tools is made/tools be made/

    s/Compilance/Compliance/

    s/verb nad/verb and/

    8.2

    s/normalize these report (both/normalize these reports (both/

    “Phase 3 involves consuming the integrated TOIF weakness finding facts for the purposes of presenting them to human analysts (browsing), analyzing them as the software assurance, entering them as evidence for risk assessment or RMF security control assessment, as well as any other purposes.”

    ‘as the software assurance’ - for what?

    RMF - what is this? Expand the acronym.

    p7
    SCA Tool - add at end “SCA tools are also known as Generators.”

    TOIF Adaptor tool -
    s/TOIF specification uses/The TOIF specification uses/

    KDM tool -
    s/provides capability/provides the capability/

    Code Linker -
    S. s/execulatble/executable/

    Figure 2, p8
    Replace “TOIF producers” with “TOIF Generators” in figure

    Add analytics tool to Figure 2.

    Section 9

    s/woth multiple example/with multiple examples/

    p15 Statement
    s/identifieable/identifiable/

    s/discenrable/discernible/ 2 times

    p16 s/identifieable/identifiable/

    The following does not make sense, and is not clear:
    “This is a stronger form of the fact type Data element is involved in Finding, and is usually related to the Source and Sink of the Finding.“

    Same form? Stronger form? In what way stronger? How related?

    9.2 p17

    First time audit information mentioned. Mention it in conceptual model section? Be consistent - housekeeping or audit? Audit seems better term.

    s/unrelated TOIF Segment/unrelated TOIF Segments/

    s/to reduce the possibility of errors caused by merging TOIF Segment with the unrelated KDM model/to reduce the possibility of errors caused by merging a TOIF Segment with an unrelated KDM model/

    Adaptor:
    s/wat/way/

    s/weakneds/weakness/

    Explain formalized 3-level hierarchical system of weakness types that involve a combination of the Software Fault Patterns (SFP) catalog and the Common Weakness Enumeration (CWE) in introduction, add diagram.

    P18
    s/Any capability to consumes one or more TOIF segments and produces one or more TOIF segments./Any capability to consume one or more TOIF segments and produce one or more TOIF segments./

    p20
    Is Build description correct? Seems wrong. Isn’t it a description of the build? Existing is “Definition: Text of the weakness description”

    Why offer synonym for Build - TOIFBuild? Is it necessary to have both?

    s/Evidential Records). Finally, we will keep distinguishing the Attributes, as few special verb concepts/Evidential Records, for example). Finally, we will distinguish Attributes with a few special verb concepts/

    Use uniform expression throughout - replace Evidential Record with Audit Record? eg p21

    p24
    “4. Each Finding instance must the the subject of at least one FindingIsProducedByAdaptor clause”

    What if no adaptor is needed since generator does it all?

    s/is provides/is provided/

    p31
    CWE 561 is dead code
    Use 886 for SFP instead, which is for unused entities, so it is consistent
    Change cluster name accordingly, not Authentication

    P33
    Not sure I understand Figure 5
    Isn't Finding related to code location and hence navigable that way?
    Does diagram match concept? Not sure why finding and code location aren't connected and shown together as navigable.

    P36
    s/used for the/used for/

    P39, p41
    Should file type be recorded explicitly rather than relying on file name extension or magic number for type?

    p51
    S/Thid/This/

    P52
    Assume xml indentation is meaningless. Re-indent.

    P53
    Can a build span two dates, e.g. overnight build?

    Is build date start time, end time?

    P56
    BuildIsGeneratedByPerson
    For automated nightly build, who is this? Presume role assigned in system.

    P68
    Aren’t more than one phone or email possible for a contact?

    P78
    S/nad/and/

    P82
    There are 7 categories if we add date, person, organization and role.
    Say more on these as well?

    P87 compiler record
    What about linker, custom pre-processing scripts, custom tools, etc

    • end -
  • Reported: TOIF 1.2 — Tue, 21 Aug 2018 01:25 GMT
  • Updated: Sat, 25 Aug 2018 00:28 GMT