TOIF Comments (AB review email March 9th 2018)
Need to define Generator in beginning of document, as equivalent to TOIF producer. Unify language around Generator, it is confusing to use different terms in different places for the same thing.
Please note who decides criticality and confidence measure values. Note at beginning of document.
Make clear what is difference between ‘designation’ and ‘actual category’, Note is not clear without previous understanding. For example ‘Weakness Type Identifier’ on p12, CWE Identifier p 13 says ‘This is not a designation, but the actual category. The suffix Identifier is added for consistency with “CWE Identifier” and SFP Identifier”, to avoid possible confusion between “CWE” as the entire catalog, “CWE” as a specific category of weakness in the CWE catalog.’
Does this mean it is a category of weakness?
Source and Sink are not meaningful terms to unfamiliar reader. Source means a weakness which has no effect unless another weakness exists which makes it apparent (a sink). An explanation in the introduction would be helpful. More meaningful names would be even better but that may be hard.
Add introductory overview of Software Fault Patterns.
Perhaps the RFC should mention the relationship to OASIS Sarif
Please use spell checker.
In addition to editorial comments, some additional comments follow specific to the sections:
s/of the TOIF XMI/of the domain/
S/tools, is addressed/tools. This is addressed/
#3 s/on SFP and CWE./on SFP and CWE when capturing findings./
“SFP Cluster-i is the SFP Cluster that describes the broad and non-overlapping set of faults to which the weakness type belongs.”
Maybe add who does this clustering
ITU standard: ITU X.1524 Common Weakness Enumeration
Cannot access this this
Is there a non-ITU variant available to look at, can provide reference?
Is there a URL for AFRL-RY-WP-TR-2012-0111, V2 - DoD document approved for public release, distribution unlimited?
Para 4 s/fact define/facts define/
Figure 1 - assume text on right of this diagram does not need to be legible, consider to possibly remove.
s/producers ro/producers of/
“the System Assurance Ecosystem, by the Object Management Group (OMG)” Where is this defined? Is there a reference to a document?
S/tools is made/tools be made/
s/verb nad/verb and/
s/normalize these report (both/normalize these reports (both/
“Phase 3 involves consuming the integrated TOIF weakness finding facts for the purposes of presenting them to human analysts (browsing), analyzing them as the software assurance, entering them as evidence for risk assessment or RMF security control assessment, as well as any other purposes.”
‘as the software assurance’ - for what?
RMF - what is this? Expand the acronym.
SCA Tool - add at end “SCA tools are also known as Generators.”
TOIF Adaptor tool -
s/TOIF specification uses/The TOIF specification uses/
KDM tool -
s/provides capability/provides the capability/
Code Linker -
Figure 2, p8
Replace “TOIF producers” with “TOIF Generators” in figure
Add analytics tool to Figure 2.
s/woth multiple example/with multiple examples/
s/discenrable/discernible/ 2 times
The following does not make sense, and is not clear:
“This is a stronger form of the fact type Data element is involved in Finding, and is usually related to the Source and Sink of the Finding.“
Same form? Stronger form? In what way stronger? How related?
First time audit information mentioned. Mention it in conceptual model section? Be consistent - housekeeping or audit? Audit seems better term.
s/unrelated TOIF Segment/unrelated TOIF Segments/
s/to reduce the possibility of errors caused by merging TOIF Segment with the unrelated KDM model/to reduce the possibility of errors caused by merging a TOIF Segment with an unrelated KDM model/
Explain formalized 3-level hierarchical system of weakness types that involve a combination of the Software Fault Patterns (SFP) catalog and the Common Weakness Enumeration (CWE) in introduction, add diagram.
s/Any capability to consumes one or more TOIF segments and produces one or more TOIF segments./Any capability to consume one or more TOIF segments and produce one or more TOIF segments./
Is Build description correct? Seems wrong. Isn’t it a description of the build? Existing is “Definition: Text of the weakness description”
Why offer synonym for Build - TOIFBuild? Is it necessary to have both?
s/Evidential Records). Finally, we will keep distinguishing the Attributes, as few special verb concepts/Evidential Records, for example). Finally, we will distinguish Attributes with a few special verb concepts/
Use uniform expression throughout - replace Evidential Record with Audit Record? eg p21
“4. Each Finding instance must the the subject of at least one FindingIsProducedByAdaptor clause”
What if no adaptor is needed since generator does it all?
s/is provides/is provided/
CWE 561 is dead code
Use 886 for SFP instead, which is for unused entities, so it is consistent
Change cluster name accordingly, not Authentication
Not sure I understand FIgure 5
Isn’t Finding related to code location and hence navigatable that way
Does diagram match concept? Not sure why fining and code location aren’t connected and shown together as navigable.
s/used for the/used for/
Should file type be recorded explicitly rather than relying on file name extension or magic number for type?
Assume xml indentation is meaningless. Re-indent.
Can a build span two dates, e.g. overnight build?
Is build date start time, end time?
For automated nightly build, who is this? Presume role assigned in system.
Aren’t more than one phone or email possible for a contact?
There are 7 categories if we add date, person, organization and role.
Say more on these as well?
P87 compiler record
What about linker, custom pre-processing scripts, custom tools, etc