oasis-tcs / sarif-spec

OASIS SARIF TC: Repository for development of the draft standard, where requests for modification should be made via GitHub Issues
https://github.com/oasis-tcs/sarif-spec

Small initial addition of Observability analysis for field compatibility #626

Closed ShiningMassXAcc closed 7 months ago

ShiningMassXAcc commented 9 months ago

Adding a row for observability. Will use this PR to discuss more with Charles the intent behind this table.

ShiningMassXAcc commented 9 months ago

@Motional-Charles-Wilson - I have questions about this table and the goals you have.

Observability likely has two applications - one is listed further down in this doc, to provide context to other findings in the actual criticality/impact in the context of the live product. Observability can also stand on its own - blending signals from the live product (and correct configuration and usage of those signals). Let me know how you think about having 1 or 2 rows to discuss that field comparison.

Generally, I think links to the comparable field definitions (even though they are likely to atrophy) help the consumer be more concrete on the comparisons.

ShiningMassXAcc commented 9 months ago

@dmk42 - Is there a way that I can connect my GitHub account to OASIS so that TC members automatically sync to gh repos to have security access to the repo? It appears different sets of folks have to fork (Charles), and others can commit directly (you, Stephan, etc). Otherwise, is there a way to apply to get added - I didn't see any process there immediately. Thanks!

Motional-Charles-Wilson commented 9 months ago

You can create PRs directly in the web interface.

Charles Wilson, Technical Fellow, Cybersecurity Engineering

On Feb 8, 2024, at 1:41 PM, Nathan Baird wrote:

@dmk42 - Is there a way that I can connect my GitHub account to OASIS so that TC members automatically sync to gh repos to have security access to the repo? It appears different sets of folks have to fork (Charles), and others can commit directly (you, Stephan, etc). Otherwise, is there a way to apply to get added - I didn't see any process there immediately. Thanks!
