Integration of the Static Analysis Results Interchange Format in CogniCrypt
Pith reviewed 2026-05-25 08:57 UTC · model grok-4.3
The pith
CogniCrypt can export its static analysis results in the SARIF format after a mapping study of its output fields.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
After a cross-sectional study between the SARIF format and CogniCrypt's output format, the paper presents an initial implementation of a SARIF export module for CogniCrypt. The module lets the tool generate and export its results in SARIF format; once all SARIF features are used, CogniCrypt can support the Static Analysis Server Protocol.
What carries the argument
The cross-sectional study that identifies the components of CogniCrypt's output the SARIF export module can complete without data loss.
If this is right
- CogniCrypt will support the Static Analysis Server Protocol after taking advantage of all SARIF features.
- The integration described in the paper can be reused to integrate SARIF into other static analysis tools.
- Static analysis warnings can be imported and exported between different tools using the common SARIF format.
- Multiple analysis tools can be integrated into a single interface such as SASP.
Where Pith is reading between the lines
- Unified dashboards could consume SARIF output from many different static analyzers without custom parsers for each tool.
- The same mapping approach could be applied to other analysis tools to test how complete the current SARIF standard is for their specific warning types.
- Real-world codebases could be analyzed to check whether the exported SARIF files preserve enough detail for downstream security review workflows.
Load-bearing premise
A cross-sectional study between the SARIF format and CogniCrypt's output format will identify all components of interest that the SARIF export module can complete without data loss or the need for SARIF extensions.
What would settle it
An exported CogniCrypt report that contains a warning type, location detail, or cryptographic context which cannot be represented in SARIF without custom extensions or loss of information.
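As an added illustration (not code from the paper or from CogniCrypt itself), the core move of the mapping study in Python: constructed CogniCrypt-style findings are mapped onto native SARIF 2.1.0 result fields, and any field without a native home is routed to a SARIF properties bag and reported, which is exactly the data-loss check the premise above depends on. The finding field names and sample values are assumptions; the paper's draft targeted SARIF 2.0, whereas the structure below follows the final 2.1.0 standard.

```python
import json

# Constructed CogniCrypt-style findings (sample input, not real CogniCrypt output).
FINDINGS = [
    {"type": "ConstraintError", "severity": "error",
     "file": "src/main/java/com/example/Crypto.java", "line": 42, "column": 9,
     "class": "com.example.Crypto", "method": "encrypt",
     "message": "Mode ECB violates the constraint on Cipher.getInstance",
     "crysl_spec": "javax.crypto.Cipher",
     "statement": 'Cipher.getInstance("AES/ECB/PKCS5Padding")'},
    {"type": "TypestateError", "severity": "warning",
     "file": "src/main/java/com/example/Crypto.java", "line": 57, "column": 13,
     "class": "com.example.Crypto", "method": "encrypt",
     "message": "Unexpected call to doFinal before init",
     "crysl_spec": "javax.crypto.Cipher",
     "statement": "cipher.doFinal(plaintext)"},
]

# Finding fields that have a native SARIF field; anything else can only survive
# in a properties bag, SARIF's sanctioned extension point (assumed mapping).
NATIVE = {"type", "severity", "file", "line", "column", "class", "method", "message"}
LEVELS = {"error": "error", "warning": "warning", "info": "note"}

def to_result(f):
    """Map one finding to a SARIF result object."""
    extra = {k: v for k, v in f.items() if k not in NATIVE}
    result = {
        "ruleId": f["type"],
        "level": LEVELS[f["severity"]],
        "message": {"text": f["message"]},
        "locations": [{
            "physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"], "startColumn": f["column"]}},
            "logicalLocations": [{"fullyQualifiedName": f"{f['class']}.{f['method']}",
                                  "kind": "method"}],
        }],
    }
    if extra:                       # no native field: keep, but flag as extension
        result["properties"] = extra
    return result

def build_log(findings, tool="CogniCrypt"):
    """Assemble a SARIF 2.1.0 log with one run and one rule per finding type."""
    rules = sorted({f["type"] for f in findings})
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool, "rules": [{"id": r} for r in rules]}},
                      "results": [to_result(f) for f in findings]}]}

def unmapped_fields(findings):
    """Fields that only survive via properties bags: the data-loss check."""
    return sorted({k for f in findings for k in f if k not in NATIVE})

if __name__ == "__main__":
    print(json.dumps(build_log(FINDINGS), indent=2))
    print("needs extension:", unmapped_fields(FINDINGS))
```

A non-empty `unmapped_fields` list is the concrete form of the "data loss or need for SARIF extensions" outcome described above.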
Background - Software companies increasingly rely on static analysis tools to detect potential bugs and security vulnerabilities in their software products. In the past decade, more and more commercial and open-source static analysis tools have been developed and are maintained. Each tool comes with its own reporting format, preventing an easy integration of multiple analysis tools in a single interface, such as the Static Analysis Server Protocol (SASP). In 2017, a collaborative effort in industry, including Microsoft and GrammaTech, proposed the Static Analysis Results Interchange Format (SARIF) to address this issue. SARIF is a standardized format in which static analysis warnings can be encoded, to allow the import and export of analysis reports between different tools.
Purpose - This paper explains the SARIF format through examples and presents a proof of concept of the connector that allows the static analysis tool CogniCrypt to generate and export its results in SARIF format.
Design/Approach - We conduct a cross-sectional study between the SARIF format and CogniCrypt's output format before detailing the implementation of the connector. The study aims to find the components of interest in CogniCrypt that the SARIF export module can complete.
Originality/Value - The integration of SARIF into CogniCrypt described in this paper can be reused to integrate SARIF into other static analysis tools.
Conclusion - After detailing the SARIF format, we present an initial implementation to integrate SARIF into CogniCrypt. After taking advantage of all the features provided by SARIF, CogniCrypt will be able to support SASP.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces the Static Analysis Results Interchange Format (SARIF) and presents a proof-of-concept implementation of a connector that allows the static analysis tool CogniCrypt to export its results in SARIF format. It conducts a cross-sectional study comparing SARIF to CogniCrypt's output format to identify mappable components, implements the export module, and claims that this integration can be reused to integrate SARIF into other static analysis tools, ultimately enabling support for the Static Analysis Server Protocol (SASP).
Significance. If the reusability claim holds, the work would contribute to standardizing static analysis result interchange, facilitating integration of multiple tools. However, the presented evidence is limited to a single-tool PoC without demonstrated generalization, completeness verification, or testing, so the significance is primarily as an initial engineering demonstration rather than a reusable framework.
Major comments (2)
- [Originality/Value (Abstract)] The claim that 'The integration of SARIF into CogniCrypt described in this paper can be reused to integrate SARIF into other static analysis tools' is not supported by the presented work. The cross-sectional study and PoC are specific to CogniCrypt's result structure; no abstraction, second example, or argument for transferability to tools with different schemas is provided.
- [Purpose and Design/Approach (Abstract)] No evidence is provided on the completeness of the mapping, error handling during export, or test results for the connector implementation. The central claim of reusability therefore rests on an unverified assumption that the CogniCrypt-specific mapping generalizes.
Minor comments (1)
- The abstract could more clearly distinguish between the SARIF description, the study, the implementation, and the reusability claim.
Simulated Author's Rebuttal
We thank the referee for the detailed review and constructive criticism. We address the major comments below, acknowledging where the presented evidence is limited to a CogniCrypt-specific proof-of-concept and proposing targeted revisions to the abstract and manuscript.
- Referee: [Originality/Value (Abstract)] The claim that 'The integration of SARIF into CogniCrypt described in this paper can be reused to integrate SARIF into other static analysis tools' is not supported by the presented work. The cross-sectional study and PoC are specific to CogniCrypt's result structure; no abstraction, second example, or argument for transferability to tools with different schemas is provided.
  Authors: We agree that the reusability claim is overstated given the single-tool scope. The cross-sectional study identifies mappable components but provides no explicit abstraction layer, second tool example, or transferability argument. We will revise the Originality/Value section to state that the mapping methodology offers a template for future integrations rather than asserting direct reusability, and we will add a brief discussion of how the approach could be adapted to differing schemas. Revision: yes
- Referee: [Purpose and Design/Approach (Abstract)] No evidence is provided on the completeness of the mapping, error handling during export, or test results for the connector implementation. The central claim of reusability therefore rests on an unverified assumption that the CogniCrypt-specific mapping generalizes.
  Authors: The manuscript describes the mapping and PoC implementation but indeed omits explicit discussion of mapping completeness, error handling, and test results. This reflects the engineering focus of the work. We will revise the Purpose and Design/Approach sections to include a limitations paragraph addressing these points (e.g., partial mapping coverage, basic error cases handled, and absence of systematic testing), while qualifying the reusability assumption. Revision: partial
Circularity Check
No circularity; direct engineering mapping with unsupported generalization claim
The paper describes a cross-sectional comparison of SARIF and CogniCrypt output formats followed by a PoC connector implementation. No equations, fitted parameters, self-referential derivations, or load-bearing self-citations appear. The reusability claim for other tools is an extrapolation from the CogniCrypt-specific work rather than a derivation that reduces to its own inputs by construction. This is an ordinary engineering paper whose central steps are independent of the reusability assertion.
Forward citations
Cited by 1 Pith paper
-
Can I Check What I Designed? Mapping Security Design DSLs to Code Analyzers
An empirical study of security DSLs and code analyzers finds few common concepts, overly general weakness descriptions, and that even experts are overwhelmed by the complexity of potential mappings.