NIST is preparing the fifth Static Analysis Tool Exposition (SATE V).
Briefly, participating tool makers run their static analyzer on a set
of programs. Researchers led by NIST analyze the tool reports and
present the results and experiences at a workshop. A detailed plan
is available at:
http://samate.nist.gov/SATE.html
We plan to provide test cases by June 3rd. Tool makers will have until
August 1st (if at all possible; September 1st at the latest) to run their
tool and return their tool outputs.
The main changes since SATE IV:
Virtual machines (VM) with the test cases will be hosted by the
Software Assurance Marketplace (SWAMP). We will ask tool makers to
install temporarily (for the duration of SATE V only) and run their tools
in the assigned VMs. SWAMP is described at: http://www.cosalab.org
We will ask teams to provide a Coverage Claims Representation (CCR)
of the weaknesses their tool can find. CCR is described at:
http://cwe.mitre.org/compatible/ccr.html
So as to encourage wider participation, NIST will not make tool outputs
publicly available, unless otherwise specified by the teams. In case a team
wants to release its own data, we can host them on the SATE website.
We will recognize and encourage sound static analyzers (tools that in
theory never report incorrect findings). We will publish our sound analysis
criteria shortly.
We invite tool makers to sign up. If you would like to participate in
the exposition, or if you have questions or suggestions, please email
Aurelien Delaitre (aure 'at' nist.govhttp://nist.gov).