Software Fault Pattern Metamodel (SFPM) RFC

Status: The FAX Vote has completed.


One of the key steps in preventing cyber attacks is to collect, analyze and efficiently manage knowledge about exploitable weaknesses in such a way that this knowledge can be utilized by the community to build more comprehensive prevention, detection and mitigation solutions. Several classifications of weaknesses have been developed by the community; however, it has been observed that all existing approaches resist automation. The primary objective of the Software Fault Pattern (SFP) Catalog is to bring clarity and precision to the study of weaknesses by building a systematic machine-consumable catalog of software faults, and to enable analytics and automation of various workflows involving the knowledge of software faults. To this end, the SFP approach brings together several successful model-based techniques:
- ISO/OMG Knowledge Discovery Metamodel (KDM) as a language-neutral, vendor-independent vocabulary for describing software facts;
- community best practices for machine-consumable descriptions of software faults as data flows; - ISO/OMG Semantics of Business Vocabularies and Rules (SBVR) as a logical foundation for formal definitions of logical propositions on top of vocabularies such as KDM, and
- Meta-Object Facility (MOF) as the foundation for building technology-neutral representations. The resulting apparatus allows structured definitions of semantics of software faults, accumulation of reusable content, analytics, and development of new capabilities. SFP XML (XMI) is a common interoperable format for representing machine-consumable content related to software faults, their formal semantics and their mappings to the elements of the Common Weakness Enumeration (CWE) catalog. SFP XMI is the foundation for the OMG Catalog of Software Fault Patterns (SFP) that will over time accumulate formal machine-consumable definitions of individual software faults and other structured content related to software faults. SFP XMI supports a larger ecosystem of capabilities that need to exchange formal definitions of weaknesses, including but not limited to test generation tools, static code analysis tools, data repositories, machine learning tools, visualization tools, training tools. XML stands for eXtended Markup Language. The acronym XMI stands for XML Metadata Interchange format. XMI is a specific form of XML that is associated with the Model Driven Development approach. XMI has been developed for the purpose of exchanging metadata such as models. XMI is standardized by OMG (current specification is identified as MOF 2.4.2 / XMI Mapping Specification, v2.5.1, document formal/15-06-07) and ISO (19503:2005).

RFC Issued March 27, 2020
Relevant documents:
sysa/20-03-04 (Software Fault Pattern Metamodel (SFPM) RFC clean UML file)
sysa/20-03-03 (Software Fault Pattern Metamodel (SFPM) XSD file)
sysa/20-03-02 (Software Fault Pattern Metamodel (SFPM) Inventory file)
sysa/20-03-01 (Software Fault Pattern Metamodel (SFPM) RFC)
sysa/20-02-08 (Software Fault Pattern Metamodel (SFPM) cover letter)
sysa/20-02-07 (Software Fault Pattern Metamodel (SFPM) EMF file)
sysa/20-02-04 (Software Fault Pattern Metamodel (SFPM) MagicDraw)
sysa/20-02-03 (Software Fault Pattern Metamodel (SFPM) EMOF file)
RFC Public Comment Deadline May 25, 2020