John, agreed to your points on limiting exposure to security vulnerabilities, but Coverity is not known for security analysis. I am not advocating any tool in particular; the intent is more to catch bugs early on.

Thanks
Animesh

-----Original Message-----
From: John Kinsella [mailto:j...@stratosec.co]
Sent: Tuesday, November 20, 2012 11:53 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Static Analysis Tools

Allow me to clarify my previous statement - Fortify has such a program, as well, and they've given me a license to scan ACS for this purpose.

What you run into with this is I don't think you want a security scanner as part of the build process, for several reasons:

* They're slow.
* Unless a human reviews the results, they're pretty much useless. So you're just burning CPU cycles.
* If an issue is found, I don't think we want it publicly available on something like Jenkins, but to be reviewed and handled by a security team (which for now is the PPMC) and then announced in a controlled manner.

Happy to discuss these points at any level of detail, or add people to the security team if there's interest. :)

John

ps we've been meaning to have a security discussion on the list, I suspect this thread will accelerate that...

On Nov 20, 2012, at 11:39 AM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:

> I have used Coverity in the past for commercial projects with very
> good success. I did a quick google search and looks like Coverity has
> a program for open source software quality which can potentially be
> leveraged for CloudStack. Here is the link
> http://scan.coverity.com/getting-started.html
>
>
> -----Original Message-----
> From: John Kinsella [mailto:j...@stratosec.co]
> Sent: Tuesday, November 20, 2012 11:12 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Static Analysis Tools
>
> Additionally I (and others) run ACS through Fortify Source Code Analyzer.
> Personally I think findbugs is a bit of a toy, but anything helps...
>
> John
>
> On Nov 20, 2012, at 10:44 AM, David Nalley <da...@gnsa.us> wrote:
>
>> On Tue, Nov 20, 2012 at 1:36 PM, Animesh Chaturvedi
>> <animesh.chaturv...@citrix.com> wrote:
>>>
>>> Folks
>>>
>>> I want to get your opinion on using static analysis tools like PMD
>>> for CloudStack to catch some of the bugs early on. Maven has a
>>> plugin for PMD http://maven.apache.org/plugins/maven-pmd-plugin/
>>>
>>> Thanks
>>> Animesh
>>
>> So we have Sonar (analysis.apache.org) sorta in place - doesn't mean
>> we can't do something else, but this exists.
>> https://analysis.apache.org/dashboard/index/100206
>>
>> --David
>>
>
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella
>

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella