Agreed

-----Original Message-----
From: John Kinsella [mailto:j...@stratosec.co] 
Sent: Tuesday, November 20, 2012 2:01 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Static Analysis Tools

My bad for misinterpretation. :) Coverity for a while actually did try to 
market themselves as a security product...yeah they still have their "Security 
Advisor" product. That said, I wouldn't say it's what they're known for, 
either. ;)

Anyways - yeah if we can have a system that points out common software defects, 
I can't think of a reason not to use it.

It'll help improve security as a side effect as well, as many security defects 
are related to some type of software defect...

John

On Nov 20, 2012, at 12:15 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com>
 wrote:

> John
> 
> Agreed to your points on limiting exposure to security vulnerability but 
> Coverity is not known for security analysis. I am not advocating any tool in 
> particular the intent is more to catch bugs early on.
> 
> Thanks
> Animesh
> 
> -----Original Message-----
> From: John Kinsella [mailto:j...@stratosec.co]
> Sent: Tuesday, November 20, 2012 11:53 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Static Analysis Tools
> 
> Allow me to clarify my previous statement - Fortify has such a program, as 
> well, and they've given me a license to scan ACS for this purpose.
> 
> What you run into with this, is I don't think you want a security scanner as 
> part of the build process for several reasons:
> * They're slow.
> * Unless a human reviews the results, they're pretty much useless. So you're 
> just burning CPU cycles.
> * If an issue is found, I don't think we want it publicly available on 
> something like Jenkins, but to be reviewed and handled by a security team 
> (which for now is the PPMC) and then announce it in a controlled manner.
> 
> Happy to discuss these points at any level of detail, or add people to 
> the security team if there's interest. :)
> 
> John
> ps we've been meaning to have a security discussion on the list, I suspect 
> this thread will accelerate that...
> 
> On Nov 20, 2012, at 11:39 AM, Animesh Chaturvedi 
> <animesh.chaturv...@citrix.com>
> wrote:
> 
>> I have used Coverity in the past for commercial projects with very 
>> good success.  I did a quick google search and looks like Coverity 
>> has a program for open source software quality which can potentially be 
>> leveraged for CloudStack. Here is the link 
>> http://scan.coverity.com/getting-started.html
>> 
>> 
>> -----Original Message-----
>> From: John Kinsella [mailto:j...@stratosec.co]
>> Sent: Tuesday, November 20, 2012 11:12 AM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: Static Analysis Tools
>> 
>> Additionally I (and others) run ACS through Fortify Source Code Analyzer. 
>> Personally I think findbugs is a bit of a toy, but anything helps...
>> 
>> John
>> 
>> On Nov 20, 2012, at 10:44 AM, David Nalley <da...@gnsa.us>
>> wrote:
>> 
>>> On Tue, Nov 20, 2012 at 1:36 PM, Animesh Chaturvedi 
>>> <animesh.chaturv...@citrix.com> wrote:
>>>> 
>>>> Folks
>>>> 
>>>> I want to get your opinion on using static analysis tools like PMD 
>>>> for CloudStack to catch some of the bugs early on. Maven has a 
>>>> plugin for PMD: http://maven.apache.org/plugins/maven-pmd-plugin/
>>>> 
>>>> Thanks
>>>> Animesh
>>> 
>>> So we have Sonar (analysis.apache.org) sorta in place - doesn't mean 
>>> we can't do something else, but this exists.
>>> https://analysis.apache.org/dashboard/index/100206
>>> 
>>> --David
>>> 
>> 
>> Stratosec - Secure Infrastructure as a Service
>> o: 415.315.9385
>> @johnlkinsella
>> 
>> 
> 
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella
> 
> 

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella