> -----Original Message-----
> From: Jon A. Cruz [mailto:jonc at osg.samsung.com]
> Sent: Wednesday, July 15, 2015 3:15 PM
> To: Dieter, William R; iotivity-dev at lists.iotivity.org
> Subject: Re: [dev] Static Analysis
> 
> 
> 
> On 07/14/2015 07:51 AM, Dieter, William R wrote:
> > One of the original plans for the Linux Foundation infrastructure was to use
> > Sonar to run the SonarQube C++ plug-in.  We have run into a few problems
> > using the commercial plug-in, however there are several community plug-ins
> > for C/C++ code:
> >
> > * vera++ (for checking style)
> > * cppcheck (static analysis checking for buffer overflows, memory, and
> > other problems)
> > * RATS (checking for security problems, including buffer overflows)
> > [... deleted ...]
On 07/15/2015 3:15 PM Jon A. Cruz wrote:
> It would be interesting to see how this compares with output from Coverity.
> 
> For security, though, there is some rationale to avoid publishing full
> information immediately to the general public. If some actual security issues
> are spotted it might be good to have a review process to address them, etc.
> Of course, for pure open source code this is perhaps less of a factor, but
> there should be some thought given to what might be the appropriate
> responsible disclosure policies.

I can see the argument for not wanting to advertise existing security flaws.  
OTOH, the tools are all the open source community versions, so an attacker 
could run them just as easily as us.  We would just be saving the attacker the 
effort of setting up the tools for themselves.

Hopefully, in the long run, we would make all the recommended fixes or analyze 
them, determine them not to be a problem, and flag them as such.  At that 
point, the only things being flagged would be new problems.  If they get 
flagged as part of the verification build in the code review process, they will 
be exposed before the code is committed to the repo.  That is, we would be 
advertising potential security issues, but only in code that is under code 
review and not yet merged with the repo.  Reviewers could decide whether or not 
a threat exists and +1 or -1 accordingly.

Does this sound reasonable?

Bill.

> --
> Jon A. Cruz - Senior Open Source Developer Samsung Open Source Group
> jonc at osg.samsung.com
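The workflow Bill describes above (triage every existing finding, record the ones judged not to be a problem, then let the verification build flag only findings that are not on that list) is a suppression baseline. The script below is an added example, not code from this thread or from the IoTivity project. It assumes cppcheck was run with `--template='{file}:{line}:{severity}:{id}:{message}'` so that each finding is one line, and that the reviewed findings are kept in cppcheck's own `--suppressions-list` syntax (`errorId[:filename[:line]]`, `*` wildcards allowed in the filename). The file names and findings in the sample report are constructed.

```python
"""Fail a verification build only on cppcheck findings that reviewers have not yet triaged."""
import re
from fnmatch import fnmatch
from typing import List, NamedTuple, Tuple

# Assumed invocation (not from the thread):
#   cppcheck --template='{file}:{line}:{severity}:{id}:{message}' src/ > report.txt
FINDING_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):(?P<severity>[a-z]+):(?P<id>\w+):(?P<message>.*)$"
)


class Finding(NamedTuple):
    file: str
    line: int
    severity: str
    id: str
    message: str


def parse_report(report: str) -> List[Finding]:
    """One finding per matching line; progress chatter such as 'Checking ...' is ignored."""
    findings = []
    for raw in report.splitlines():
        m = FINDING_RE.match(raw.strip())
        if m:
            findings.append(Finding(m["file"], int(m["line"]), m["severity"], m["id"], m["message"]))
    return findings


# (error id, filename pattern, line number or 0 meaning "any line")
Suppression = Tuple[str, str, int]


def parse_suppressions(text: str) -> List[Suppression]:
    """Parse cppcheck suppressions-list lines: errorId[:filename[:line]]. '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        parts = entry.split(":")
        error_id = parts[0]
        pattern = parts[1] if len(parts) > 1 and parts[1] else "*"
        lineno = int(parts[2]) if len(parts) > 2 else 0
        rules.append((error_id, pattern, lineno))
    return rules


def is_suppressed(finding: Finding, rules: List[Suppression]) -> bool:
    """A finding is triaged when some rule matches its id, its file and (if given) its line."""
    return any(
        error_id == finding.id and fnmatch(finding.file, pattern) and (lineno in (0, finding.line))
        for error_id, pattern, lineno in rules
    )


def new_findings(report: str, suppressions: str, blocking=("error", "warning")) -> List[Finding]:
    """Findings of a blocking severity that no reviewed suppression covers."""
    rules = parse_suppressions(suppressions)
    return [f for f in parse_report(report) if f.severity in blocking and not is_suppressed(f, rules)]


def verify(report: str, suppressions: str) -> int:
    """Exit status for the verification build: 0 when only triaged findings remain, else 1."""
    fresh = new_findings(report, suppressions)
    for f in fresh:
        print(f"NEW {f.severity} {f.file}:{f.line} [{f.id}] {f.message}")
    return 1 if fresh else 0


# Constructed sample report; file names and findings are invented for the example.
SAMPLE_REPORT = """\
Checking src/socket.c ...
src/socket.c:88:error:arrayIndexOutOfBounds:Array 'addr[16]' accessed at index 16, which is out of bounds.
src/client.c:212:warning:nullPointer:Possible null pointer dereference: res
src/client.c:240:style:variableScope:The scope of the variable 'i' can be reduced.
src/stack.c:1402:error:memleak:Memory leak: payload
third_party/vendor_parser.c:51:warning:uninitvar:Uninitialized variable: tok
"""

# Constructed triage list in cppcheck suppressions-list syntax.
SAMPLE_SUPPRESSIONS = """\
# reviewed: index is bounds-checked by the caller
arrayIndexOutOfBounds:src/socket.c:88
# vendored code, tracked upstream rather than patched here
uninitvar:third_party/*
"""

if __name__ == "__main__":
    raise SystemExit(verify(SAMPLE_REPORT, SAMPLE_SUPPRESSIONS))
```

Run in the verification job, a non-zero exit blocks the change until a reviewer either fixes the finding or, having judged it harmless, adds a line to the suppressions file in the same change so the decision is itself visible in review. Keying suppressions on `file:line` is precise but brittle when lines shift; dropping the line number from an entry (as the `third_party/*` rule does) trades precision for stability.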
