Brendan,

I have spent quite some time analyzing logs of czech (a tool quite similar to flawfinder). From personal experience I can say that the "statical quality" of the JavaScript engine is very good, so your bashing of the false positives is understandable, but totally bashing the use of such tools for other modules is wrong IMHO.

The fact is, with the help of source analysis I have found an exploitable bug in Mailnews and another exploitable one which was hopefully #ifdef'ed.
In some cases with sprintf (and such) and pointer arithmetic I was unable to tell whether the warning is exploitable or a false positive - a person who is familiar with the source can tell, and better yet use the safe function having the lengths in mind.
As someone already pointed out, these warnings, though false positives, may have some educational effect on some developers - I suggest always using strncpy instead of strcpy - the overhead is minimal.
Also, the following does not work - someone checks the source and at the same time some people continue to write insecure code.
I may be wrong, but practice shows that the more warnings tools give about a product, the more security bugs are discovered - good examples of this are qmail and apache.
I also disagree that buying an expensive auditing tool is a good solution.
Such an expensive tool may somewhat decrease the number of false positives, but it can't prove bugginess or bug-freeness - this is still a human decision - there was a quote from Dijkstra IIRC:
"Testing for bugs can prove their presence, but not their absence", or something like this.

georgi
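As an added example (not code from georgi's message or from the Mozilla tree), the following C shows the unbounded copy that a lexical checker such as flawfinder flags, next to the bounded copy and bounded formatting the message recommends. It also shows the caveat behind "having the lengths in mind": strncpy does not write a terminator when the source fills the buffer, and snprintf only reports truncation through its return value. The buffer sizes and sample strings are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* What the checker warns about: strcpy copies until the source's NUL,
   regardless of how large dst is. Shown for contrast, not used below. */
void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy. strncpy pads with NULs but does not guarantee a terminator
   when src is at least dst_size long, so terminate explicitly.
   Returns 1 if the source was truncated, 0 otherwise. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size;
}

/* Bounded formatting. snprintf always terminates (for dst_size > 0) and
   returns the length it would have needed; a value >= dst_size means the
   output was cut short. Returns 1 on truncation or error, 0 otherwise. */
int format_bounded(char *dst, size_t dst_size, const char *user, const char *host)
{
    int n = snprintf(dst, dst_size, "%s@%s", user, host);
    return n < 0 || (size_t)n >= dst_size;
}

/* Constructed demo: a short name fits a 16-byte field untouched. */
int demo_copy_fits(void)
{
    char name[16];
    int truncated = copy_bounded(name, sizeof name, "georgi");
    return !truncated && strcmp(name, "georgi") == 0;
}

/* Constructed demo: a 23-byte string into the same 16-byte field is cut to
   15 characters, reported as truncated, and still NUL-terminated. */
int demo_copy_truncates(void)
{
    char name[16];
    int truncated = copy_bounded(name, sizeof name, "this string is too long");
    return truncated && name[sizeof name - 1] == '\0' && strlen(name) == 15;
}

/* Constructed demo: "someone@example.org" (19 bytes) does not fit 12 bytes;
   the caller learns that from the return value instead of from a crash. */
int demo_format_truncates(void)
{
    char addr[12];
    int truncated = format_bounded(addr, sizeof addr, "someone", "example.org");
    return truncated && addr[sizeof addr - 1] == '\0';
}

int main(void)
{
    printf("copy fits: %d\n", demo_copy_fits());
    printf("copy truncates: %d\n", demo_copy_truncates());
    printf("format truncates: %d\n", demo_format_truncates());
    return 0;
}
```

The point of returning the truncation flag is that replacing strcpy with strncpy removes the overflow but silently produces a shortened value; the caller still has to decide whether a cut-off name or address is acceptable, which is exactly the judgement the message says a person familiar with the source must make.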



Brendan Eich wrote:
In http://bugzilla.mozilla.org/show_bug.cgi?id=173641#c12, after much gnashing of teeth over the poor job done by flawfinder | bugzilla, I wrote:

Let's use a better tool before injecting a ton of noise and work into the bug system. Asking knowledgeable Mozilla community members may lead to an existing better tool: [EMAIL PROTECTED] <mailto:roc+moz@;cs.cmu.edu> and [EMAIL PROTECTED] <mailto:tor@;cs.brown.edu> mentioned Dawson Engler's work at Stanford on the Stanford Checker. So, google away, and let's take this exchange to the mozilla.security newsgroup....


And here we are. Anyone have experience with the Stanford Checker or other static code analysis tools based on C/C++ compiler front ends?

/be



