On Wed, Jul 09, 2014 at 06:20:49PM +0100, Ben Laurie wrote:
> On 9 July 2014 14:38, Paul Morriss <paul.morr...@tokenbay.co.uk> wrote:
> > I am keen to get more involved in the development of OpenSSL, I am curious,
> > has the code been run through a static analysis tool (such as Coverity)?
>
> Coverity do run OpenSSL through their tool. The false positive rate is
> depressingly high (or was last I looked).

Once you mark a failure as being a false positive via their web interface, they won't bother with you about it going forward. And we've had some success with the kernel getting them to make their tool smarter. (At least in theory they are supposed to take the false positive reports to improve their tool.)

- Ted
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org