Gavin, Michael wrote:
> Yeah, statistics can allow you to say and "prove" just about anything.
>
> OK, showing my ignorance here, since I haven't checked out any of the
> LAMP source trees and reviewed the code: how much of the code making up
> those modules is written in scripting languages vs. how much of it is
> written in C, C++ (and how much, if any, is written in any other
> compiled languages)?
>
That doesn't matter; what matters is what fraction of disclosed vulnerabilities is in each segment of the code? If 90% of the vulnerabilities come from the PHP part, then the fact that 90% of the lines of code are in C doesn't help.

> If the LAMP source code itself is primarily C/C++, then arguably, the
> results are somewhat interesting, though I think they would be much more
> interesting if this DISA project was set up to test the open source code
> with a number of commercial scanners instead of just the Coverity
> scanner, then we could at least compare the merits of various scanning
> techniques and implementations.

The proprietary status of the Coverity scanner is a continuous pain. That's why I tend to ignore it where possible :)

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php