In this discussion:

> | This is a perfect example of how a source code analysis tool failed,
> | because you let a developer tell it to NOT scan it. :) I wonder if
> | there are flags like that in Fortify?
>
> There are flags like that in *every* source code scanner I know of. The
> state of the art is just not at a point where you don't need a way to
> turn off warnings for false positives.
That's exactly right, unfortunately. To compensate for the problem of people inserting bad ignore directives, many scanning tools _also_ include an "ignore the ignores" command. For example, flawfinder has a --neverignore (-n) flag that "ignores the ignore command". I believe that such an option ("ignore ignores") is critically necessary for any tool that has "ignore" directives, to address this very problem. If you couldn't insert "ignore" directives, many people wouldn't use such tools at all, and would release code with vulnerabilities that WOULD be found by such tools.

--- David A. Wheeler

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
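The two mechanisms discussed in the thread, an inline "ignore" directive and a tool-level "ignore the ignores" switch, are easy to see side by side in a toy scanner. The following is an added example written for this page, not flawfinder's code and not part of the mailing-list post; it borrows only flawfinder's `// Flawfinder: ignore` comment convention and the spirit of its `-n` / `--neverignore` option. The rule table, the `scan` and `audit_suppressions` functions and the C sample are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Toy rule table (constructed for this example; a real scanner such as
# flawfinder ships a much larger database of risky calls).
RULES = {
    "strcpy": "unbounded copy; check lengths or use a bounded copy",
    "gets": "no length limit; use fgets",
    "sprintf": "unbounded format; use snprintf",
}

# Match a call to any rule function, e.g. "strcpy(" but not "strncpy(".
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
# Same-line suppression comment, in flawfinder's directive style.
IGNORE_RE = re.compile(r"//\s*Flawfinder:\s*ignore", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    func: str
    reason: str
    suppressed: bool  # True if the line carried an ignore directive


def scan(source: str, never_ignore: bool = False) -> list[Finding]:
    """Scan C source text for calls listed in RULES.

    Default mode honours the ignore directive and drops suppressed lines,
    which is what developers rely on for false positives. With never_ignore
    (the "ignore the ignores" mode), every hit is returned and suppressed
    ones are marked so a reviewer can see exactly what was silenced.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        # Only look at the code part of the line, so a function name that
        # merely appears inside a comment is not reported.
        code_part = line.split("//", 1)[0]
        m = CALL_RE.search(code_part)
        if not m:
            continue
        suppressed = IGNORE_RE.search(line) is not None
        if suppressed and not never_ignore:
            continue
        func = m.group(1)
        findings.append(Finding(line_no, func, RULES[func], suppressed))
    return findings


def audit_suppressions(source: str) -> list[Finding]:
    """Return only the findings that ignore directives hid: the list a
    release reviewer should re-check rather than trust blindly."""
    return [f for f in scan(source, never_ignore=True) if f.suppressed]


# Constructed C sample: one unsuppressed hit, two suppressed hits, and a
# safe call that must not be flagged.
SAMPLE = """\
#include <string.h>
void f(char *dst, const char *src) {
    strcpy(dst, src);                  /* no directive: always reported */
    strcpy(dst, src); // Flawfinder: ignore - reviewer claims lengths checked
    char buf[64];
    gets(buf); // Flawfinder: ignore
    snprintf(buf, sizeof buf, "%s", src);
}
"""

if __name__ == "__main__":
    print("default mode (ignores honoured):")
    for f in scan(SAMPLE):
        print(f"  line {f.line_no}: {f.func} - {f.reason}")
    print("never-ignore mode (what was silenced is marked):")
    for f in scan(SAMPLE, never_ignore=True):
        flag = " [SUPPRESSED]" if f.suppressed else ""
        print(f"  line {f.line_no}: {f.func}{flag} - {f.reason}")
```

Running the script shows the point of the thread: the default pass reports only line 3, while the never-ignore pass also surfaces lines 4 and 6 with a SUPPRESSED marker, and `audit_suppressions` gives a reviewer just that list to re-examine before release.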