Re: Secure code analysis

...i/PMD_(software)>tions, but so far my favourite is Coverity Scan <https://scan.coverity.com/travis_ci>. I've never used this product before, so I'm not exactly sure what to expect, but I guess anyone can kick off a scan of an open source project and get results within 48 hours. I was in the process of registering Metron to be scanned but I found some things in their scan user agreement which I wasn't sure everybody would be in line with (see below for the excerpts - note I did NOT read the entire document and IANAL).

Here's the TL;DR of what Coverity Scan is:

Coverity Scan <http://scan.coverity.com/> is a free static code analysis tool for Java, C, C++, C# and JavaScript.

This addon leverages the Travis-CI infrastructure to automatically run code analysis on your GitHub projects.

Coverity Scan is a service by which Coverity provides the results of analysis on open source coding projects to open source code developers that have registered their products with Coverity Scan.

Some examples of defects and vulnerabilities found by Coverity Quality Advisor include:

- resource leaks
- dereferences of NULL pointers
- incorrect usage of APIs
- use of uninitialized data
- memory corruptions
- buffer overruns
- control flow issues
- error handling issues
- incorrect expressions
- concurrency issues
- insecure data handling
- unsafe use of signed values
- use of resources that have been freed

Register your project with Coverity Scan by completing the project registration form found at scan.coverity.com. Upon your completion of project registration (including acceptance of the Scan User Agreement) and your receipt of confirmation of registration of your project, you will be able to download the Software required to submit a build of your code for analysis by Coverity Scan. You may then download the Software, complete a build and submit your Registered Project build for analysis and review in Coverity Scan. Coverity Scan is only available for use with open source projects that are registered with Coverity Scan.

Here are some interesting snippets from their scan user agreement:

Your use of our software is acceptance of our Terms <https://scan.coverity.com/policy>

You will not disassemble, decompile, reverse engineer, modify or create derivative works of Our Service, software products or documentation nor permit any third party to do so, except to the extent such restrictions are prohibited by applicable mandatory local law

You will not disclose to any third party any comparison of the results of operation of Our Service or software products with other services or products, except as expressly permitted by this Agreement

You will not publish any findings regarding or resulting from use of the Service or the Software

You agree that We may use Your name and logo (in a form approved by You) and Registered Product information to identify You and such project as a participant of Our Scan Program on Our website or in Our marketing or publicity materials or in any filings made in connection with state or federal securities laws.

Additionally, upon execution of this Agreement, the parties will use commercially reasonable efforts to issue mutually agreed upon joint press releases or other public communications announcing Your entry into this Agreement.

At Our written request, You will furnish Us with (a) a certification signed by an officer of Your company providing user or access information that identifies whether the Service and the Software is being used in accordance with the terms of this Agreement, and (b) log files from any License Manager. Upon at least thirty (30) days prior written notice, We may engage, at Our expense, an independent auditor to audit Your use of the Service and the Software to ensure that You are in compliance with the terms of this Agreement. ... You will provide the auditor with access to the relevant records and facilities.

Jon

On Fri, May 27, 2016 at 11:14 AM zeo...@gmail.com <zeo...@gmail.com> wrote:

There's nothing built-in with Travis, but we could install a tool to do this as part of the installation of tools on the build box. I'm gonna reach out to people in my local circle who specialize in secure code analysis and see what all of the options are.

Jon

On Fri, May 27, 2016 at 9:50 AM Nick Allen <n...@nickallen.org> wrote:

I completely agree that we will need some focus on this.

What could Travis do for us? I wasn't aware that they offered security scanning.

Are you aware of any security scan services that offer free support to open source projects?

On Fri, May 27, 2016 at 9:42 AM, zeo...@gmail.com <zeo...@gmail.com> wrote:

So I've never done anything like this before in Travis but I have done IDE plugins and pre-prod scans in the past at large companies which worked well. I floated the idea past a friend working at Travis and she said if we go that route she would assist.

I just think that if this is integrated from the beginning and fail builds on critical issues (to start), this could be a big differentiator, especially because we're talking about a security platform that centralizes tons of sensitive information, tries to parse almost anything that's thrown at it (think of what's been happening to AV products recently), and is open source for bad guys to dig into much more easily.

Jon

On Fri, May 27, 2016, 09:34 Nick Allen wrote:

I am not aware of any discussions around this, Jon. What are you thinking?

On Thu, May 26, 2016 at 4:35 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:

I was just wondering if there is any sort of static (or even dynamic) code analysis, or penetration testing/vulnerability assessment, occurring at any point on the metron code. Has there been any discussion of installing something along those lines on the Travis build server (if it isn't there already)?

Thanks,

Jon

--
Nick Allen

--
Jon

--
Nick Allen

---
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org

--
Jon

Sent from my mobile device

---
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org

--
Jon
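As an added example, not taken from the thread or from the Metron project, this is what the Travis-CI Coverity Scan addon Jon refers to looks like in a `.travis.yml`; the repository name, notification address and Maven build command are assumed placeholders, and the scan token is passed only as an encrypted Travis variable rather than committed in clear text.

```yaml
# Added example of the Travis-CI Coverity Scan addon configuration.
# Every value marked "assumed" is a placeholder, not a real Metron setting.
language: java

env:
  global:
    # COVERITY_SCAN_TOKEN, encrypted with `travis encrypt COVERITY_SCAN_TOKEN=<token>`
    # so the project's upload token never appears in the repository in clear text.
    - secure: "<output of travis encrypt goes here>"

addons:
  coverity_scan:
    project:
      name: "example-org/example-repo"            # assumed: GitHub owner/repo as registered
      description: "Build submitted via Travis CI"
    notification_email: scan-results@example.org  # assumed: where result mails go
    # The addon wraps this command with the Coverity build tool, so it must be
    # the real compile step (a no-op or cached build yields an empty analysis).
    build_command: "mvn -q -DskipTests package"   # assumed Maven build
    # Only pushes to this branch are submitted for analysis; ordinary CI builds
    # on other branches do not upload anything to Coverity.
    branch_pattern: coverity_scan

script:
  # Normal CI build and tests keep running on every branch.
  - mvn -q verify
```

Pull requests from forks do not receive encrypted variables on Travis, so a scan submission can only originate from the project's own `coverity_scan` branch.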