Aloha! I've been looking at Coverity Scan. Coverity supports open source projects by scanning their source code using their static code analysis tool. It seems that Coverity supports easy scanning for projects on GitHub. As far as I can see, we don't have a mirror of the GitHub repo on GitHub [1].

I've talked to Daniel "Curl" Stenberg. Curl is one of the projects that are scanned by Coverity and gets good feedback. The Curl project also runs the static code analysis tool scan-build on a daily basis [2]. Scan-build provides useful feedback and the reports are very readable. But the feedback from the Coverity tool is better.

The Curl project doesn't use Coverity Scan on GitHub, but runs the tool locally and submits the results. Something we should be able to do too (unless we want to create a mirror on GitHub). According to Daniel, getting your project accepted for Coverity Scan is easy.

https://scan.coverity.com/

Another scan service for OSS is Google OSS-Fuzz:

https://github.com/google/oss-fuzz

According to Daniel, this service is really good at finding bugs. OSS-Fuzz is more elaborate to set up. And since Cryptech is both SW and HW, fuzzing may be hard to do well unless the real HW is present. Also, Cryptech may not (yet) qualify: "To be accepted to OSS-Fuzz, an open-source project must have a significant user base and/or be critical to the global IT infrastructure."

I think we should try and get Coverity Scan up and running for Cryptech. And scan-build. Should we also create a mirror repo at GitHub?

Yours
JoachimS

[1] The "cryptech" user name has been taken for a few years by someone who has yet to commit anything. Names like "cryptech-project" are not taken (yet). Also I found this weird fork of Cryptech: https://github.com/cryptotronix/hsm-fpga

[2] scan-build. Part of clang/llvm. So far it only works on a per-file basis, which means that it can't catch function call misuse, but also that bad paths it finds can never trigger due to the way a function is in fact used. So more false positives.
https://clang-analyzer.llvm.org/
https://clang-analyzer.llvm.org/scan-build.html
I've used scan-build in other projects. The setup/usage is super easy.
--
With kind regards, Yours
Joachim Strömbergson
========================================================================
Assured AB
========================================================================
_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech
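The per-file limitation described in footnote [2] has a practical consequence for the code being scanned: an error path that the real callers in other files never trigger is still a path the analyzer reports, because it cannot see those callers. The example below is added here to illustrate that point; it is not code from the original mail, from Curl or from the Cryptech code base. The key store, the slot layout and every function name are hypothetical, and the key bytes are a constructed pattern. It contrasts a function that relies on callers elsewhere validating the slot index with one that checks the precondition where the value is used, so that the "impossible" path is provably unreachable within the file itself and a caller bug fails cleanly instead of corrupting memory.

```c
/* Added example, not from the original mail or the Cryptech code base.
 * Shows why a per-file analyzer reports paths the author "knows" are
 * dead, and how checking the precondition locally removes both the
 * report and the latent bug. All names are hypothetical; the key store
 * holds constructed sample bytes, not key material. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_SLOTS 4
#define KEY_BYTES 32

/* Hypothetical key store, filled with a constructed byte pattern. */
static uint8_t key_store[KEY_SLOTS][KEY_BYTES];

void init_sample_store(void)
{
    for (int s = 0; s < KEY_SLOTS; s++)
        for (int i = 0; i < KEY_BYTES; i++)
            key_store[s][i] = (uint8_t)(s * 16 + i);
}

/* Byte length of a key slot, or -1 for a slot that does not exist. */
static int key_slot_len(int slot)
{
    if (slot < 0 || slot >= KEY_SLOTS)
        return -1;
    return KEY_BYTES;
}

/* "Before": every caller (in other files) validates slot first, so the
 * author treats the -1 path as one that "can never trigger". An analyzer
 * that only sees this file cannot know that: -1 flows into the cast and
 * into memcpy, and the path is reported. The function is only as safe
 * as an assumption that lives outside this translation unit. */
size_t export_key_unchecked(int slot, uint8_t *out)
{
    int len = key_slot_len(slot);
    memcpy(out, key_store[slot], (size_t)len);
    return (size_t)len;
}

/* "After": the precondition is enforced where the value is used. The
 * bad path is now unreachable within this file, so a per-file analyzer
 * has nothing to report, and a future caller bug becomes a clean 0
 * return instead of an out-of-bounds copy. Returns bytes written. */
size_t export_key_checked(int slot, uint8_t *out, size_t out_len)
{
    int len = key_slot_len(slot);
    if (len < 0 || out == NULL || out_len < (size_t)len)
        return 0;
    memcpy(out, key_store[slot], (size_t)len);
    return (size_t)len;
}

/* Exercises both versions on valid input, and the checked version on
 * the arguments the unchecked one must never receive. Returns 1 on
 * success, 0 on the first mismatch. */
int run_demo(void)
{
    uint8_t buf[KEY_BYTES];
    init_sample_store();

    if (export_key_unchecked(1, buf) != KEY_BYTES || buf[0] != 16 || buf[31] != 47)
        return 0;
    memset(buf, 0, sizeof buf);
    if (export_key_checked(2, buf, sizeof buf) != KEY_BYTES || buf[0] != 32 || buf[31] != 63)
        return 0;
    if (export_key_checked(KEY_SLOTS, buf, sizeof buf) != 0)   /* slot out of range */
        return 0;
    if (export_key_checked(-1, buf, sizeof buf) != 0)          /* negative slot */
        return 0;
    if (export_key_checked(0, buf, KEY_BYTES - 1) != 0)        /* buffer too small */
        return 0;
    return 1;
}

int main(void)
{
    int ok = run_demo();
    printf("%s\n", ok ? "all checks passed" : "check failed");
    return ok ? 0 : 1;
}
```

The same pattern applies to the Coverity workflow Daniel describes: whichever tool runs, a report that the team dismisses as "can't happen" is cheapest to silence by making the contract explicit in the code, which also leaves a check in place for the day a new caller does pass the bad value.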