Aloha!

On 2018-10-09 11:49, Peter Gutmann wrote:
> Getting set up for Coverity is actually pretty easy, you just sign up,
> download their scan tool to wherever your code is, run it, and upload the
> results to Coverity. Their web-based dashboard is a bit painful to use, but
> apart from that the process is pretty straightforward. I can provide notes on
> how to do it if it's useful.

I'm setting it up right now. If I fail, I'd be happy to look at the
notes. Based on the instructions it seems to be as you say, straightforward.

> Not sure how useful OSS-Fuzz is, there's a lot of initial config and setup you
> need to do and I found it easier to just run AFL directly on my code. If it's
> a library, you can use libFuzzer and honggfuzz as well, the two are fairly
> easily interchangeable.

Starting to fuzz at all is really what I think we should aim for at this
point. I've used AFL before and will look at using it for cryptech. The
big benefit of OSS-Fuzz as I see it is the significant amount of
non-artificial intelligence doing analysis of findings.

Good comments, thanks!

--
Med vänlig hälsning, Yours
Joachim Strömbergson
========================================================================
Assured AB
========================================================================
