I was wondering if Google runs automated static analysis tools and/or vulnerability scanners on native (C/C++) code?
I assume FindBugs is run against Java code.
Does anyone know if Coverity is still scanning open source (http://www.coverity.com/html/press_story54_01_08_08.html)? A few of the projects were also external projects for Android, but I don't have a feel for how many might have benefited the system on target devices directly.
I just learned about static code analysis in school and am interested to hear if anyone has any details on how it is being used with the Android OS, and how it is being used with apps before, or after, they go to market.
On Wed, Aug 18, 2010 at 8:48 AM, Dan Hein <dhein1...@gmail.com> wrote:
> I was wondering if Google runs automated static analysis tools and/or
> vulnerability scanners on native (C/C++) code?
> I assume FindBugs is run against Java code.
> Does anyone know if Coverity is still scanning open source
> (http://www.coverity.com/html/press_story54_01_08_08.html)? A few of the
> projects were also external projects for Android, but I don't have a feel
> for how many might have benefited the system on target devices directly.
> Thanks,
> Dan
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> android-security-discuss@googlegroups.com.
> To unsubscribe from this group, send email to
> android-security-discuss+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
If you look inside the build configuration, you will see make targets for findbugs. All you have to do is put findbugs in the correct directory, then do a 'make findbugs'.
I was more interested in scanning tools for C and C++ as there does not seem to be a FOSS alternative.
On Wed, Aug 18, 2010 at 12:00 PM, Manfred Moser <mosa...@gmail.com> wrote:
> Good question. I would love to have access to a Findbugs configuration
> that is suitable for scanning Android app code.
>
> On Wed, Aug 18, 2010 at 8:48 AM, Dan Hein <dhein1...@gmail.com> wrote:
>> I was wondering if Google runs automated static analysis tools and/or
>> vulnerability scanners on native (C/C++) code?
>> I assume FindBugs is run against Java code.
>> Does anyone know if Coverity is still scanning open source
>> (http://www.coverity.com/html/press_story54_01_08_08.html)? A few of the
>> projects were also external projects for Android, but I don't have a feel
>> for how many might have benefited the system on target devices directly.
>> Thanks,
>> Dan
> If you look inside the build configuration, you will see make targets
> for findbugs. All you have to do is put findbugs in the correct
> directory, then do a 'make findbugs'.

^-- Findbugs is an excellent tool for Java bytecode static analysis. However, Java source code analysers are a great addition, too. We successfully combine findbugs and checkstyle (checkstyle.sf.net); JChord seems to be promising - read "distinctive enough" - but it seems to be far from useful deployment yet.

Btw, how is findbugs used, when Android does not have Java bytecode, only source code? :-)

> I was more interested in scanning tools for C and C++ as there does
> not seem to be a FOSS alternative.

^-- Well, the root cause is that it is _much_ easier to analyse Java code than C code - macros and preprocessor options alone [working on the textual level] make any semantic analysis impossible. Anyhow, we find the 'flawfinder' tool to be useful for C code.
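To make the last two points concrete (what a lexical C checker such as flawfinder actually does, and why the preprocessor gets in its way), here is an added example; it is not code from this thread or from the flawfinder project. It scans C source for calls to a small table of risky functions, ignoring comments and string literals, and goes one step beyond a purely lexical tool by resolving a single level of `#define` expansion so a call hidden behind a macro is still reported at its use site. The rule table (risk levels and advice) and the sample C source are constructed for illustration and are not flawfinder's database.

```python
"""Minimal flawfinder-style lexical checker for C (added example, not flawfinder)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample C source (not from the thread). It hides one risky call
# behind a macro: the use site on line 8 contains no "strcpy" token at all.
SAMPLE_C = r"""
#include <string.h>
#include <stdio.h>
#define COPY_NAME(dst, src) strcpy((dst), (src))   /* textual substitution */

void greet(const char *name) {
    char buf[32];
    COPY_NAME(buf, name);          /* strcpy reached only via the macro */
    sprintf(buf, "hi %s", name);   /* direct risky call */
    printf("%s\n", buf);           /* benign */
}
"""

# Rule table, function -> (risk level 1-5, advice). Levels and advice are
# illustrative assumptions, not flawfinder's own ruleset.
RULES: Dict[str, Tuple[int, str]] = {
    "gets":    (5, "unbounded read; use fgets with a size"),
    "strcpy":  (4, "no bounds check; use snprintf or strlcpy"),
    "strcat":  (4, "no bounds check; use snprintf or strlcat"),
    "sprintf": (4, "no bounds check; use snprintf"),
    "scanf":   (4, "use a field width or a bounded alternative"),
}

@dataclass(frozen=True)
class Hit:
    line: int    # 1-based source line
    func: str    # risky function that is actually reached
    via: str     # "" for a direct call, else the macro that hides it
    level: int
    advice: str

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)(\([^)]*\))?\s*(.*)$")

def _strip_comments(src: str) -> str:
    # Keep the newlines a comment spanned so line numbers stay correct.
    return COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), src)

def _risky_macros(lines: List[str], rules: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Map macro name -> risky function its body calls (one expansion level only)."""
    table: Dict[str, str] = {}
    for line in lines:
        m = DEFINE_RE.match(line)
        if not m:
            continue
        body = STRING_RE.sub('""', m.group(3))
        for call in CALL_RE.findall(body):
            if call in rules:
                table[m.group(1)] = call
                break
    return table

def find_risky_calls(src: str, rules: Dict[str, Tuple[int, str]] = RULES) -> List[Hit]:
    """Return hits sorted by descending risk level, then by line number."""
    lines = _strip_comments(src).split("\n")
    macros = _risky_macros(lines, rules)
    hits: List[Hit] = []
    for lineno, raw in enumerate(lines, start=1):
        line = STRING_RE.sub('""', raw)        # ignore "calls" inside string literals
        in_define = DEFINE_RE.match(line) is not None
        for call in CALL_RE.findall(line):
            if call in rules:                   # direct call, or the macro body itself
                level, advice = rules[call]
                hits.append(Hit(lineno, call, "", level, advice))
            elif call in macros and not in_define:   # use of a macro wrapping a risky call
                func = macros[call]
                level, advice = rules[func]
                hits.append(Hit(lineno, func, call, level, advice))
    return sorted(hits, key=lambda h: (-h.level, h.line))

def report(src: str) -> str:
    """Human-readable report, one line per hit."""
    out = []
    for h in find_risky_calls(src):
        where = f"{h.func} (via macro {h.via})" if h.via else h.func
        out.append(f"line {h.line}: [{h.level}] {where}: {h.advice}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_C))
```

Running it on the sample reports the `strcpy` inside the `#define` on line 4, the same `strcpy` reached through `COPY_NAME` on line 8, and the direct `sprintf` on line 9, while `printf` and the string literals are left alone. The limitation is exactly the one the message above describes: a macro whose body is just a bare function name, a call assembled by token pasting, or anything that depends on `#ifdef` branches still slips through, because the scanner works on text rather than on the compiled translation unit.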