Include a Static Code Analyzer in the Software Lifecycle


TheZero

Nov 5, 2016, 6:46:33 AM
to KeePassX Reboot
Hello everybody.

I think that we need to include a Static Code Analyzer in the software lifecycle.
What are the benefits of SCA?
They analyze static code in search of flaws, security problems and other bugs.
When developing a security program like a password manager this is a (very) good thing to do.
This will not detect every vulnerability in your program, but it can help fix some.

The best known is flawfinder (http://www.dwheeler.com/flawfinder/ http://freecode.com/projects/flawfinder) and it's already in most distros' repositories.
I attach the flawfinder report on the current feature/autotype-delay-#76 branch.
PS: some flaws are false positives and can be hidden with a comment in the code like the following, so every "ignore" must be argued with a comment in the code specifying why it can be ignored:
/* Flawfinder: ignore */

How can we add it to the software lifecycle?
Some ideas:
 - Maintainers and contributors, when reviewing a pull request, perform a scan and post the result in the review
 - Developers who post a pull request must add a link to a Gist or a Pastebin with the result of the scan
 - Maintainers, before every release, perform a scan and fix problems before the release (this will leave flaws in the development code from one release to the next)

Opinions?
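To make the ideas above concrete, here is an added example of a review gate, written for this page and not code from KeePassX Reboot or from the flawfinder project. It parses a flawfinder `--csv` report, blocks on any hit at or above a chosen level, and enforces the rule from the post that every "Flawfinder: ignore" must come with a written reason. Assumptions not in the original: the CSV report exposes at least the columns File, Line, Level and Name (other columns are ignored, so version differences in the header do not matter); a justification counts as present when the comment holding the directive contains at least three words besides the directive; MIN_LEVEL, REQUIRED_WORDS, the function names, and both sample inputs are constructed for illustration.

```python
"""Review gate for flawfinder reports (added example, not project code).

Assumptions (not from the original post):
  - flawfinder --csv output has at least the columns File, Line, Level, Name.
  - An ignore directive is justified when its comment carries at least
    REQUIRED_WORDS words besides "Flawfinder: ignore" itself.
  - This script only inspects the comments; it does not re-implement
    flawfinder's scanner.
"""
import csv
import io
import re
import shutil
import subprocess

MIN_LEVEL = 3        # hits at this level or higher block the review (assumed policy)
REQUIRED_WORDS = 3   # minimum words of justification next to an ignore directive

IGNORE_RE = re.compile(r"Flawfinder:\s*ignore", re.IGNORECASE)

# Constructed sample of flawfinder --csv output (illustrative, not a real run).
SAMPLE_CSV = """\
File,Line,Column,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint
src/core/Entry.cpp,118,9,4,buffer,strcpy,"Does not check for buffer overflows when copying to destination (CWE-120).","Consider using snprintf or strlcpy.",,CWE-120,"    strcpy(dst, src);",a1
src/core/Tools.cpp,40,5,2,buffer,char,"Statically-sized arrays can be improperly restricted (CWE-119).","Perform bounds checking.",,"CWE-119!/CWE-120","    char buf[64];",b2
"""

# Constructed C++ snippet: line 5 has a bare ignore, line 6 a justified one.
SAMPLE_SOURCE = """\
#include <cstdio>
#include <cstring>
void copyName(char* dst, const char* src, size_t n) {
    if (std::strlen(src) >= n) return;
    std::strcpy(dst, src); /* Flawfinder: ignore */
    char buf[64]; /* Flawfinder: ignore -- fixed size, only written via snprintf below */
    std::snprintf(buf, sizeof buf, "%s", src);
}
"""


def parse_report(csv_text):
    """Return the hits from a flawfinder CSV report, with Line and Level as ints."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Line"] = int(row["Line"])
        row["Level"] = int(row["Level"])
        hits.append(row)
    return hits


def hits_at_or_above(hits, min_level):
    """Hits severe enough to block, highest level first."""
    return sorted((h for h in hits if h["Level"] >= min_level), key=lambda h: -h["Level"])


def justification_words(line):
    """Words in the comment holding an ignore directive; None if the line has no directive."""
    m = IGNORE_RE.search(line)
    if m is None:
        return None
    # The comment starts at the last '/*' or '//' before the directive.
    start = max(line.rfind("/*", 0, m.start()), line.rfind("//", 0, m.start()))
    comment = line[start:] if start >= 0 else line[m.start():]
    comment = IGNORE_RE.sub(" ", comment)
    for token in ("/*", "*/", "//"):
        comment = comment.replace(token, " ")
    return re.findall(r"[A-Za-z]{2,}", comment)


def find_unjustified_ignores(source_text, required_words=REQUIRED_WORDS):
    """1-based line numbers whose ignore directive lacks a written reason."""
    bad = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        words = justification_words(line)
        if words is not None and len(words) < required_words:
            bad.append(lineno)
    return bad


def gate(report_csv, sources, min_level=MIN_LEVEL, required_words=REQUIRED_WORDS):
    """Problems that should block a merge or release; an empty list means pass."""
    problems = []
    for h in hits_at_or_above(parse_report(report_csv), min_level):
        problems.append(f"{h['File']}:{h['Line']}: level {h['Level']} hit on {h['Name']}")
    for path, text in sources.items():
        for lineno in find_unjustified_ignores(text, required_words):
            problems.append(f"{path}:{lineno}: 'Flawfinder: ignore' without a justification")
    return problems


def run_flawfinder(paths):
    """Run flawfinder with CSV output if it is installed; otherwise return None."""
    exe = shutil.which("flawfinder")
    if exe is None:
        return None
    proc = subprocess.run([exe, "--csv", "--quiet", *paths],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Falls back to the constructed sample when flawfinder is not on PATH.
    report = run_flawfinder(["src"]) or SAMPLE_CSV
    for problem in gate(report, {"src/example.cpp": SAMPLE_SOURCE}):
        print(problem)
```

In a pull-request check the sources dict would be filled from the changed files, so a bare `/* Flawfinder: ignore */` fails the review while the ignore that states its reason passes; the level threshold does the same job as flawfinder's own `--minlevel` option, but keeping it in the gate lets the policy live in one place.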

droidmonkey

Nov 5, 2016, 4:20:56 PM
to KeePassX Reboot
Great idea. We use HP Fortify at work and it cleaned up our C code tremendously. Luckily, with Qt you don't have much opportunity to make rookie mistakes, but it's certainly not impossible.

TheZero

Nov 6, 2016, 11:46:43 AM
to KeePassX Reboot
We should implement this with CMake, like the coverage tests! https://github.com/keepassxreboot/keepassxc/wiki/Building-and-viewing-test-coverage-results

I think flawfinder is one of the best open source ones and is available in most distro repositories. Anyway, using more than one is fine with me.