[Cryptech Tech] Coverity Scan

Joachim Strömbergson joachim at assured.se
Tue Oct 9 09:19:29 UTC 2018


Aloha!

I've been looking at Coverity Scan. Coverity supports open source
projects by scanning their source code using their static code analysis
tool. It seems that Coverity supports easy scanning for projects on
Github. As far as I can see, we don't have a mirror of the Github repo
on Github [1].

I've talked to Daniel "Curl" Stenberg. Curl is one of the projects that
are scanned by Coverity and gets good feedback. The Curl project also runs
the static code analysis tool scan-build on a daily basis [2].
Scan-build provides useful feedback and the reports are very readable.
But the feedback from the Coverity tool is better.

The Curl project doesn't use Coverity Scan on github, but runs the tool
locally and submits results. Something we should be able to do too (unless
we want to create a mirror on github).

According to Daniel, getting your project accepted for Coverity Scan is
easy.

https://scan.coverity.com/


Another scan-service for OSS is Google OSS-Fuzz:
https://github.com/google/oss-fuzz

According to Daniel, this service is really good at finding bugs.
OSS-Fuzz is more elaborate to set up. And since Cryptech is both SW and
HW, fuzzing may be hard to do well unless the real HW is present. Also,
Cryptech may not (yet) qualify:

"To be accepted to OSS-Fuzz, an open-source project must have a
significant user base and/or be critical to the global IT infrastructure."


I think we should try and get Coverity Scan up and running for Cryptech.
And scan-build. Should we also create a mirror repo at Github?

Yours
JoachimS


[1] The "cryptech" user name has been taken for a few years by someone
who has yet to commit anything. Names like "cryptech-project" are not
taken (yet). Also I found this weird fork of Cryptech:

https://github.com/cryptotronix/hsm-fpga


[2] scan-build. Part of clang/llvm. So far it only works on a per-file
basis, which means that it can't catch function call misuse, but also
that bad paths found can never trigger due to the way a function is in
fact used. So more false positives.

https://clang-analyzer.llvm.org/
https://clang-analyzer.llvm.org/scan-build.html

I've used scan-build in other projects. The setup/usage is super easy.

-- 
Kind regards, Yours

Joachim Strömbergson
========================================================================
                               Assured AB
========================================================================
