[Cryptech Tech] Coverity Scan

Joachim Strömbergson joachim at assured.se
Tue Oct 9 12:01:55 UTC 2018


Aloha!


On 2018-10-09 11:49, Peter Gutmann wrote:
> Getting set up for Coverity is actually pretty easy, you just sign up,
> download their scan tool to wherever your code is, run it, and upload the
> results to Coverity.  Their web-based dashboard is a bit painful to use, but
> apart from that the process is pretty straightforward.  I can provide notes on
> how to do it if it's useful.

I'm setting it up right now. If I fail, I'd be happy to look at the
notes. Based on the instructions it seems to be as you say, straightforward.


> Not sure how useful OSS-Fuzz is, there's a lot of initial config and setup you
> need to do and I found it easier to just run AFL directly on my code.  If it's
> a library, you can use libFuzzer and honggfuzz as well, the two are fairly
> easily interchangeable.

Starting to fuzz at all is really what I think we should aim for at this
point. I've used AFL before and will look at using it for cryptech. The
big benefit of OSS-Fuzz as I see it is the significant amount of
non-artificial intelligence doing analysis of findings.


Good comments, thanks!

-- 
With kind regards, Yours

Joachim Strömbergson
========================================================================
                               Assured AB
========================================================================
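The quoted remark that libFuzzer and honggfuzz are "fairly easily interchangeable" for a library rests on both tools driving the same entry point, LLVMFuzzerTestOneInput. The harness below is an added example, not Cryptech code and not from either poster: the tag-length-value parser is a constructed stand-in for whatever library function you want to fuzz, and the build commands in the comments are the usual ones for each tool (clang -fsanitize=fuzzer for libFuzzer, hfuzz-clang for honggfuzz) rather than anything the thread specifies.

```c
/* Added example (not Cryptech code): one fuzz entry point that both
 * libFuzzer and honggfuzz can drive.
 *
 *   libFuzzer:  clang -g -fsanitize=fuzzer,address harness.c -o harness
 *               ./harness corpus/
 *   honggfuzz:  hfuzz-clang -g -fsanitize=address harness.c -o harness
 *               honggfuzz -i corpus/ -- ./harness
 *
 * Both tools supply their own main() and call LLVMFuzzerTestOneInput()
 * repeatedly with mutated inputs, so the harness source is identical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical target: parse one tag-length-value record.
 * Layout: 1 byte tag, 1 byte length, then `length` bytes of value.
 * Returns 0 and fills tag/out/out_len on success, -1 on malformed input. */
#define TLV_MAX_VALUE 64

int parse_tlv(const uint8_t *buf, size_t len,
              uint8_t *tag, uint8_t *out, size_t *out_len)
{
    if (buf == NULL || len < 2)
        return -1;                      /* header does not fit */
    size_t vlen = buf[1];
    if (vlen > TLV_MAX_VALUE)
        return -1;                      /* bound the copy before touching out[] */
    if (len < 2 + vlen)
        return -1;                      /* declared length exceeds the input */
    *tag = buf[0];
    memcpy(out, buf + 2, vlen);
    *out_len = vlen;
    return 0;
}

/* Convenience wrapper: parse status only, for quick checks of a given input. */
int tlv_status(const uint8_t *buf, size_t len)
{
    uint8_t tag;
    uint8_t value[TLV_MAX_VALUE];
    size_t value_len;
    return parse_tlv(buf, len, &tag, value, &value_len);
}

/* The shared fuzz entry point. Must accept any byte string, must not
 * retain pointers into `data`, and must always return 0. A crash or a
 * sanitizer report inside parse_tlv() is what the fuzzer is looking for. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)tlv_status(data, size);
    return 0;
}

/* Stand-alone replay: feed one file (e.g. a saved crash input) through the
 * entry point without either fuzzer attached, for debugging a finding. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    LLVMFuzzerTestOneInput(buf, n);
    printf("replayed %zu bytes, status %d\n", n, tlv_status(buf, n));
    return 0;
}
```

The main() is only for replaying a single input by hand; when linking against libFuzzer or building with hfuzz-clang the fuzzer's own main() takes over, which is why the parser logic lives entirely in functions the entry point calls rather than in main().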
