gnustep-dev

Re: Coverity Scan for GNUstep?


From: Richard Frith-Macdonald
Subject: Re: Coverity Scan for GNUstep?
Date: Mon, 15 Jan 2018 11:24:51 +0000


> On 14 Jan 2018, at 18:54, Fred Kiefer <address@hidden> wrote:
> 
> I remember we talked about this before, maybe at the Dublin meeting. There is 
> the option to set up GNUstep on scan.coverity.com to have the code 
> automatically checked for known vulnerabilities. At the time we did discuss 
> this there wasn’t support for Objective-C but this seems to have been added: 
> 
> https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/CWE-CC-Objective-C.pdf
> 
> What are your opinions on this? In the beginning it will require some extra 
> effort to fix the found weaknesses and somehow to flag the false positives. 
> And who should be in charge of getting the reports? The idea here is that 
> only the person registered for the project will get the report to prevent 
> 0-day issues becoming public too soon.

I don't know anything about Coverity (I'd forgotten that we talked about it), 
but I'm in favour of any automated checks/testing in principle.  It must be 
worth trying ... as long as we don't get so many false positives that it's just 
too much work.  Presumably the only way to know is to try.
