[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] QEMU CII Best Practices record
|
From: |
Stefan Hajnoczi |
|
Subject: |
Re: [Qemu-devel] QEMU CII Best Practices record |
|
Date: |
Mon, 23 Oct 2017 19:31:52 +0200 |
|
User-agent: |
Mutt/1.9.1 (2017-09-22) |
On Fri, Oct 13, 2017 at 02:25:07PM +0100, Daniel P. Berrange wrote:
> Many projects these days are recording progress wrt CII best practices
> for FLOOS projects. I filled out a record for QEMU:
>
> https://bestpractices.coreinfrastructure.org/projects/1309
>
> I only looked at the 'Passing' criteria, not considered the 'Silver' and
> 'Gold' criteria. So if anyone else wants to contribute, register an
> account there and tell me the username whereupon I can add you as a
> collaborator.
>
> Two items I don't think QEMU achieves for the basic "Passing" criteria
>
> - The release notes MUST identify every publicly known vulnerability
> that is fixed in each new release.
>
> I don't see a list of CVEs mentioned in our release Changelogs or
> indeed a historic list of CVEs anywhere even outside the release
> notes ?
>
> - It is SUGGESTED that if the software produced by the project includes
> software written using a memory-unsafe language (e.g., C or C++), then
> at least one dynamic tool (e.g., a fuzzer or web application scanner)
> be routinely used in combination with a mechanism to detect memory
> safety problems such as buffer overwrites.
>
> NB this is not 'coverity' which falls under the 'static anlaysis'
> group. I'm unclear if anyone in the community does regular fuzzing
> or analysis with ASAN & equiv ?
I'm not aware of automated ASAN or Valgrind runs although developers
tend to run them in ad-hoc fashion during development.
Stefan