[vox] Coverity Scan tool for secure software dev

Wes Hardaker wjhns156 at hardakers.net
Tue Apr 22 15:12:20 PDT 2008


>>>>> On Tue, 22 Apr 2008 11:30:05 -0700, Alex Mandel <tech_dev at wildintellect.com> said:

AM> Anyone have any experience with Scan from Coverity?

AM> Basic idea as I read it, scan your source code for known common 
AM> programming errors that lead to security issues. They offer up results 
AM> for FOSS projects for free.
AM> http://scan.coverity.com/index.html

AM> Looks like it would be an interesting talk, anyone have a contact on 
AM> this project since it's associated with Stanford?

Actually, I've used it quite a bit.  Net-SNMP (a project I started) was
an early target as one of the initial projects they strapped into the
system.

In real quick summary, I love Coverity's output and code browser and
error reporter.  It's quite good at pointing out "little tiny things".
However, because it reports everything under the sun as a potential
problem, 99% of the things it points out may be situations that would
never occur.  It does a great job of enforcing good practice coding
(even when you don't want to handle those "this'll never happen"
situations).

That being said, Net-SNMP fell out of their scan system about the time
we switched from CVS to SVN and I've had a heck of a time contacting
them to get us reinstated.  (I can still log in and browse the output
from our last good run, but that was quite a while ago at this point).

I actually tried to get our DNSSEC-Tools project instated into the scan
system as well, but we (Coverity and us) fell into a problem of getting
it to compile on their older systems.  They use netbsd3 (I think) and
FC6 (might have been older) and if your system doesn't compile on one
of those older releases you're out of luck.  Eventually they're supposed
to migrate their build system to something newer, but last I heard they
still hadn't.

-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett