cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Animesh Chaturvedi <animesh.chaturv...@citrix.com>
Subject RE: Static Analysis Tools
Date Tue, 20 Nov 2012 20:15:32 GMT
John

Agreed to your points on limiting exposure to security vulnerability but Coverity is not known
for security analysis. I am not advocating any tool in particular the intent is more to catch
bugs early on.

Thanks
Animesh

-----Original Message-----
From: John Kinsella [mailto:jlk@stratosec.co] 
Sent: Tuesday, November 20, 2012 11:53 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Static Analysis Tools

Allow me to clarify my previous statement - Fortify has such a program, as well, and they've
given me a license to scan ACS for this purpose.

What you run into with this, is i don't think you want a security scanner as part of the build
process for several reasons:
 * They're slow.
 * Unless a human reviews the results, they're pretty much useless. So you've just burning
CPU cycles.
 * If an issue is found, I don't think we want it publicly available on something like Jenkins,
but to be reviewed and handled by a security team (which for now is the PPMC) and then announce
it in a controlled manner.

Happy to discuss these points at any level of detail, or add people to the security team if
there's interest. :)

John
ps we've been meaning to have a security discussion on the list, I suspect this thread will
accelerate that...

On Nov 20, 2012, at 11:39 AM, Animesh Chaturvedi <animesh.chaturvedi@citrix.com>
 wrote:

> I have used Coverity in the past for commercial projects with very 
> good success.  I did a quick google search and looks like Coverity has 
> a program for open source software quality which can potentially 
> leveraged for CloudStack. Here is the link 
> http://scan.coverity.com/getting-started.html
> 
> 
> -----Original Message-----
> From: John Kinsella [mailto:jlk@stratosec.co]
> Sent: Tuesday, November 20, 2012 11:12 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Static Analysis Tools
> 
> Additionally I (and others) run ACS through Fortify Source Code Analyzer. Personally
I think findbugs is a bit of a toy, but anything helps...
> 
> John
> 
> On Nov 20, 2012, at 10:44 AM, David Nalley <david@gnsa.us>
> wrote:
> 
>> On Tue, Nov 20, 2012 at 1:36 PM, Animesh Chaturvedi 
>> <animesh.chaturvedi@citrix.com> wrote:
>>> 
>>> Folks
>>> 
>>> I want to get your opinion on using static analysis tools like PMD 
>>> for CloudStack to catch some of the bugs early on. Maven has a 
>>> plugin for PMD  http://maven.apache.org/plugins/maven-pmd-plugin/
>>> 
>>> Thanks
>>> Animesh
>> 
>> So we have Sonar (analysis.apache.org) sorta in place - doesn't mean 
>> we can't do something else, but this exists.
>> https://analysis.apache.org/dashboard/index/100206
>> 
>> --David
>> 
> 
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella
> 
> 

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella


Mime
View raw message