incubator-cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: Static Analysis Tools
Date Fri, 07 Dec 2012 20:06:02 GMT
Yes.  https://my.fortifyondemand.com/login.jsp ;)

For those who want to become part of the ACS security team, contact the PPMC.  We don't have
a formal process to accept new members, but I do want to manage who has access in case of
sensitive info in the future.


Stratosec (http://stratosec.co/) - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella (http://twitter.com/johnlkinsella)

On Dec 4, 2012, at 10:34 AM, Demetrius Tsitrelis <Demetrius.Tsitrelis@citrix.com> wrote:

At the conference you showed a URL with the results.  Is that publicly available?

-----Original Message-----
From: John Kinsella [mailto:jlk@stratosec.co]
Sent: Tuesday, November 20, 2012 11:53 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Static Analysis Tools

Allow me to clarify my previous statement - Fortify has such a program, as well, and they've
given me a license to scan ACS for this purpose.

What you run into with this is I don't think you want a security scanner as part of the build
process for several reasons:
* They're slow.
* Unless a human reviews the results, they're pretty much useless. So you're just burning
CPU cycles.
* If an issue is found, I don't think we want it publicly available on something like Jenkins,
but to be reviewed and handled by a security team (which for now is the PPMC) and then announce
it in a controlled manner.

Happy to discuss these points at any level of detail, or add people to the security team if
there's interest. :)

John
ps we've been meaning to have a security discussion on the list, I suspect this thread will
accelerate that...

On Nov 20, 2012, at 11:39 AM, Animesh Chaturvedi <animesh.chaturvedi@citrix.com> wrote:

I have used Coverity in the past for commercial projects with very
good success.  I did a quick Google search and it looks like Coverity has
a program for open source software quality which can potentially be
leveraged for CloudStack. Here is the link:
http://scan.coverity.com/getting-started.html


-----Original Message-----
From: John Kinsella [mailto:jlk@stratosec.co]
Sent: Tuesday, November 20, 2012 11:12 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Static Analysis Tools

Additionally I (and others) run ACS through Fortify Source Code Analyzer. Personally I think
findbugs is a bit of a toy, but anything helps...

John

On Nov 20, 2012, at 10:44 AM, David Nalley <david@gnsa.us>
wrote:

On Tue, Nov 20, 2012 at 1:36 PM, Animesh Chaturvedi
<animesh.chaturvedi@citrix.com> wrote:

Folks

I want to get your opinion on using static analysis tools like PMD
for CloudStack to catch some of the bugs early on. Maven has a
plugin for PMD: http://maven.apache.org/plugins/maven-pmd-plugin/

Thanks
Animesh

So we have Sonar (analysis.apache.org) sorta in place - doesn't mean
we can't do something else, but this exists.
https://analysis.apache.org/dashboard/index/100206

--David

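For readers who want to try Animesh's PMD suggestion while respecting John's objection to slow, always-on scanners in the default build, here is a Maven fragment added to this archive page as an illustration; it is not from CloudStack's own pom.xml or from any of the posters. It keeps maven-pmd-plugin out of the normal `mvn verify` run by gating it behind a profile, and it lets lower-priority findings accumulate in the report for a human to review rather than failing the build on all of them. The plugin version, the profile id `static-analysis`, the Java target level, the ruleset list and the excluded directory are assumptions chosen for the example.

```xml
<!-- Added example, not CloudStack's pom.xml. Version 3.0.1, the profile id,
     targetJdk 1.6, the rulesets and the excludeRoot entry are assumptions. -->
<project>
  <profiles>
    <profile>
      <!-- Nothing here runs unless the profile is selected, so the ordinary
           build stays as fast as it is today. -->
      <id>static-analysis</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-pmd-plugin</artifactId>
            <version>3.0.1</version>
            <configuration>
              <targetJdk>1.6</targetJdk>
              <rulesets>
                <ruleset>/rulesets/java/basic.xml</ruleset>
                <ruleset>/rulesets/java/unusedcode.xml</ruleset>
                <ruleset>/rulesets/java/imports.xml</ruleset>
              </rulesets>
              <!-- Fail only on priority 1 and 2 findings. Priorities 3-5 are
                   still written to target/pmd.xml for someone to read; they
                   never break the build on their own. -->
              <failurePriority>2</failurePriority>
              <failOnViolation>true</failOnViolation>
              <!-- Generated code produces noise nobody will triage. -->
              <excludeRoots>
                <excludeRoot>target/generated-sources</excludeRoot>
              </excludeRoots>
            </configuration>
            <executions>
              <execution>
                <id>pmd-check</id>
                <!-- pmd:check runs pmd:pmd first, then evaluates the result
                     against failurePriority. -->
                <phase>verify</phase>
                <goals>
                  <goal>check</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

With this in place `mvn verify` behaves exactly as before, `mvn -Pstatic-analysis verify` runs PMD and fails only on the highest-priority rules, and a plain `mvn pmd:pmd` produces the report under `target/` without failing anything, which is the mode to use when the output is going to be read by a person rather than enforced by Jenkins. This covers the code-quality rules PMD ships with; it does not turn PMD into the kind of security scanner Fortify or Coverity are, and the thread's point about keeping those results off a public Jenkins applies unchanged.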