
Re: Introducing the "Debian's Automated Code Analysis" (DACA) project



Hi,

Javier Fernández-Sanguino Peña wrote:

> On Thu, Dec 16, 2010 at 12:00:21PM -0600, Raphael Geissert wrote:
>> = What is there for everyone? =
>> 
>> At the moment there are only partial reports from two tools, but the list
>> of tools to be evaluated and possibly included goes over twenty.
> 
> I would be glad if the tools included some security auditing tools such
> as:
> 
>  + Available as Debian packages
>    - RATS: security auditing utility for C, C++, PHP, Perl, and Python
>    code
>    - Flawfinder: security flaw search tool for C/C++ source code

To be honest, the results of both tools are usually just noise and it would 
be better if the C/C++ checks that are not implemented by cppcheck were 
contributed.
I'm not opposed to running them either, but they will be down on my To-Do 
list. If anyone has a few minutes to come up with the right scripts and 
tweaks to the web reports, please subscribe and email the 
daca-devel@lists.alioth.d.o list.

>    - Splint: a tool for statically checking C programs for bugs

Splint has better results than rats and flawfinder, but the same arguments 
apply.

>    - Jlint: Tool to check Java code for bugs, inconsistencies and
>      synchronization problems
> 
>  + There are some other static security analysis tools currently not
>  available in Debian, such as:
>    - FindBugs: a tool for static analysis of Java code
>         http://findbugs.sourceforge.net/
>    - JCSC: Java source code checker - http://jcsc.sourceforge.net/
>    - PMD: Tool to review Java code for bugs - http://pmd.sourceforge.net/
> 
>  As Debian is getting more Java code in now it would be worth it to have
>  some Java tools in the toolbox too.

Niels Thykier said he would look into the java stuff, so that's probably 
covered (if more people want to join, they are of course welcome.)

Thanks for your email.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

