
Re: Introducing the "Debian's Automated Code Analysis" (DACA) project



On Tuesday 21 December 2010, Raphael Geissert wrote:
> >> At the moment there are only partial reports from two tools, but
> >> the list of tools to be evaluated and possibly included goes
> >> over twenty.
> > 
> > I would be glad if the tools included some security auditing
> > tools such
> > 
> > as:
> >  + Available as Debian packages
> >  
> >    - RATS: security auditing utility for C, C++, PHP, Perl, and
> >    Python code
> >    - Flawfinder: security flaw search tool for C/C++ source code
> 
> To be honest, the results of both tools are usually just noise and
> it would be better if the C/C++ checks that are not implemented by
> cppcheck were contributed.
> I'm not opposed to running them either, but they will be down on my
> To-Do list. If anyone has a few minutes to come up with the right
> scripts and tweaks to the web reports, please subscribe and email
> the daca-devel@lists.alioth.d.o list.
> 
> >    - Splint: a tool for statically checking C programs for bugs
> 
> Splint has better results than rats and flawfinder, but the same
> arguments apply.

I fully agree with you WRT flawfinder and splint.

OTOH, I think that clang's scan-build has a reasonable signal-to-noise 
ratio. It only does C, though.

For perl, perlcritic at a sufficiently high warning level may be worth 
a thought.


A question about hardware: How much memory/disk space is needed at the 
minimum to be useful?

Cheers,
Stefan
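Since the thread's argument is about noise from lexical scanners versus path-sensitive checkers, here is an added C example (my own illustration, not code from DACA, from any Debian package, or from anyone in this thread; the record type, the function names and the test strings are made up). It puts a correctly guarded strcpy() next to the off-by-one version of the same guard and next to an explicitly terminated strncpy(): flawfinder reports all three calls because it matches on the function name, while the real defect sits in the comparison operator, which only an analyzer that reasons about the guard can see.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record type and helpers; not from DACA or any package
 * discussed in the thread. */
#define NAME_LEN 16                       /* buffer size, NUL included */

struct record {
    char name[NAME_LEN];
    int  id;
};

/* Correct guard: anything that does not fit together with its NUL is
 * rejected before the copy. flawfinder still reports the strcpy() call
 * (it matches the function name, CWE-120), so that hit is noise; a
 * path-sensitive checker such as scan-build or cppcheck can follow the
 * guard and should stay silent. */
int set_name_guarded(struct record *r, const char *src)
{
    if (strlen(src) >= sizeof r->name)    /* leave room for the terminator */
        return -1;
    strcpy(r->name, src);                 /* bounded by the check above */
    return 0;
}

/* The same guards expressed on the input length, so the off-by-one variant
 * can be compared with the correct one without ever performing the
 * overflowing write. A guard written as "strlen(src) > sizeof buf" accepts
 * a 16-character name, and the strcpy() after it would then write 17 bytes
 * into 16. To a lexical scanner the two strcpy() lines look identical; only
 * an analyzer that reasons about the condition can tell them apart. */
int guard_accepts_correct(size_t len)    { return len < NAME_LEN; }
int guard_accepts_off_by_one(size_t len) { return len <= NAME_LEN; }

/* Truncating alternative: also flagged by flawfinder ("strncpy may not
 * NUL-terminate"), also a false positive here because the terminator is
 * written explicitly. Returns 1 when the input was truncated. */
int set_name_truncating(struct record *r, const char *src)
{
    strncpy(r->name, src, sizeof r->name - 1);
    r->name[sizeof r->name - 1] = '\0';
    return strlen(src) >= sizeof r->name;
}

/* Runs the cases above and returns the number of failed expectations. */
int run_checks(void)
{
    struct record r;
    int failures = 0;
    const char *fits     = "0123456789abcde";   /* 15 chars: fits with NUL */
    const char *too_long = "0123456789abcdef";  /* 16 chars: does not fit */

    failures += set_name_guarded(&r, fits) != 0 || strcmp(r.name, fits) != 0;
    failures += set_name_guarded(&r, too_long) != -1;
    /* 16 characters: correct guard rejects, off-by-one guard lets through */
    failures += guard_accepts_correct(strlen(too_long)) != 0;
    failures += guard_accepts_off_by_one(strlen(too_long)) != 1;
    failures += set_name_truncating(&r, too_long) != 1 || strcmp(r.name, fits) != 0;
    failures += set_name_truncating(&r, "bob") != 0 || strcmp(r.name, "bob") != 0;
    return failures;
}

int main(void)
{
    int failures = run_checks();
    printf("%d failed expectation(s)\n", failures);
    return failures != 0;
}
```

Run flawfinder over this file and all three copy calls come back as CWE-120 hits at the same level; the one genuine problem, the comparison in the off-by-one guard, is not something a name-based scanner can rank differently from the safe lines around it, which is what makes the report hard to act on at archive scale.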
