Re: Introducing the "Debian's Automated Code Analysis" (DACA) project
On Tuesday 21 December 2010, Raphael Geissert wrote:
> >> At the moment there are only partial reports from two tools, but
> >> the list of tools to be evaluated and possibly included goes
> >> over twenty.
> > I would be glad if the tools included some security auditing tools such as:
> > + Available as Debian packages
> > - RATS: security auditing utility for C, C++, PHP, Perl, and Python code
> > - Flawfinder: security flaw search tool for C/C++ source code
> To be honest, the results of both tools are usually just noise and
> it would be better if the C/C++ checks that are not implemented by
> cppcheck were contributed.
> I'm not opposed to running them either, but they will be down on my
> To-Do list. If anyone has a few minutes to come up with the right
> scripts and tweaks to the web reports, please subscribe and email
> the daca- email@example.com list.
> > - Splint: a tool for statically checking C programs for bugs
> Splint has better results than rats and flawfinder, but the same
> arguments apply.
I fully agree with you WRT flawfinder and splint.
OTOH, I think that clang's scan-build has a reasonable signal-to-noise
ratio. It only does C, though.
For perl, perlcritic at a sufficiently high warning level may be worth
A question about hardware: How much memory/disk space is needed at the
minimum to be useful?