scan . coverity . com

[grigi]

As Cristan reccomended: (Create a new thread)

As we are approacing 0.3 status, I wonder if now it the right time to submit the project to coverity for scan?

Or should that only be done after the audit is done?

We are already indirectly benifiting from the coverity project via wine, so I guess those code should be excluded.

For those that don't know what I am talking about:
http://scan.coverity.com/
and a description of what coverity does from wine's weekly news:
http://www.winehq.com/?issue=311#Coveri ... ans%20Wine

To my knowledge joining to the coverity project is a long-term (1-2 years?) relation, therefore it could help to avoid any exploitable regressions.

What say any of the developers?[/url]

[mxb]

Now I'm not a developer, but I do try and audit the reactos source code for vulnerabilities. I currently use a few tools (pscan, flawfinder, rats etc. etc.) to help me but someone still has to audit the code by hand. This takes a lot of time (especially with a couple of hundred megs of source code to get through). Automated code checking can pick up the obvious flaws, but some of the more difficult / obscure ones remain hidden.

I'm just about to create some wiki pages for it, in case anyone would like to help me.

It's a good idea, and everything helps, but running a few tools on it won't suddenly make ReactOS secure.

[fireball]

I already sent an email to Scan Coverity project regarding ReactOS. So I will let you know about their reply.