As Cristan recommended: (Create a new thread)
As we are approaching 0.3 status, I wonder if now is the right time to submit the project to Coverity for a scan?
Or should that only be done after the audit is done?
We are already indirectly benefiting from the Coverity project via Wine, so I guess that code should be excluded.
For those that don't know what I am talking about:
http://scan.coverity.com/
and a description of what Coverity does from Wine's weekly news:
http://www.winehq.com/?issue=311#Coveri ... ans%20Wine
To my knowledge, joining the Coverity project is a long-term (1-2 years?) relationship, therefore it could help to avoid any exploitable regressions.
What say any of the developers?
Now I'm not a developer, but I do try to audit the ReactOS source code for vulnerabilities. I currently use a few tools (pscan, flawfinder, RATS, etc.) to help me, but someone still has to audit the code by hand. This takes a lot of time (especially with a couple of hundred megs of source code to get through). Automated code checking can pick up the obvious flaws, but some of the more difficult/obscure ones remain hidden.
I'm just about to create some wiki pages for it, in case anyone would like to help me.
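As an added illustration of that last point (example code written for this thread, not ReactOS code and not output from pscan, flawfinder or RATS): the first function below is the kind of flaw a name-matching scanner reports, because it only has to spot strcpy(); the second is a bounds check that wraps around, which such a scanner has no reason to flag because no dangerous function is called. Each is shown beside a hardened version. The length-prefixed record layout, the function names and the sample bytes are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* (a) The obvious flaw: an unbounded strcpy() into a fixed buffer.
 * Pattern scanners report this by matching the function name alone,
 * which is why it is cheap for a tool to find. Never call this. */
void name_copy_unsafe(char dst[16], const char *src)
{
    strcpy(dst, src);            /* overflows dst for any src of 16+ chars */
}

/* Hardened form of (a): copy at most dstsz-1 bytes and always terminate.
 * Returns the number of bytes copied (excluding the terminator). */
size_t name_copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 0;
    if (n >= dstsz)
        n = dstsz - 1;             /* truncate instead of overflowing */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* (b) The obscure flaw: a bounds check that looks right but can wrap.
 * No dangerous function is called, so a name-matching scanner is silent.
 * Question asked: does [off, off+len) lie inside a total-byte buffer? */
int record_fits_subtle(uint32_t off, uint32_t len, uint32_t total)
{
    return off + len <= total;   /* off + len wraps modulo 2^32 */
}

/* Hardened form of (b): never form off+len; compare len against the
 * remaining space instead, so no intermediate value can overflow. */
int record_fits_safe(uint32_t off, uint32_t len, uint32_t total)
{
    return off <= total && len <= total - off;
}

/* Walk a sequence of length-prefixed records (4-byte little-endian length,
 * then payload) using the safe check. Returns the record count, or -1 if
 * the input is malformed. With record_fits_subtle() in place of
 * record_fits_safe(), a huge length would be accepted and the next
 * iteration would read the length field from beyond the buffer. */
int count_records(const uint8_t *buf, uint32_t total)
{
    uint32_t off = 0;
    int n = 0;

    while (off < total) {
        if (!record_fits_safe(off, 4, total))
            return -1;
        uint32_t len = (uint32_t)buf[off]
                     | (uint32_t)buf[off + 1] << 8
                     | (uint32_t)buf[off + 2] << 16
                     | (uint32_t)buf[off + 3] << 24;
        off += 4;
        if (!record_fits_safe(off, len, total))
            return -1;
        off += len;
        n++;
    }
    return n;
}

/* Constructed sample inputs (not captured from any real file format). */
static const uint8_t SAMPLE_OK[] = {
    3, 0, 0, 0, 'a', 'b', 'c',        /* record 1, length 3 */
    2, 0, 0, 0, 'x', 'y'              /* record 2, length 2 */
};
static const uint8_t SAMPLE_BAD[] = {
    0xff, 0xff, 0xff, 0xff, 'a'       /* claimed length 0xffffffff */
};

int main(void)
{
    char name[16];
    size_t copied = name_copy_bounded(name, sizeof name, "a-much-too-long-identifier");

    printf("bounded copy: %zu bytes -> \"%s\"\n", copied, name);
    printf("wrapping check accepts bogus record: %d\n",
           record_fits_subtle(4, 0xffffffffu, sizeof SAMPLE_BAD));
    printf("safe check accepts bogus record:     %d\n",
           record_fits_safe(4, 0xffffffffu, sizeof SAMPLE_BAD));
    printf("records in SAMPLE_OK:  %d\n", count_records(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("records in SAMPLE_BAD: %d\n", count_records(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

The wrap in record_fits_subtle() is exactly the sort of thing the hand audit mentioned above has to find: the code is type-correct, calls nothing on any scanner's blacklist, and is wrong only for attacker-chosen lengths near 2^32.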
It's a good idea, and everything helps, but running a few tools on it won't suddenly make ReactOS secure.