[Daca-general] Introducing the "Debian's Automated Code Analysis" (DACA) project
Raphael Geissert
geissert at debian.org
Tue Dec 21 00:43:20 UTC 2010
Hi,

Javier Fernández-Sanguino Peña wrote:
> On Thu, Dec 16, 2010 at 12:00:21PM -0600, Raphael Geissert wrote:
>> = What is there for everyone? =
>>
>> At the moment there are only partial reports from two tools, but the list
>> of tools to be evaluated and possibly included goes over twenty.
>
> I would be glad if the tools included some security auditing tools such
> as:
>
> + Available as Debian packages
> - RATS: security auditing utility for C, C++, PHP, Perl, and Python
> code
> - Flawfinder: security flaw search tool for C/C++ source code

To be honest, the results of both tools are usually just noise and it would
be better if the C/C++ checks that are not implemented by cppcheck were
contributed.
I'm not opposed to running them either, but they will be down on my To-Do
list. If anyone has a few minutes to come up with the right scripts and
tweaks to the web reports, please subscribe and email the
daca-devel at lists.alioth.d.o list.

> - Splint: a tool for statically checking C programs for bugs

Splint has better results than rats and flawfinder, but the same arguments
apply.
> - Jlint: Tool to check Java code for bugs, inconsistencies and
> synchronization problems
>
> + There are some other static security analysis currently not available
> in Debian, such as:
> - FindBugs: a tool for static analysis of Java code
> http://findbugs.sourceforge.net/
> - JCSC: Java source code checker - http://jcsc.sourceforge.net/
> - PMD: Tool to review Java code for bugs - http://pmd.sourceforge.net/
>
> As Debian is getting more Java code in now it would be worth it to have
> some Java tools in the toolbox too.

Niels Thykier said he would look into the java stuff, so that's probably
covered (if more people want to join, they are of course welcome.)

Thanks for your email.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net