[Daca-general] Introducing the "Debian's Automated Code Analysis" (DACA) project
Stefan Fritsch
sf at sfritsch.de
Thu Dec 23 21:30:51 UTC 2010
On Tuesday 21 December 2010, Raphael Geissert wrote:
> >> At the moment there are only partial reports from two tools, but
> >> the list of tools to be evaluated and possibly included goes
> >> over twenty.
> >
> > I would be glad if the tools included some security auditing
> > tools such as:
> >
> > + Available as Debian packages
> >
> > - RATS: security auditing utility for C, C++, PHP, Perl, and
> > Python code
> > - Flawfinder: security flaw search tool for C/C++ source code
>
> To be honest, the results of both tools are usually just noise and
> it would be better if the C/C++ checks that are not implemented by
> cppcheck were contributed.
> I'm not opposed to running them either, but they will be down on my
> To-Do list. If anyone has a few minutes to come up with the right
> scripts and tweaks to the web reports, please subscribe and email
> the daca-devel at lists.alioth.d.o list.
>
> > - Splint: a tool for statically checking C programs for bugs
>
> Splint has better results than rats and flawfinder, but the same
> arguments apply.
I fully agree with you WRT flawfinder and splint.
OTOH, I think that clang's scan-build has a reasonable signal-to-noise
ratio. It only does C, though.
For perl, perlcritic at a sufficiently high warning level may be worth
a thought.
A question about hardware: How much memory/disk space is needed at the
minimum to be useful?
Cheers,
Stefan