So I did a bit of digging today and I found a few options
<https://en.wikipedia.org/wiki/PMD_(software)>, but so far my
favourite is Coverity Scan <https://scan.coverity.com/travis_ci>.  I've
never used this product before, so I'm not exactly sure what to expect, but
I guess anyone can kick off a scan of an open source project and get
results within 48 hours.  I was in the process of registering Metron to be
scanned but I found some things in their scan user agreement which I wasn't
sure everybody would be in line with (see below for the excerpts - note I
did NOT read the entire document and IANAL).

Here's the TL;DR of what Coverity Scan is:

Coverity Scan <http://scan.coverity.com/> is a free static code analysis
tool for Java, C, C++, C# and JavaScript.

This addon leverages the Travis-CI infrastructure to automatically run code
analysis on your GitHub projects.

Coverity Scan is a service by which Coverity provides the results of
analysis on open source coding projects to open source code developers that
have registered their products with Coverity Scan.

Some examples of defects and vulnerabilities found by Coverity Quality
Advisor include:

   - resource leaks
   - dereferences of NULL pointers
   - incorrect usage of APIs
   - use of uninitialized data
   - memory corruptions
   - buffer overruns
   - control flow issues
   - error handling issues
   - incorrect expressions
   - concurrency issues
   - insecure data handling
   - unsafe use of signed values
   - use of resources that have been freed

Register your project with Coverity Scan by completing the project
registration form found at scan.coverity.com. Upon your completion of
project registration (including acceptance of the Scan User Agreement) and
your receipt of confirmation of registration of your project, you will be
able to download the Software required to submit a build of your code for
analysis by Coverity Scan. You may then download the Software, complete a
build and submit your Registered Project build for analysis and review in
Coverity Scan. Coverity Scan is only available for use with open source
projects that are registered with Coverity Scan.

Here are some interesting snippets from their scan user agreement:

Your use of our software is acceptance of our Terms
<https://scan.coverity.com/policy>

You will not disassemble, decompile, reverse engineer, modify or create
derivative works of Our Service, software products or documentation nor
permit any third party to do so, except to the extent such restrictions are
prohibited by applicable mandatory local law

You will not disclose to any third party any comparison of the results of
operation of Our Service or software products with other services or
products, except as expressly permitted by this Agreement

You will not publish any findings regarding or resulting from use of the
Service or the Software

You agree that We may use Your name and logo (in a form approved by You)
and Registered Product information to identify You and such project as a
participant of Our Scan Program on Our website or in Our marketing or
publicity materials or in any filings made in connection with state or
federal securities laws.

Additionally, upon execution of this Agreement, the parties will use
commercially reasonable efforts to issue mutually agreed upon joint press
releases or other public communications announcing Your entry into this
Agreement.

At Our written request, You will furnish Us with (a) a certification signed
by an officer of Your company providing user or access information that
identifies whether the Service and the Software is being used in accordance
with the terms of this Agreement, and (b) log files from any License
Manager. Upon at least thirty (30) days prior written notice, We may
engage, at Our expense, an independent auditor to audit Your use of the
Service and the Software to ensure that You are in compliance with the
terms of this Agreement. ... You will provide the auditor with access to
the relevant records and facilities.

Jon
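For reference, here is what a `.travis.yml` fragment for the Travis CI coverity_scan addon mentioned above looks like. This is an added example, not configuration from this thread or from the Metron project: the keys follow the addon's documentation, while the project name, notification address and Maven build commands are placeholders/assumptions.

```yaml
# Added example .travis.yml fragment for the Travis CI coverity_scan addon.
# Keys follow the addon documentation; the values are placeholders, not Metron's.
env:
  global:
    # COVERITY_SCAN_TOKEN is stored only as a Travis-encrypted variable, so the
    # project token never appears in plain text in the repository.
    - secure: "<travis-encrypted COVERITY_SCAN_TOKEN>"

addons:
  coverity_scan:
    project:
      name: "example-org/example-project"   # placeholder GitHub "owner/repo"
      description: "Build submitted via Travis CI"
    notification_email: scan-notifications@example.com   # placeholder
    # Assumed Maven build: tests are skipped because Coverity only needs to
    # observe the compile step.
    build_command_prepend: "mvn -q clean"
    build_command: "mvn -q -DskipTests package"
    # Submit only from a dedicated branch so the rate-limited upload does not
    # run on every push or on pull-request builds from forks.
    branch_pattern: coverity_scan
```

Pushing to the `coverity_scan` branch triggers the analysis build; results are then reviewed in the Coverity Scan dashboard rather than failing the Travis job.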

On Fri, May 27, 2016 at 11:14 AM zeo...@gmail.com <zeo...@gmail.com> wrote:

> There's nothing built-in with Travis, but we could install a tool to do
> this as part of the installation of tools on the build box.  I'm gonna
> reach out to people in my local circle who specialize in secure code
> analysis and see what all of the options are.
>
> Jon
>
> On Fri, May 27, 2016 at 9:50 AM Nick Allen <n...@nickallen.org> wrote:
>
>> I completely agree that we will need some focus on this.
>>
>> What could Travis do for us?  I wasn't aware that they offered security
>> scanning.
>>
>> Are you aware of any security scan services that offer free support to open
>> source projects?
>>
>> On Fri, May 27, 2016 at 9:42 AM, zeo...@gmail.com <zeo...@gmail.com> wrote:
>>
>> > So I've never done anything like this before in Travis but I have done IDE
>> > plugins and pre prod scans in the past at large companies which worked
>> > well.  I floated the idea past a friend working at Travis and she said if
>> > we go that route she would assist.
>> >
>> > I just think that if this is integrated from the beginning and fails builds
>> > on critical issues (to start), this could be a big differentiator,
>> > especially because we're talking about a security platform that centralizes
>> > tons of sensitive information, tries to parse almost anything that's thrown
>> > at it (think of what's been happening to AV products recently), and is open
>> > source for bad guys to dig into much more easily.
>> >
>> > Jon
>> >
>> > On Fri, May 27, 2016, 09:34 Nick Allen <n...@nickallen.org> wrote:
>> >
>> > > I am not aware of any discussions around this, Jon.  What are you
>> > > thinking?
>> > >
>> > > On Thu, May 26, 2016 at 4:35 PM, zeo...@gmail.com <zeo...@gmail.com>
>> > > wrote:
>> > >
>> > > > I was just wondering if there is any sort of static (or even dynamic)
>> > > > code analysis, or penetration testing/vulnerability assessment,
>> > > > occurring at any point on the Metron code.  Has there been any
>> > > > discussion of installing something along those lines on the Travis
>> > > > build server (if it isn't there already)?  Thanks,
>> > > >
>> > > > Jon
>> > > > --
>> > > >
>> > > > Jon
>> > > >
>> > >
>> > >
>> > >
>> > > --
>> > > Nick Allen <n...@nickallen.org>
>> > >
>> > --
>> >
>> > Jon
>> >
>>
>>
>>
>> --
>> Nick Allen <n...@nickallen.org>
>>
> --
>
> Jon
>
-- 

Jon