-----Original Message-----
>From: Crispin Cowan [mailto:[EMAIL PROTECTED]
>
>Gavin, Michael wrote:
>> Yeah, statistics can allow you to say and "prove" just about anything.
>>
>> OK, showing my ignorance here, since I haven't checked out any of the
>> LAMP source trees and reviewed the code: how much of the code making up
>> those modules is written in scripting languages vs. how much of it is
>> written in C, C++ (and how much, if any, is written in any other
>> compiled languages)?
>>
> That doesn't matter; what matters is what fraction of disclosed
> vulnerabilities is in each segment of the code. If 90% of the
> vulnerabilities come from the PHP part, then the fact that 90% of the
> lines of code are in C doesn't help.
[Gavin, Michael] Absolutely true! But from the perspective of improving static source code analysis tools, if 90% of the code is in C, which is one of the two languages supported by the Coverity product, then we now have one reasonable data point regarding how well that (moderate amount of) C code was written with respect to one vendor's notion/implementation of secure coding in C. Certainly not a huge win for anyone, but a potential starting point for comparing techniques and products. For example, I haven't been following the status of David Wheeler's flawfinder, but even if that hasn't been updated lately, it might be interesting to see which flaws it finds that Coverity found, which Coverity found that flawfinder doesn't, and which flawfinder finds that Coverity didn't. Unfortunately your comment below regarding the proprietary nature of Coverity makes such a comparison less useful for everyone but Coverity...

>> If the LAMP source code itself is primarily C/C++, then arguably, the
>> results are somewhat interesting, though I think they would be much more
>> interesting if this DISA project was set up to test the open source code
>> with a number of commercial scanners instead of just the Coverity
>> scanner, then we could at least compare the merits of various scanning
>> techniques and implementations.
>
> The proprietary status of the Coverity scanner is a continuous pain.
> That's why I tend to ignore it where possible :)
>
> Crispin
> --
> Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
> Director of Software Engineering, Novell http://novell.com
> Olympic Games: The Bi-Annual Festival of Corruption

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
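The three-way split Gavin proposes (flaws both tools report, flaws only flawfinder reports, flaws only the other scanner reports) is straightforward to compute once both tools' output is normalized to file and line. The script below is an added example and is not part of the SC-L thread, flawfinder, or any Coverity tooling. It assumes flawfinder's CSV output with "File", "Line", "Name" and "Warning" columns; the second tool's "path:line: CHECKER: message" format, the path prefix "/build/lamp/", and every finding in the sample input are constructed for illustration. Because different tools often attribute the same defect to neighbouring lines (the call site versus the declaration), matches are accepted within a small line tolerance rather than requiring an exact line number.

```python
"""Three-way comparison of findings from two static analyzers on one C tree.

Added example, not from the mailing-list thread. Sample inputs are constructed;
the second tool's output format and the build prefix are hypothetical.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of flawfinder's --csv output (subset of columns).
FLAWFINDER_CSV = """\
File,Line,Column,DefaultLevel,Level,Category,Name,Warning
src/net/conn.c,142,5,4,4,buffer,strcpy,Does not check for buffer overflows when copying to destination (CWE-120)
src/net/conn.c,203,9,2,2,buffer,char,Statically-sized arrays can be improperly restricted (CWE-119)
src/util/str.c,57,12,4,4,format,sprintf,Does not check for buffer overflows (CWE-120)
src/main.c,88,3,3,3,random,rand,This function is not sufficiently random for security-related functions (CWE-327)
"""

# Constructed sample for a second (hypothetical) tool: "path:line: CHECKER: message".
# Paths carry a build-tree prefix that must be stripped before matching.
OTHER_TOOL_TXT = """\
/build/lamp/src/net/conn.c:143: OVERRUN: Overrunning buffer pointed to by "dst"
/build/lamp/src/util/str.c:57: STRING_OVERFLOW: sprintf into fixed-size buffer
/build/lamp/src/db/query.c:310: TAINTED_SCALAR: Using tainted value "len" as array index
"""


@dataclass(frozen=True)
class Finding:
    tool: str
    file: str
    line: int
    detail: str


def normalize_path(path, prefix=""):
    """Strip a build-tree prefix so both tools refer to the same relative paths."""
    if prefix and path.startswith(prefix):
        path = path[len(prefix):]
    return path[2:] if path.startswith("./") else path


def parse_flawfinder_csv(text):
    """Parse flawfinder CSV rows into Finding records."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append(Finding("flawfinder", normalize_path(row["File"]),
                                int(row["Line"]), f'{row["Name"]}: {row["Warning"]}'))
    return findings


def parse_other_tool(text, strip_prefix=""):
    """Parse hypothetical 'path:line: message' lines into Finding records."""
    findings = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        path, line, detail = raw.split(":", 2)  # message may itself contain ':'
        findings.append(Finding("other", normalize_path(path, strip_prefix),
                                int(line), detail.strip()))
    return findings


def compare(a, b, tolerance=1):
    """Greedy one-to-one matching of findings by file, within +/- tolerance lines.

    Returns {"both": [(fa, fb), ...], "only_a": [...], "only_b": [...]}.
    """
    by_file = defaultdict(list)
    for fb in b:
        by_file[fb.file].append(fb)
    unmatched_b = set(b)
    both, only_a = [], []
    for fa in sorted(a, key=lambda f: (f.file, f.line)):
        candidates = [fb for fb in by_file[fa.file]
                      if fb in unmatched_b and abs(fb.line - fa.line) <= tolerance]
        if candidates:
            fb = min(candidates, key=lambda c: abs(c.line - fa.line))
            unmatched_b.discard(fb)  # each finding in b is consumed once
            both.append((fa, fb))
        else:
            only_a.append(fa)
    only_b = sorted(unmatched_b, key=lambda f: (f.file, f.line))
    return {"both": both, "only_a": only_a, "only_b": only_b}


def report(result):
    """Plain-text summary suitable for pasting into a list reply."""
    lines = [f"found by both tools: {len(result['both'])}"]
    for fa, fb in result["both"]:
        lines.append(f"  {fa.file}:{fa.line} <-> {fb.file}:{fb.line}  [{fa.detail} | {fb.detail}]")
    for key, label in (("only_a", "only first tool"), ("only_b", "only second tool")):
        lines.append(f"{label}: {len(result[key])}")
        for f in result[key]:
            lines.append(f"  {f.file}:{f.line}  {f.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    ff = parse_flawfinder_csv(FLAWFINDER_CSV)
    other = parse_other_tool(OTHER_TOOL_TXT, strip_prefix="/build/lamp/")
    print(report(compare(ff, other, tolerance=1)))
```

Run with real data by replacing the two embedded samples with the files each tool wrote; the tolerance is worth varying, since an exact-line comparison undercounts agreement while a wide window starts pairing unrelated findings in the same function.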