
List:       kde-core-devel
Subject:    Re: RFC: Performing code security audits before releases...
From:       Alex Zepeda <jazepeda () pacbell ! net>
Date:       2002-02-25 19:43:31

On Mon, Feb 25, 2002 at 02:10:03AM -0500, Dawit Alemayehu wrote:

> For starters I generated and attached below a report for the entire 
> kdelibs directory using RATS (http://www.securesw.com/rats/).  Perhaps 
> using the lessons we learn from using tools like this we can write a 
> HOWTO article or create methods to avoid the pitfalls.

A quick check (dcopclient.cpp only) revealed lots of false positives, and
two real ones (ln 1133, 1164).  Certainly, QCString.append or the << operator
would be a bit cleaner here.

What would be really valuable would be to have the tool realize when a
dynamic string class is being used (with say getenv), or when sprintf is
used in an unsafe manner (say with a string and no "precision").  This would
eliminate lots of these warnings (for sure sprintf with a fixed size
format shouldn't really trigger any warnings -- at least medium or lower).

- alex
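The check Alex is asking the tool for, as an added illustration that is not part of the thread, of RATS, or of kdelibs: walk a printf-style format string and decide whether a plain sprintf into a fixed buffer can be bounded statically. Integer conversions get a generous fixed upper bound, `%s` is bounded only when it carries a literal precision, and anything the heuristic cannot bound (`%s` with no precision, `*` widths, floating point) is reported as unbounded. The function names, the 24-character integer bound and the 16-byte buffer in the helper are this example's own assumptions.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>
#include <utility>

// Maximum number of characters the format can produce (excluding the NUL),
// or -1 if some conversion cannot be bounded from the format string alone.
// Assumed bounds: 24 chars covers any 64-bit integer conversion with sign,
// "0x"/"0" prefix and padding; %p is treated as "0x" + 16 hex digits.
// Length modifiers are skipped, so %lc is counted like %c (1 byte).
long maxFormattedLength(const char *fmt)
{
    long total = 0;
    for (const char *p = fmt; *p; ++p) {
        if (*p != '%') { ++total; continue; }
        ++p;
        if (*p == '%') { ++total; continue; }          // literal '%'
        while (*p && strchr("-+ #0", *p)) ++p;         // flags
        if (*p == '*') return -1;                      // runtime width: unknown
        long width = 0;
        while (isdigit((unsigned char)*p)) { width = width * 10 + (*p - '0'); ++p; }
        long prec = -1;
        if (*p == '.') {
            ++p;
            if (*p == '*') return -1;                  // runtime precision: unknown
            prec = 0;
            while (isdigit((unsigned char)*p)) { prec = prec * 10 + (*p - '0'); ++p; }
        }
        while (*p && strchr("hlLqjzt", *p)) ++p;       // length modifiers
        long conv;
        switch (*p) {
        case 'd': case 'i': case 'u': case 'o': case 'x': case 'X':
            conv = 24;                                 // assumed 64-bit bound
            if (prec + 3 > conv) conv = prec + 3;      // precision pads digits
            break;
        case 'c': conv = 1; break;
        case 'p': conv = 18; break;
        case 's':
            if (prec < 0) return -1;                   // the unsafe case: %s, no precision
            conv = prec;
            break;
        default:
            return -1;   // %f/%g/%e can run to hundreds of chars; unknown conversions too
        }
        total += (width > conv) ? width : conv;
    }
    return total;
}

// Would sprintf(buf, fmt, ...) with sizeof(buf) == bufSize always fit?
bool sprintfFits(const char *fmt, size_t bufSize)
{
    long n = maxFormattedLength(fmt);
    return n >= 0 && (size_t)n + 1 <= bufSize;        // +1 for the terminating NUL
}

// The bounded alternative for the getenv-style case: the length is tied to
// the destination size and truncation is reported rather than silently
// overflowing. Returns false if the line was cut short.
bool safeEnvLine(char *out, size_t outSize, const char *home)
{
    int n = snprintf(out, outSize, "HOME=%s", home);
    return n >= 0 && (size_t)n < outSize;
}

// Helper for the self-test: format into a fixed 16-byte buffer (assumed size).
std::pair<std::string, bool> envLine16(const char *home)
{
    char buf[16];
    bool fit = safeEnvLine(buf, sizeof buf, home);
    return std::make_pair(std::string(buf), fit);
}

int main()
{
    const char *formats[] = { "pid=%d", "HOME=%s", "HOME=%.63s", "%5.2s", "%.*s", "%f" };
    for (const char *f : formats)
        printf("%-12s max=%ld fits64=%d\n", f, maxFormattedLength(f), sprintfFits(f, 64));
    std::pair<std::string, bool> r = envLine16("/home/alexander");
    printf("%s (fit=%d)\n", r.first.c_str(), r.second);
    return 0;
}
```

Note the trade-off the heuristic exposes: `"%.*s"` is safe at runtime when the precision is derived from the buffer size, but a purely format-string-based check must report it as unknown, which is one more reason the mail's suggestion of a dynamic string class (or snprintf, as in safeEnvLine) is the cleaner fix than tuning sprintf precisions by hand.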