l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2008 Apr 23 17:17

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] Coverity Scan tool for secure software dev
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] Coverity Scan tool for secure software dev

>>>>> On Tue, 22 Apr 2008 11:30:05 -0700, Alex Mandel <tech_dev@wildintellect.com> said:

AM> Anyone have any experience with Scan from Coverity?

AM> Basic idea as I read it, scan your source code for known common 
AM> programming errors that lead to security issues. They offer up results 
AM> for FOSS projects for free.
AM> http://scan.coverity.com/index.html

AM> Looks like it would be an interesting talk, anyone have a contact on 
AM> this project since it's associated with Stanford?

Actually, I've used it quite a bit.  Net-SNMP (a project I started) was
an early target as one of the initial projects they strapped into the

In real quick summary, I love Coverity's output and code browser and
error reporter.  It's quite good and pointing out "little tiny things".
However, because it reports everything under the sun as a potential
problem, 99% of the things it points out may be situations that would
never occur.  It does a great job of enforcing good practice coding
(even when you don't want to handle those "this'll never happen

That being said, Net-SNMP fell out of their scan system about the time
we switched from CVS to SVN and I've had a heck of a time contacting
them to get us reinstated.  (I can still log in and browse the output
from our last good run, but that was quite a while ago at this point).

I actually tried to get our DNSSEC-Tools project instated into the scan
system as well, but we (Coverity and us) fell into a problem of getting
it to compile on their older systems.  They use netbsd3 (I think) and
FC6 (might have been older) and if you're system doesn't compile on one
of those older releases you're out of luck.  Eventually they're supposed
to migrate their build system to something newer, but last I heard they
still hadn't.

"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
vox mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.