Posted to dev@struts.apache.org by Ted Husted <hu...@apache.org> on 2008/01/17 13:10:31 UTC

Coverity Scan

There's a company that's been scanning open source project codebases
for static flaws. In November 2007, they announced that Java projects
are being added.

 * http://www.coverity.com/html/press_story51_11_20_07.html

There's been the odd email about using these projects foundation-wide,
possibly by running them locally. But the core service described by
this press release seems to be external.

I couldn't find a list of Java projects on the website. The next step
seems to be to send an email to <sc...@coverity.com>.

If we are not already on the list, my question is whether we would
like to opt-in now or not?

My thought is that we might want to be proactive. In the alternative,
we are likely to find one day that Coverity has started to scan us
unilaterally, and then be surprised by a lot of new fixes to make.
Since Struts is an approved framework for several government agencies
(DoD, VA, and so forth), I would think that we would be on the short
list anyway.

-Ted.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: Coverity Scan

Posted by Al Sutton <al...@alsutton.com>.
I always favour a "more eyes the better" approach.

If Coverity finds nothing we've lost nothing, but if it finds something we 
can avoid having to fix a release once it's in the wild.

Al.

----- Original Message ----- 
From: "Philip Luppens" <ph...@gmail.com>
To: "Struts Developers List" <de...@struts.apache.org>
Sent: Thursday, January 17, 2008 1:08 PM
Subject: Re: Coverity Scan


> On 1/17/08, Antonio Petrelli <an...@gmail.com> wrote:
>> 2008/1/17, Ted Husted <hu...@apache.org>:
>> >
>> > If we are not already on the list, my question is whether we would
>> > like to opt-in now or not?
>>
>>
>>
>> I think it is the case: in Struts 2 we had two major security problems, and
>> probably a new one has arisen.
>
> I doubt their scanner would be able to identify such problems. But
> more analysis is always good (checkstyle, pmd, findbugs, ..), so +1
> from me.
>
> - Phil
>
>> Antonio
>>
>
>
> -- 
> Software Architect - Hydrodesk
> "Always code as if the guy who ends up maintaining your code will be a
> violent psychopath who knows where you live." - John F. Woods
>
> 




Re: Coverity Scan

Posted by Philip Luppens <ph...@gmail.com>.
On 1/17/08, Antonio Petrelli <an...@gmail.com> wrote:
> 2008/1/17, Ted Husted <hu...@apache.org>:
> >
> > If we are not already on the list, my question is whether we would
> > like to opt-in now or not?
>
>
>
> I think it is the case: in Struts 2 we had two major security problems, and
> probably a new one has arisen.

I doubt their scanner would be able to identify such problems. But
more analysis is always good (checkstyle, pmd, findbugs, ..), so +1
from me.

- Phil

> Antonio
>


-- 
Software Architect - Hydrodesk
"Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live." - John F. Woods



Re: Coverity Scan

Posted by Antonio Petrelli <an...@gmail.com>.
2008/1/17, Ted Husted <hu...@apache.org>:
>
> If we are not already on the list, my question is whether we would
> like to opt-in now or not?



I think it is the case: in Struts 2 we had two major security problems, and
probably a new one has arisen.

Antonio

Re: Coverity Scan

Posted by Martin Cooper <ma...@apache.org>.
On Jan 17, 2008 4:10 AM, Ted Husted <hu...@apache.org> wrote:

> There's a company that's been scanning open source project codebases
> for static flaws. In November 2007, they announced that Java projects
> are being added.
>
>  * http://www.coverity.com/html/press_story51_11_20_07.html
>
> There's been the odd email about using these projects foundation-wide,
> possibly by running them locally. But the core service described by
> this press release seems to be external.
>
> I couldn't find a list of Java projects on the website. The next step
> seems to be to send an email to <sc...@coverity.com>.
>
> If we are not already on the list, my question is whether we would
> like to opt-in now or not?


It looks like it might be worth investigating further, at least. My two
concerns at this point are:

1) How, and how often, do they pull the source code? We've seen issues in
the past related to external organisations trying to be helpful but -
perhaps inadvertently - beating up rather heavily on the ASF infrastructure.

2) It appears that there are NDAs involved at higher "levels" of the
process. I'd want to be sure that either we are in a position to sign such
NDAs or that we wouldn't be stuck at some lower level because we can't, and
having the project look bad because we cannot reach the higher levels.

If we can reach a satisfactory resolution on these points, I'd be in favour
of giving it a go.

--
Martin Cooper


> My thought is that we might want to be proactive. In the alternative,
> we are likely to find one day that Coverity has started to scan us
> unilaterally, and then be surprised by a lot of new fixes to make.
> Since Struts is an approved framework for several government agencies
> (DoD, VA, and so forth), I would think that we would be on the short
> list anyway.
>
> -Ted.
>
>
>

Re: Coverity Scan

Posted by Matt Raible <mr...@gmail.com>.
+1 - it certainly doesn't sound like a bad thing to do.

Matt

On Jan 17, 2008, at 4:10 AM, Ted Husted wrote:

> There's a company that's been scanning open source project codebases
> for static flaws. In November 2007, they announced that Java projects
> are being added.
>
>  * http://www.coverity.com/html/press_story51_11_20_07.html
>
> There's been the odd email about using these projects foundation-wide,
> possibly by running them locally. But the core service described by
> this press release seems to be external.
>
> I couldn't find a list of Java projects on the website. The next step
> seems to be to send an email to <sc...@coverity.com>.
>
> If we are not already on the list, my question is whether we would
> like to opt-in now or not?
>
> My thought is that we might want to be proactive. In the alternative,
> we are likely to find one day that Coverity has started to scan us
> unilaterally, and then be surprised by a lot of new fixes to make.
> Since Struts is an approved framework for several government agencies
> (DoD, VA, and so forth), I would think that we would be on the short
> list anyway.
>
> -Ted.
>
>




Re: Coverity Scan

Posted by Musachy Barroso <mu...@gmail.com>.
+1 sounds good.

musachy

On Jan 17, 2008 9:54 AM, Dave Newton <ne...@yahoo.com> wrote:
> +1; I'm a huge fan of various code analysis techniques, and I'd rather we
> controlled our own ignore-ance from a position of knowledge.
>
> d.
>
>
> --- Ted Husted <hu...@apache.org> wrote:
>
> > There's a company that's been scanning open source project codebases
> > for static flaws. In November 2007, they announced that Java projects
> > are being added.
> >
> >  * http://www.coverity.com/html/press_story51_11_20_07.html
> >
> > There's been the odd email about using these projects foundation-wide,
> > possibly by running them locally. But the core service described by
> > this press release seems to be external.
> >
> > I couldn't find a list of Java projects on the website. The next step
> > seems to be to send an email to <sc...@coverity.com>.
> >
> > If we are not already on the list, my question is whether we would
> > like to opt-in now or not?
> >
> > My thought is that we might want to be proactive. In the alternative,
> > we are likely to find one day that Coverity has started to scan us
> > unilaterally, and then be surprised by a lot of new fixes to make.
> > Since Struts is an approved framework for several government agencies
> > (DoD, VA, and so forth), I would think that we would be on the short
> > list anyway.
> >
> > -Ted.
> >
> >
> >
>
>
>
>



-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd



Re: Coverity Scan

Posted by Dave Newton <ne...@yahoo.com>.
+1; I'm a huge fan of various code analysis techniques, and I'd rather we
controlled our own ignore-ance from a position of knowledge.

d.

--- Ted Husted <hu...@apache.org> wrote:

> There's a company that's been scanning open source project codebases
> for static flaws. In November 2007, they announced that Java projects
> are being added.
> 
>  * http://www.coverity.com/html/press_story51_11_20_07.html
> 
> There's been the odd email about using these projects foundation-wide,
> possibly by running them locally. But the core service described by
> this press release seems to be external.
> 
> I couldn't find a list of Java projects on the website. The next step
> seems to be to send an email to <sc...@coverity.com>.
> 
> If we are not already on the list, my question is whether we would
> like to opt-in now or not?
> 
> My thought is that we might want to be proactive. In the alternative,
> we are likely to find one day that Coverity has started to scan us
> unilaterally, and then be surprised by a lot of new fixes to make.
> Since Struts is an approved framework for several government agencies
> (DoD, VA, and so forth), I would think that we would be on the short
> list anyway.
> 
> -Ted.
> 
> 
> 

