Posted to dev@cloudstack.apache.org by Animesh Chaturvedi <an...@citrix.com> on 2012/11/20 19:36:53 UTC
Static Analysis Tools
Folks
I want to get your opinion on using static analysis tools like PMD for CloudStack to catch some of the bugs early on. Maven has a plugin for PMD http://maven.apache.org/plugins/maven-pmd-plugin/
Thanks
Animesh
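As an added illustration (not part of the thread), here is a pom.xml fragment wiring the maven-pmd-plugin into the build so that the check goal fails the build on violations instead of only producing a report. The ruleset paths assume the PMD 5 layout bundled with plugin 3.x, the targetJdk value is an assumption, and the plugin version is omitted so Maven resolves its current release.

```xml
<!-- Added example, not from the thread: a pom.xml build section that runs PMD as a gate. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-pmd-plugin</artifactId>
      <!-- version deliberately omitted here; pin it in pluginManagement in a real build -->
      <configuration>
        <!-- Java source level PMD should parse (assumed value) -->
        <targetJdk>1.6</targetJdk>
        <!-- ruleset paths assume the PMD 5 layout shipped with plugin 3.x -->
        <rulesets>
          <ruleset>/rulesets/java/basic.xml</ruleset>
          <ruleset>/rulesets/java/unusedcode.xml</ruleset>
          <ruleset>/rulesets/java/imports.xml</ruleset>
        </rulesets>
        <!-- only violations at this priority or higher (1 = highest) fail the build -->
        <failurePriority>2</failurePriority>
        <!-- 'check' aborts the build when violations remain; the plain 'pmd' goal only reports -->
        <failOnViolation>true</failOnViolation>
        <!-- echo the failing violations into the build log so the cause is visible -->
        <printFailingErrors>true</printFailingErrors>
      </configuration>
      <executions>
        <execution>
          <id>pmd-gate</id>
          <!-- 'check' binds to the verify phase by default, so 'mvn verify' runs it -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, mvn verify fails when violations at priority 2 or higher remain; declaring the same plugin's pmd goal under the reporting section instead produces the site report without gating the build.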
Re: Static Analysis Tools
Posted by Sebastien Goasguen <ru...@gmail.com>.
Sonar analysis of Cloudstack is also available via nemo portal at:
http://nemo.sonarsource.org/dashboard/index/org.apache.cloudstack:cloudstack
-sebastien
RE: Static Analysis Tools
Posted by Animesh Chaturvedi <an...@citrix.com>.
David
Thanks for the link. Sonar is more of a platform and uses PMD, FindBugs, CheckStyle etc. as plugins. Looks like in this installation it is using FindBugs. Can you or someone confirm?
Thanks
Animesh
Re: Static Analysis Tools
Posted by John Kinsella <jl...@stratosec.co>.
Yes. https://my.fortifyondemand.com/login.jsp ;)
For those who want to become part of the ACS security team, contact the PPMC. We don't have a formal process to accept new members, but I do want to manage who has access in case of sensitive info in the future.
Stratosec (http://stratosec.co/) - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella (http://twitter.com/johnlkinsella)
RE: Static Analysis Tools
Posted by Demetrius Tsitrelis <De...@citrix.com>.
At the conference you showed a URL with the results. Is that publicly available?
RE: Static Analysis Tools
Posted by Animesh Chaturvedi <an...@citrix.com>.
Agreed
Re: Static Analysis Tools
Posted by John Kinsella <jl...@stratosec.co>.
My bad for misinterpretation. :) Coverity for a while actually did try to market themselves as a security product... yeah, they still have their "Security Advisor" product. That said, I wouldn't say it's what they're known for, either. ;)
Anyways - yeah if we can have a system that points out common software defects, I can't think of a reason not to use it.
It'll help improve security as a side effect as well, as many security defects are related to some type of software defect...
John
RE: Static Analysis Tools
Posted by Animesh Chaturvedi <an...@citrix.com>.
John
Agreed to your points on limiting exposure to security vulnerability, but Coverity is not known for security analysis. I am not advocating any tool in particular; the intent is more to catch bugs early on.
Thanks
Animesh
Re: Static Analysis Tools
Posted by John Kinsella <jl...@stratosec.co>.
Allow me to clarify my previous statement - Fortify has such a program, as well, and they've given me a license to scan ACS for this purpose.
What you run into with this is I don't think you want a security scanner as part of the build process, for several reasons:
* They're slow.
* Unless a human reviews the results, they're pretty much useless. So you're just burning CPU cycles.
* If an issue is found, I don't think we want it publicly available on something like Jenkins, but to be reviewed and handled by a security team (which for now is the PPMC) and then announce it in a controlled manner.
Happy to discuss these points at any level of detail, or add people to the security team if there's interest. :)
John
ps we've been meaning to have a security discussion on the list, I suspect this thread will accelerate that...
RE: Static Analysis Tools
Posted by Animesh Chaturvedi <an...@citrix.com>.
I have used Coverity in the past for commercial projects with very good success. I did a quick Google search and it looks like Coverity has a program for open source software quality which can potentially be leveraged for CloudStack. Here is the link: http://scan.coverity.com/getting-started.html
Re: Static Analysis Tools
Posted by John Kinsella <jl...@stratosec.co>.
Additionally I (and others) run ACS through Fortify Source Code Analyzer. Personally I think findbugs is a bit of a toy, but anything helps...
John
Re: Static Analysis Tools
Posted by David Nalley <da...@gnsa.us>.
So we have Sonar (analysis.apache.org) sorta in place - doesn't mean
we can't do something else, but this exists.
https://analysis.apache.org/dashboard/index/100206
--David