oss-sec mailing list archives
Re: Security vulnerability tools
From: Corey Bryant <coreyb () linux vnet ibm com>
Date: Wed, 27 Mar 2013 17:31:02 -0400
On 03/27/2013 04:31 PM, Russ Allbery wrote:
Corey Bryant <coreyb () linux vnet ibm com> writes:Clang ----- Static analysis tool for C/C++Clang is, properly speaking, a compiler. It happens to also have a static analyzer available as part of the same code base. If you're going to mention Clang, it's probably also pointing out that good old GCC has very extensive warning flags that can, among other things, find possible security vulnerabilities by locating variables that are used before being set, dangerous printf formats, mismatches between printf formats and arguments, and so forth. For example, I currently use: WARNINGS = -g -O -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wendif-labels \ -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement \ -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align \ -Wwrite-strings -Wjump-misses-init -Wlogical-op \ -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls \ -Wnested-externs -Werror with GCC (4.6 or later) with all of my software. Many of those are not security-related, of course, but -Wformat=2 certainly is, and some of the -Wall and -Wextra warnings are as well.
Great, thanks for the input. I don't see any reason to not include gcc warning options.
-- Regards, Corey Bryant
Current thread:
- Security vulnerability tools Corey Bryant (Mar 27)
- Re: [kernel-hardening] Security vulnerability tools Tim Brown (Mar 27)
- Re: Re: [kernel-hardening] Security vulnerability tools Corey Bryant (Mar 27)
- Re: Re: [kernel-hardening] Security vulnerability tools Steve Grubb (Mar 28)
- Re: Re: [kernel-hardening] Security vulnerability tools Tim Brown (Mar 28)
- Re: Re: [kernel-hardening] Security vulnerability tools Corey Bryant (Mar 27)
- Re: [kernel-hardening] Security vulnerability tools Tim Brown (Mar 27)
- Re: Security vulnerability tools Solar Designer (Mar 27)
- Re: [kernel-hardening] Re: Security vulnerability tools Corey Bryant (Mar 27)
- Re: Security vulnerability tools Solar Designer (Mar 28)
- Re: [kernel-hardening] Re: Security vulnerability tools Corey Bryant (Mar 27)
- Re: Security vulnerability tools Russ Allbery (Mar 27)
- Re: Security vulnerability tools Corey Bryant (Mar 27)
- Re: Security vulnerability tools Murray McAllister (Mar 27)
- Re: Security vulnerability tools Andreas Ericsson (Mar 28)
- Re: Security vulnerability tools Corey Bryant (Mar 29)
- Re: Re: Security vulnerability tools Raphael Geissert (Mar 29)