Secure Coding mailing list archives

Interesting tidbit in iDefense Security Advisory 06.26.07


From: dwheeler at ida.org (David A. Wheeler)
Date: Thu, 28 Jun 2007 10:17:02 -0400

In this discussion:
| This is a perfect example of how a source code analysis tool failed,
| because you let a developer tell it to NOT scan it. :) I wonder if
| there are flags like that in Fortify?
There are flags like that in *every* source code scanner I know of.  The
state of the art is just not at a point where you don't need a way to
turn off warnings for false positives.

That's exactly right, unfortunately.  To compensate for the problem of
people inserting bad ignore directives, many scanning tools _also_
include an "ignore the ignores" command.  For example, flawfinder has a
--neverignore (-n) flag that "ignores the ignore command".  I believe
that such an option ("ignore ignores") is critically necessary for any
tool that has "ignore" directives, to address this very problem.

If you couldn't insert "ignore" directives, many people wouldn't use
such tools at all, and would release code with vulnerabilities that
WOULD be found by such tools.

--- David A. Wheeler
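As an added illustration of the two behaviours the message describes (this is example code, not part of the post and not flawfinder itself): a toy Python scanner that honours a same-line `Flawfinder: ignore` comment, plus a never-ignore mode in the spirit of flawfinder's `--neverignore` / `-n` that reports the suppressed hits anyway so they can be audited. The list of risky functions, the `Hit` type, the `scan`/`suppressed_hits`/`report` helpers and the sample C file are all constructed here; flawfinder's real ruleset, directive parsing and output format differ.

```python
"""Toy scanner with flawfinder-style ignore directives (added example).

Not flawfinder and not code from the post. It mimics two behaviours the
message describes: a same-line "Flawfinder: ignore" comment suppresses a
hit, and a never-ignore mode (flawfinder's --neverignore / -n) reports
suppressed hits anyway so the suppressions can be reviewed. The
risky-function list and the sample C input are constructed for this demo.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed subset of risky C functions (assumption: flawfinder's real
# ruleset is far larger and assigns a risk level to each hit).
RISKY = {
    "strcpy": "unbounded copy; use a bounded copy with an explicit limit",
    "gets": "no length limit at all; use fgets",
    "sprintf": "unbounded formatting into a buffer; use snprintf",
}

CALL_RE = re.compile(r"\b(" + "|".join(RISKY) + r")\s*\(")
# flawfinder honours a comment containing "Flawfinder: ignore" (or the
# older "ITS4: ignore") on the same line as the hit; we do the same.
IGNORE_RE = re.compile(r"(Flawfinder|ITS4):\s*ignore", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    func: str
    suppressed: bool   # True when an ignore directive sits on the line
    text: str


def scan(source: str, never_ignore: bool = False) -> List[Hit]:
    """Return hits; honour ignore directives unless never_ignore is set."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m:
            continue
        suppressed = bool(IGNORE_RE.search(line))
        if suppressed and not never_ignore:
            continue          # the developer told the tool to skip this
        hits.append(Hit(n, m.group(1), suppressed, line.strip()))
    return hits


def suppressed_hits(source: str) -> List[Hit]:
    """The 'ignore the ignores' view: only the hits a directive is hiding."""
    return [h for h in scan(source, never_ignore=True) if h.suppressed]


def report(hits: List[Hit]) -> str:
    """Plain-text report, one hit per entry, flagging suppressed ones."""
    lines = []
    for h in hits:
        tag = " [SUPPRESSED]" if h.suppressed else ""
        lines.append(f"{h.line_no}: {h.func}{tag}: {RISKY[h.func]}\n    {h.text}")
    return "\n".join(lines)


# Constructed sample: lines 4 and 10 carry ignore directives, line 7 does not.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
void copy(char *dst, const char *src) {
    strcpy(dst, src);                  /* Flawfinder: ignore */
}
void read_name(char *buf) {
    gets(buf);
}
void fmt(char *out, int n) {
    sprintf(out, "%d", n); /* Flawfinder: ignore -- nobody reviewed this */
}
"""

if __name__ == "__main__":
    print("== default run (honours directives) ==")
    print(report(scan(SAMPLE_C)))
    print("== never-ignore run ==")
    print(report(scan(SAMPLE_C, never_ignore=True)))
    print("== suppressed only (audit this list) ==")
    print(report(suppressed_hits(SAMPLE_C)))
```

The default run reports only the `gets` call; the never-ignore run brings back the `strcpy` and `sprintf` hits marked `[SUPPRESSED]`. The suppressed-only list is the one to gate on in review: each entry should carry a justification in the comment, and running the never-ignore mode periodically (with real flawfinder, `flawfinder --neverignore`) catches a directive that is quietly hiding a genuine finding.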
