Coverity Scan: Would/Did It Catch the Heartbleed Defect?

Coverity Scan: Would/Did It Catch the Heartbleed Defect?

Tom Browder
Is OpenSSL participating in the Coverity free scanning program for
open source software?  If not, it might have caught the Heartbleed
bug.  If so, why did it miss it?

See this link for the latest report on open source statistics:

  http://softwareintegrity.coverity.com/register-for-scan-report-2013.html

Kind regards,

-Tom
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Coverity Scan: Would/Did It Catch the Heartbleed Defect?

Hanno Böck-4
On Wed, 16 Apr 2014 05:25:58 -0500
Tom Browder <[hidden email]> wrote:

> Is OpenSSL participating in the Coverity free scanning program for
> open source software?

Don't know.

> If not, it might have caught the Heartbleed
> bug.

No.
http://blog.regehr.org/archives/1128


--
Hanno Böck
http://hboeck.de/

mail/jabber: [hidden email]
GPG: BBB51E42


Re: Coverity Scan: Would/Did It Catch the Heartbleed Defect?

Tom Browder
On Wed, Apr 16, 2014 at 5:38 AM, Hanno Böck <[hidden email]> wrote:
> On Wed, 16 Apr 2014 05:25:58 -0500
> Tom Browder <[hidden email]> wrote:
>
>> Is OpenSSL participating in the Coverity free scanning program for
>> open source software?
...

Thanks for the link, Hanno!

Regards,

-Tom

Re: Coverity Scan: Would/Did It Catch the Heartbleed Defect?

Stefan H. Holek
In reply to this post by Tom Browder
No, Coverity did not catch Heartbleed.

http://security.coverity.com/blog/2014/Apr/on-detecting-heartbleed-with-static-analysis.html


On 16.04.2014, at 12:25, Tom Browder wrote:

> Is OpenSSL participating in the Coverity free scanning program for
> open source software?  If not, it might have caught the Heartbleed
> bug.  If so, why did it miss it?
>
> See this link for the latest report on open source statistics:
>
>  http://softwareintegrity.coverity.com/register-for-scan-report-2013.html
>
> Kind regards,
>
> -Tom

--
Stefan H. Holek
[hidden email]


RE: Coverity Scan: Would/Did It Catch the Heartbleed Defect?

Floodeenjr, Thomas
Klocwork seems to have caught it:

http://www.klocwork.com/blog/software-security/saving-you-from-heartbleed/?mkt_tok=3RkMMJWWfF9wsRolva7JZKXonjHpfsX56%2B4tX6CwlMI%2F0ER3fOvrPUfGjI4FTsZrI%2BSLDwEYGJlv6SgFSrbAMah1ybgNUxE%3D


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stefan H. Holek
Sent: Friday, April 18, 2014 10:09 AM
To: [hidden email]
Subject: Re: Coverity Scan: Would/Did It Catch the Heartbleed Defect?

No, Coverity did not catch Heartbleed.

http://security.coverity.com/blog/2014/Apr/on-detecting-heartbleed-with-static-analysis.html


On 16.04.2014, at 12:25, Tom Browder wrote:

> Is OpenSSL participating in the Coverity free scanning program for
> open source software?  If not, it might have caught the Heartbleed
> bug.  If so, why did it miss it?
>
> See this link for the latest report on open source statistics:
>
>  http://softwareintegrity.coverity.com/register-for-scan-report-2013.html
>
> Kind regards,
>
> -Tom

--
Stefan H. Holek
[hidden email]


Re: Coverity Scan: Would/Did It Catch the Heartbleed Defect?

Jeffrey Walton-3
On Fri, Apr 18, 2014 at 12:24 PM, Floodeenjr, Thomas
<[hidden email]> wrote:
> Klocwork seems to have caught it:
>
> http://www.klocwork.com/blog/software-security/saving-you-from-heartbleed/?mkt_tok=3RkMMJWWfF9wsRolva7JZKXonjHpfsX56%2B4tX6CwlMI%2F0ER3fOvrPUfGjI4FTsZrI%2BSLDwEYGJlv6SgFSrbAMah1ybgNUxE%3D
>
It looks like it was caught with hand tuning; and not out of the box.

If hand tuning is OK, then it looks like Coverity also caught it.

RE: Coverity Scan: Would/Did It Catch the Heartbleed Defect?

Floodeenjr, Thomas
Yes, I suppose it is easier to look for something, after you already know what to look for. ;)

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Jeffrey Walton
Sent: Friday, April 18, 2014 11:16 AM
To: OpenSSL Users List
Subject: Re: Coverity Scan: Would/Did It Catch the Heartbleed Defect?

On Fri, Apr 18, 2014 at 12:24 PM, Floodeenjr, Thomas <[hidden email]> wrote:
> Klocwork seems to have caught it:
>
> http://www.klocwork.com/blog/software-security/saving-you-from-heartbleed/?mkt_tok=3RkMMJWWfF9wsRolva7JZKXonjHpfsX56%2B4tX6CwlMI%2F0ER3fOvrPUfGjI4FTsZrI%2BSLDwEYGJlv6SgFSrbAMah1ybgNUxE%3D
>
It looks like it was caught with hand tuning; and not out of the box.

If hand tuning is OK, then it looks like Coverity also caught it.