Coverity coverage of OpenSSL?


Coverity coverage of OpenSSL?

Gary Grebus
Hi,

I recently started building OpenSSL 1.0.1c in one of our source pools
that is scanned with Coverity, and was surprised at the large number of
issues that were reported.   There was a significant increase even from
an earlier version we were using.

What is the status of OpenSSL with regard to Coverity coverage?  Are
there a large number of known false positives?  Is there any regular
activity to identify and fix real defects?

Thanks,
    Gary
---
Gary Grebus
Dell Inc. / EqualLogic Storage

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

RE: Coverity coverage of OpenSSL?

Salz, Rich
Perhaps if someone donated a license or two to the core team, they'd be interested in tracking changes.

As of now, it's sporadic, depending on interested parties to submit patches. (Including Coverity at times, IIRC)

         /r$

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA



Re: Coverity coverage of OpenSSL?

Ben Laurie
In reply to this post by Gary Grebus
On Tue, Dec 11, 2012 at 8:30 PM, Gary Grebus <[hidden email]> wrote:

> Hi,
>
> I recently started building OpenSSL 1.0.1c in one of our source pools
> that is scanned with Coverity, and was surprised at the large number of
> issues that were reported.   There was a significant increase even from
> an earlier version we were using.
>
> What is the status of OpenSSL with regard to Coverity coverage?  Are
> there a large number of known false positives?  Is there any regular
> activity to identify and fix real defects?

Coverity used to, and perhaps still do, run scans of OpenSSL, which we
had (have?) access to. I used to look at them and fix relevant ones,
but got irritated with the false positive level in the end.

If Coverity were interested in fixing their bugs, I might get
interested in looking at their reports again.

>
> Thanks,
>     Gary
> ---
> Gary Grebus
> Dell Inc. / EqualLogic Storage