From: Grzegorz J. <ja...@he...> - 2004-02-24 01:28:35

Markus,

I had a quick look at these tools, this is what I found:

* AntiC/Jlint: webpage [http://www.ispras.ru/~knizhnik/jlint/ReadMe.htm], a kind of lint for C++ and Java.
* BLAST: cannot find it, Wikipedia has a link to a package in computational biology called BLAST, but apparently this is not this BLAST.
* BOON: "BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code. (...) BOON has many serious limitations and defects, and it is not for the faint of heart." [http://www.cs.berkeley.edu/~daw/boon/]
* Broadway: Looks like it handles C only. It seems non-free. [http://www.cs.utexas.edu/users/emery/]
* CQual: "A tool for adding type qualifiers to C." [http://sourceforge.net/projects/cqual/]
* DAEDALUS: I am not sure how we can use this software, also I don't see a link to source code. [http://www.di.ens.fr/~cousot/projects/DAEDALUS/synthetic_summary/index.shtml]
* ESC/Java: for Java. [http://research.compaq.com/SRC/esc/]
* Flawfinder: "(...) program that examines source code and reports possible security weaknesses." [http://www.dwheeler.com/flawfinder/] Looks like it handles C only.
* MOPS: commercial. [http://www.mops.fu-berlin.de/Products.htm]
* SLAM: "This tool uses model checking to verify predicates of a boolean program generated from a C program" [from the summary at VFiasco project site]
* Smatch: "Smatch is C source checker but mainly focused [on] checking the Linux kernel code." [http://smatch.sourceforge.net/]
* Splint: "Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes." [http://www.splint.org/]

On Mon, 23 Feb 2004, SF Markus Elfring wrote:

> 1. sharing and reusing ideas (=> code)

I am not aware of idea diffusion between these projects and OpenC++. If you think there are good ideas there that are applicable to OpenC++ now, please discuss them here.
If you think OpenC++ ideas can be reused by these projects, please advertise OpenC++ to them and let me know if they decide to use/reuse OpenC++.

> 2. Was your code ever checked by such tools?

It looks like only AntiC is applicable. I am not aware of anybody running OpenC++ source through it. Usually linting sources is much more work than just running the program --- you get lots of spurious messages and you have to read through them and work around them. Moreover, running a lint tool once has only limited impact, as with time the code picks up new dirt. So to get the real value out of linting you need to include it in the development process, i.e. add to makefiles, install lint tool on CompileFarm, convince people to run it on a regular basis (e.g. before release) and keep pinging them if they don't.

This is a lot of work and I don't think that it brings as much value at the moment. The work invested in linting could be spent much better, e.g. on templates support. However, as always I am open to discussion: if you still think that OpenC++ project needs linting, please do some more advertising/convincing on this list (and volunteer to implement the process and be a lint guardian :-).

Thanks for your input
Grzegorz

##################################################################
# Grzegorz Jakacki                   Huada Electronic Design     #
# Senior Engineer, CAD Dept.         1 Gaojiayuan, Chaoyang      #
# tel. +86-10-64365577 x2074         Beijing 100015, China       #
# Copyright (C) 2003 Grzegorz Jakacki, HED. All Rights Reserved. #
##################################################################