Subject: Re: [boost] Coverity Static Code Analysis
From: Michael Fawcett (michael.fawcett_at_[hidden])
Date: 2009-02-04 11:45:03
On Wed, Feb 4, 2009 at 11:23 AM, John Maddock <john_at_[hidden]> wrote:
> I guess we would need a team of people willing to triage issues flagged up
> and then make contact with the appropriate library author: I'm guessing that
> while they cannot reveal the exact information provided by coverity they
> could say "there appears to be a potential buffer overrun on line #, can you
> please look into it?".
I didn't see a limit on the number of project members you could sign
up, so potentially all library authors could be members.
From here: http://scan.coverity.com/faq.html#who
"Who can have access?
Access to the detailed analysis results is permitted only to members
of scanned projects, partially in order to ensure that potential
security issues may be resolved before the general public sees them.
Our approach is that of Responsible Disclosure. We provide the
analysis results to project developers only, and do not reveal details
to the public until an issue has been fixed. A portion of the defects
discovered by the Scan could reveal exploitable security
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk