what s coverity static analysis ever done for us
play

Whats Coverity static analysis ever done for us? Philip Withnall - PowerPoint PPT Presentation

Jan 17, 2023 •115 likes •236 views

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

  1. What’s Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER

  2. What is static analysis? Compile-time testing of all possible code paths. What’s Coverity static analysis ever done for us? 2

  3. What is Coverity Scan? Proprietary Free to use for open source projects A locally run tool and paired web service What’s Coverity static analysis ever done for us? 3

  4. What is Coverity Scan? What’s Coverity static analysis ever done for us? 4

  5. What is Coverity Scan? What’s Coverity static analysis ever done for us? 5

  6. Is it the best tool for the job? Mature support for triaging and dismissing false positives Wide use over many projects and active development Free to use Proprietary Submission rate limiting Should be used as one tool out of many What’s Coverity static analysis ever done for us? 6

  7. How have we been using Coverity? Jenkins + JHBuild Manually created Jenkins jobs Limited set of hand-picked ‘security critical’ modules E-mail notification of scan results Partial ownership by module maintainers No real comaintainership of the project What’s Coverity static analysis ever done for us? 7

  8. What impact has this had? Randall Munroe, https://xkcd.com/523/ , CC-BY-NC 2.5 What’s Coverity static analysis ever done for us? 8

  9. How is this useful? Find bugs in error paths Complements unit testing Find bugs in parsers and file loaders Find bugs before they are hit at runtime Jenkins won’t forget to run analyses like maintainers do What’s Coverity static analysis ever done for us? 9

  10. How is this not useful? Not reasonable to use as a try-server Initial dump of false positives when adding a project Problems with handling idiomatic C Jenkins + JHBuild is not the most reliable What’s Coverity static analysis ever done for us? 10

  11. How do I get involved? Talk to me; propose modules for inclusion into Jenkins Or go with Coverity yourself Or try other static analysis tools ( clang-analyzer ?) and let me know! What’s Coverity static analysis ever done for us? 11

  12. Miscellany Jenkins jobs https://jenkins.freedesktop.org/view/GNOME%20Coverity/ Coverity http://scan.coverity.com/ Wikipedia on static analysis https://en.wikipedia.org/wiki/Static_program_analysis Creative Commons Attribution-ShareAlike 4.0 International License Beamer theme: https://git.gnome.org/browse/presentation-templates/tree/GUADEC/2017 What’s Coverity static analysis ever done for us? 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

Datalog CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs Static Analysis Tools Black-box Testing/Fuzzing 2 Coverity: a Static Analysis Company 3 Bug Report From Coverity Actual bug Path

701 views • 59 slides
Static Analysis of Your OSS Project with Coverity LinuxCon EU 2015 Stefan Schmidt Samsung Open

Static Analysis of Your OSS Project with Coverity LinuxCon EU 2015 Stefan Schmidt Samsung Open

Static Analysis of Your OSS Project with Coverity LinuxCon EU 2015 Stefan Schmidt Samsung Open Source Group stefan@osg.samsung.com Samsung Open Source Group 1 Agenda Introduction Survey of Available Analysers Coverity Scan

455 views • 41 slides
Path Projection For User-Centered Static Analysis Tools Khoo Yit Phang , Jeff Foster, Michael

Path Projection For User-Centered Static Analysis Tools Khoo Yit Phang , Jeff Foster, Michael

Path Projection For User-Centered Static Analysis Tools Khoo Yit Phang , Jeff Foster, Michael Hicks, Vibha Sazawal University of Maryland PASTE 2008, November 10 1 Success in Static Analysis Coverity, Fortify, Grammatech, Klocwork, many others

895 views • 86 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity Oss-Fuzz Overview Continuous Fuzzing of our import filters Thanks to Google we get to use their infrastructure and resources

542 views • 26 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
ALICE experience using Coverity ALICE experience using Coverity Federico Carminati, Peter

ALICE experience using Coverity ALICE experience using Coverity Federico Carminati, Peter

ALICE experience using Coverity ALICE experience using Coverity Federico Carminati, Peter Hristov, Axel Naumann and Olga Datskova (CERN) presented by Olga Datskova (CERN, ALICE Offline) Ferrara, 04/07/2011 1 AliRoot framework AliRoot

377 views • 18 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
How to Pay for College Arizona Commission for Postsecondary Education Deena Lager, Director

How to Pay for College Arizona Commission for Postsecondary Education Deena Lager, Director

How to Pay for College Arizona Commission for Postsecondary Education Deena Lager, Director Arizona Student Financial Aid Programs and Arizona Family College Savings (529) Program www.az529.gov How to Pay for College AGENDA: Three Common

462 views • 19 slides
Harmful Interference in Ka-band Satellite Communications: Regulation vs Technical Advancement

Harmful Interference in Ka-band Satellite Communications: Regulation vs Technical Advancement

Harmful Interference in Ka-band Satellite Communications: Regulation vs Technical Advancement Dr. Symeon Chatzinotas Research Scientist in Satellite Communications 3rd Luxembourg Workshop on Space and Satellite Communications Law 5 June 2014,

446 views • 19 slides
SPLOST Citizens Review Committee October 9, 2009 Update Meeting Agenda Welcome Welcome

SPLOST Citizens Review Committee October 9, 2009 Update Meeting Agenda Welcome Welcome

SPLOST Citizens Review Committee October 9, 2009 Update Meeting Agenda Welcome Welcome 2005 and 2009 SPLOST Programs: 2005 and 2009 SPLOST Programs: Collections and Disbursements Collections and Disbursements Trends

517 views • 50 slides
Humanities Budget Presentation The View from 2017 Last Years Slide Understanding NEW Revenue

Humanities Budget Presentation The View from 2017 Last Years Slide Understanding NEW Revenue

Humanities Budget Presentation The View from 2017 Last Years Slide Understanding NEW Revenue Allocation: Opportunity and Risk 2016-17 Imaginary Imaginary (2016) Opportunity Risk NET Revenue Allocation $34,722,000 $36,000,000

486 views • 26 slides
Static Analysis For Improved Application Performance And Quality Eric Cloninger

Static Analysis For Improved Application Performance And Quality Eric Cloninger

Static Analysis For Improved Application Performance And Quality Eric Cloninger (ericc@motorola.com) Product Line Manager, Development Tools Motorola Mobility Housekeeping bit.ly bundle for all content - http://bitly.com/nwJ1Jj @ecmoto

401 views • 19 slides
ODOR WORKSHOP OCTOBER 17, 2017 INTRODUCTIONS Eric Oddo, PE Environmental Engineering Program

ODOR WORKSHOP OCTOBER 17, 2017 INTRODUCTIONS Eric Oddo, PE Environmental Engineering Program

ODOR WORKSHOP OCTOBER 17, 2017 INTRODUCTIONS Eric Oddo, PE Environmental Engineering Program Manager Keith Schmidt, PE Senior Civil Engineer Stephanie Ulmer Environmental Resources Specialist Jennifer Snyder Engineering Technician MEETING

467 views • 33 slides
ASCP Board of Certification Update CLEC 2019 Susan M. Harrington, PhD, D(ABMM), MLS(ASCP) CM

ASCP Board of Certification Update CLEC 2019 Susan M. Harrington, PhD, D(ABMM), MLS(ASCP) CM

ASCP Board of Certification Update CLEC 2019 Susan M. Harrington, PhD, D(ABMM), MLS(ASCP) CM Chair, Board of Governors BOC Who We Are The American Society for Clinical Pathology (ASCP) Board of Certification (BOC) is an independent

484 views • 33 slides
Electrical Conductivity Vanderbilt Student Volunteers for Science 2018-2019 VINSE/VSVS Rural Why

Electrical Conductivity Vanderbilt Student Volunteers for Science 2018-2019 VINSE/VSVS Rural Why

Electrical Conductivity Vanderbilt Student Volunteers for Science 2018-2019 VINSE/VSVS Rural Why is the science in this lesson important? Efficient and cost-effective alternatives to conventional conducting materials are being explored.

479 views • 19 slides

More recommend