Frequently Asked Questions (FAQ)
What is the Scan Ladder?
The Scan Ladder is a conceptual progression for open source code to advance towards being Coverity Clean. A project advances to each new rung on the ladder by dealing with the issues reported at its current rung.
What are the details about each rung?
See the Scan Ladder page.
Who can have access?
Access to the detailed analysis results is permitted only to members of scanned projects, partly to ensure that potential security issues can be resolved before the general public sees them.
Our approach is that of Responsible Disclosure. Because a portion of the defects discovered by the Scan could reveal exploitable security vulnerabilities, we provide the analysis results to project developers only and do not reveal details to the public until an issue has been fixed.
For a thorough discussion of Full Disclosure and Responsible Disclosure, see the comments by Bruce Schneier or Matt Blaze, or the Wikipedia article on Full Disclosure.
If you are a member of an open source project, and your project is already listed on the Scan Ladder, read the Developer FAQ then follow the Sign In link beside the entry for your project on the ladder.
If you are a member of an open source project, and your project is not already listed, read the Developer FAQ, then email scan-admin@coverity.com.
Can I get my project into the Scan?
The following are Coverity's guidelines for including projects in the Scan:
- Project licenses must meet the criteria described by the Open Source Initiative (http://www.opensource.org/docs/definition.php).
- Projects initiated and maintained by registered nonprofit organizations (of any nationality), individuals, or groups with no associated corporation are automatically eligible.
- Projects initiated and maintained by for-profit corporations, projects with licenses outside the OSI guidelines, and projects whose OSI-compliant licenses impose different conditions on different audiences are included at Coverity's discretion.
Why is Coverity giving the results away?
The Scan project began in collaboration with Stanford University. It started under a contract with the Department of Homeland Security to harden open source software which provides critical infrastructure for the Internet.
The result has been overwhelming. With over 6,000 defects fixed in the first year (averaging over 16 fixes every day of the year), recognition of the benefits of the Scan results has grown steadily. Requests for access to the results and for the inclusion of additional projects show that the open source community recognizes the benefits of the analysis.
In response, Coverity is dedicating resources to Scan beyond the requirements of the DHS contract. Many additional projects will have access to their analysis results this year. We will also include projects outside the scope of critical infrastructure, since preventing crashes and data loss is a worthwhile contribution in those codebases as well.
How is the Department of Homeland Security involved?
The Scan project started under a contract with DHS to harden open source software.
The National Cyberspace Strategy document details DHS's priorities to:
- Identify and Remediate Existing Vulnerabilities
- Develop Systems with Fewer Vulnerabilities and Assess Emerging Technologies for Vulnerabilities
Those priorities include sub-elements to:
- Secure the Mechanisms of the Internet
- Improve the Security and Resilience of Key Internet Protocols
- Reduce and Remediate Software Vulnerabilities
- Assess and Secure Emerging Systems
DHS has no day-to-day involvement in the Scan project.
What is static analysis?
Static analysis is a set of processes for finding source code flaws.
In static analysis, the code under examination is not executed. As a result, test cases and specially designed input datasets are not required. Examination for defects is not limited to the lines of code that happen to run during some number of executions of the program; it can cover every line of code in the codebase.
Additionally, Coverity's implementation of static analysis in Prevent can follow all the possible paths of execution through the source code and find defects that arise from the combination of statements that are each correct in isolation.
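To make the path-sensitivity point concrete, here is an added example written for this FAQ; it is not code from Coverity Prevent or from any scanned project. A lookup function may return NULL, and a caller dereferences the result only on one combination of paths (lookup failed and the audit flag is set), so no single line is wrong by itself. The hardened version handles the NULL path before the dereference. The session table, the function names and the log line format are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed session table (example data, not from any real system). */
struct session { int id; const char *user; };
static const struct session table[] = { { 1, "alice" }, { 2, "bob" } };

/* Returns the session with the given id, or NULL when there is none. */
static const struct session *lookup(int id) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].id == id)
            return &table[i];
    return NULL;
}

/* BEFORE: every statement is fine on its own. The audit flag and the
 * result of lookup() are independent, so on the path where lookup()
 * returns NULL *and* audit is set, `s->user` dereferences NULL. Only an
 * analysis that tracks the NULL result along that particular path sees
 * the defect; neither line is wrong in isolation. */
static int audit_line_unsafe(int id, int audit, char *out, size_t cap) {
    const struct session *s = lookup(id);
    if (!audit)
        return 0;                           /* nothing to log */
    return snprintf(out, cap, "audit id=%d user=%s", id, s->user);
}

/* AFTER: the NULL path is handled before the dereference, and an
 * unknown id is reported in the log line instead of crashing the caller. */
static int audit_line_safe(int id, int audit, char *out, size_t cap) {
    const struct session *s = lookup(id);
    if (!audit)
        return 0;
    if (s == NULL)
        return snprintf(out, cap, "audit id=%d user=<unknown>", id);
    return snprintf(out, cap, "audit id=%d user=%s", id, s->user);
}

/* Helper: formats with the hardened function and compares to `expect`.
 * Returns 1 on a match (or when both produce nothing), 0 otherwise. */
static int safe_line_equals(int id, int audit, const char *expect) {
    char buf[64];
    int n = audit_line_safe(id, audit, buf, sizeof buf);
    if (n <= 0)
        return expect[0] == '\0';
    return strcmp(buf, expect) == 0;
}

/* Helper: the unsafe variant is only ever called here with a known id,
 * which is the path on which it happens to work. */
static int unsafe_line_equals(int id, const char *expect) {
    char buf[64];
    int n = audit_line_unsafe(id, 1, buf, sizeof buf);
    return n > 0 && strcmp(buf, expect) == 0;
}

int main(void) {
    char line[64];
    if (audit_line_safe(1, 1, line, sizeof line) > 0) puts(line);
    if (audit_line_safe(99, 1, line, sizeof line) > 0) puts(line);
    return 0;
}
```

Build and run it with any C compiler (for example `cc -Wall example.c && ./a.out`); the program prints one line for a known id and one for an unknown id. The unsafe variant is kept only to show the shape of the defect and is never called with an unknown id here.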
What types of issues does the tool find?
Some examples of the defects include:
- leaked resources
- references to pointers that could be NULL
- references to pointers that are guaranteed to be NULL
- use of uninitialized data
- array overruns
- unsafe use of signed values
- use of resources that have been freed
The consequences of each type of defect are dependent on the specific instance. For example, unsafe use of signed values may cause crashes, lead to unexpected behavior, or lead to an exploitable security vulnerability.
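As an added illustration of the "unsafe use of signed values" and "array overruns" entries above (example code written for this FAQ, not from Coverity or from any scanned project), the parser below reads a signed length field from a small message format. The first version's bound check only rejects lengths that are too large, so a negative length slips through and becomes a huge size_t in memcpy; the second version rejects negative lengths explicitly and also checks that the declared payload is actually present. The wire format, the MAX_PAYLOAD constant and the sample messages are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64

/* Constructed wire format for the example (not a real protocol): a
 * 4-byte big-endian signed length followed by that many payload bytes. */
struct record {
    int32_t len;
    unsigned char data[MAX_PAYLOAD];
};

/* Decodes the big-endian length field. Values above INT32_MAX wrap to
 * negative on the usual two's-complement platforms. */
static int32_t read_be32(const unsigned char *p) {
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)v;
}

/* BEFORE: the bound check only catches lengths that are too large. A
 * negative length passes `len > MAX_PAYLOAD`, then converts to a huge
 * size_t in memcpy and overruns r->data: the "unsafe use of signed
 * values" defect leading directly to an "array overrun". */
static int parse_record_unsafe(const unsigned char *msg, size_t msglen,
                               struct record *r) {
    if (msglen < 4)
        return -1;
    int32_t len = read_be32(msg);
    if (len > MAX_PAYLOAD)
        return -1;                          /* never rejects len < 0 */
    r->len = len;
    memcpy(r->data, msg + 4, len);          /* negative len -> huge size_t */
    return 0;
}

/* AFTER: reject negative lengths explicitly, and require that the
 * declared payload is really present in the buffer before copying. */
static int parse_record_safe(const unsigned char *msg, size_t msglen,
                             struct record *r) {
    if (msglen < 4)
        return -1;
    int32_t len = read_be32(msg);
    if (len < 0 || len > MAX_PAYLOAD)
        return -1;
    if ((size_t)len > msglen - 4)
        return -1;
    r->len = len;
    memcpy(r->data, msg + 4, (size_t)len);
    return 0;
}

/* Constructed sample messages: one valid, one with a negative length,
 * one with an oversized length, one whose payload is truncated. */
static const unsigned char msg_ok[]        = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char msg_negative[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'x', 'y' };
static const unsigned char msg_oversized[] = { 0, 0, 1, 0, 'x', 'y' };
static const unsigned char msg_truncated[] = { 0, 0, 0, 9, 'a', 'b' };

/* Runs the hardened parser over all samples; returns how many it accepts. */
static int count_accepted(void) {
    struct record r;
    int n = 0;
    n += parse_record_safe(msg_ok, sizeof msg_ok, &r) == 0;
    n += parse_record_safe(msg_negative, sizeof msg_negative, &r) == 0;
    n += parse_record_safe(msg_oversized, sizeof msg_oversized, &r) == 0;
    n += parse_record_safe(msg_truncated, sizeof msg_truncated, &r) == 0;
    return n;
}

/* Parses msg_ok with the hardened parser and returns its payload length. */
static int ok_payload_len(void) {
    struct record r;
    return parse_record_safe(msg_ok, sizeof msg_ok, &r) == 0 ? r.len : -1;
}

/* The unsafe parser is only exercised on the well-formed sample, where
 * it behaves correctly; the negative-length sample is never passed to it. */
static int unsafe_accepts_valid(void) {
    struct record r;
    return parse_record_unsafe(msg_ok, sizeof msg_ok, &r) == 0;
}

int main(void) {
    printf("hardened parser accepted %d of 4 sample messages\n", count_accepted());
    return 0;
}
```

Only the well-formed sample survives the hardened parser; the negative, oversized and truncated messages are all rejected before any copy happens. Note that the check `len < 0` is what makes the difference: comparing a signed value against a constant upper bound alone says nothing about its lower bound.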
How can I get this tool for use on my non-open-source codebase?
Coverity Prevent is a commercial software product. More information is available on the Coverity Web page, or you can contact the sales department.