Re: C++ static analysis tools for CII badge

Kevin W. Wall

On Wed, Jan 9, 2019 at 3:24 PM Daniel Heckenberg
<@dheck> wrote:

Hello!

Are there any existing resources that demonstrate an automated static analysis
of C++ code for CII badge requirements? I'm hoping for something like a
specific set of clang-tidy checks that covers the CVSS v2 medium and high
severity vulnerabilities.

Background:
I'm the current chair of the TAC for the recently formed Academy Software Foundation
https://www.aswf.io/
We're hoping to assist our projects to achieve CII badges by providing
examples of static analysis for C++ projects that can be incorporated in
normal build processes, as well as our CI systems.

Daniel,

The DHS SWAMP (https://www.dhs.gov/science-and-technology/csd-swamp)
might have some things. I recall talking to Kevin Greene (BCC'd) at an
AppSec USA conference maybe 3 or 4 years ago and I seem to recall that
they had some stuff for C and C++. Not sure if / how well it supports
Continuous Integration though. (Also, I'm not sure that Kevin is still
at DHS, but if he is, perhaps he will reply to you.)

On the commercial side, there are things like Microfocus' Fortify,
which is a SAST tool that does a pretty good job identifying lots of
vulnerabilities in both C and C++. It's a mature product and I have
used it for some sizeable (5M LOC) C++ projects.

Hope that helps.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
