Re: C++ static analysis tools for CII badge
Kevin W. Wall
On Wed, Jan 9, 2019 at 3:24 PM Daniel Heckenberg
The DHS SWAMP (https://www.dhs.gov/science-and-technology/csd-swamp)
might have some things. I recall talking to Kevin Greene (BCC'd) at an
AppSec USA conference maybe 3 or 4 years ago and I seem to recall that
they had some stuff for C and C++. Not sure if / how well it supports
Continuous Integration though. (Also, I'm not sure that Kevin is still
at DHS, but if he is, perhaps he will reply to you.)
On the commercial side, there are things like Micro Focus' Fortify,
which is a SAST tool that does a pretty good job identifying lots of
vulnerabilities in both C and C++. It's a mature product and I have
used it for some sizeable (5M LOC) C++ projects.
Hope that helps.
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.