Re: C++ static analysis tools for CII badge

David A. Wheeler

On Thu, 10 Jan 2019, Daniel Heckenberg wrote:
A very specific CII badge aspect is that detection and timely remedy of CVSS
v2 medium and high severity issues is required.  Coverity seems to
have a report generator which performs this, but I haven't seen any
direct or automatic way to map other C/C++ analysis tool outputs to
CVSS scores.  How is this usually done?
Daniel Stenberg:
I don't know about "usually", but I can tell you how we do it in curl (which incidentally also matches what I see in several other C/C++ projects).
In the curl project we run several static code analyzers, fuzzers etc on the code *before release* and we fix the issues we find, meaning that whatever these tools find typically never causes any CVSS scores at all. We fix those problems before release.
The security flaws we do get reported are thus typically found by others (or by tests that run outside of our CI infra) or by our own developers on released code. They're not issued automatically by anyone and they're received and dealt with by humans.
I think that is the usual case. Use tools & tests so potential problems can be found & fixed before release. Since they aren't in a release, those potential problems do not normally get CVSS scores. Nowadays people often make continuous changes to a git master branch, and then use various ways to release it (put it in a package manager distro, tag it, and/or merge it into a production branch).

If a vulnerability is found in a *released* version of the software, organizations like NIST typically do the CVSS scoring for you. You can also calculate the CVSS score yourself; the CVSS base score is easy to figure out. The reason the criteria use the CVSS score is to ensure that at least the *important* vulnerabilities get fixed relatively quickly once they are known publicly, to reduce the risk to people using that software.

One point that may not be obvious: tool findings are not necessarily vulnerabilities. Many tools are based on heuristics, and they do not "know" the larger environment & expectations.

Hope that helps!

--- David A. Wheeler
