Re: C++ static analysis tools for CII badge
Thanks again for the very helpful replies!
Daniel and David, you've both clarified the essential point: analysis tools detect errors or potentially error-prone code which only become identified vulnerabilities in larger contexts. Most of the projects in the ASWF domain are used for making images, typically in environments that are not open to general network access or arbitrary inputs from untrusted users. As far as I'm aware, there are no existing published vulnerabilities (e.g. CVSS scored examples) from these projects. This is partly why our community seems to be struggling a little to know how to adhere to the spirit of the CII badging requirements.
So... we can't map CVSS medium and high to any specific set of analysis checks or even particular coding errors. But we'd still like to be able to provide some good-practice examples of specific analysis configurations for our projects to follow.
Looking at the curl example, and specifically the clang-tidy checks:
This appears to be just running the default set of clang-tidy checks with a few globally disabled to avoid false positives. Similarly, the lgtm config seems to be just the default. These would be very easy to add for our projects. Is this a reasonable setup to guide our community?