Re: tar + cpio - covscan issues

From: Paul Eggert
Subject: Re: tar + cpio - covscan issues
Date: Fri, 16 Apr 2021 11:56:05 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1

On 4/16/21 1:02 AM, Kamil Dudka wrote:
> We have to (re)verify the software that we distribute in the end.
>
> I am reading your responses as "upstream is not going to change anything". We
> will have to find some ways to deduplicate and record these false positives on
> our side then.

Another possibility would be to libraryize Gnulib, scan that library once and record its false positives on your side once, and then change Gnulib-using packages to use that library instead of their in-source Gnulib copies. This would also be some work on your side, but it might fit better into your workflow.

One qualm I have with this idea is that whole-program static analysis can do a better job than per-module static analysis. But you're already giving up on whole-program analysis with the other libraries, and adding one more library to the mix shouldn't hurt much.
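The deduplication Kamil describes (recording a Gnulib false positive once and recognising it again in every package that vendors the same file) can be done on the distributor's side without touching the packages. The script below is an added example written for this page; it is not code from tar, cpio, Gnulib, covscan or the thread. The finding tuples are constructed sample data, not real scanner output, and the set of vendoring directory names (`gnu`, `gnulib`, `lib`) is an assumption about how packages lay out their Gnulib copies. A finding in a vendored Gnulib file gets a fingerprint that ignores the package name and the line number (so tar's and cpio's copies, and different Gnulib snapshots, collapse to one entry); a finding in package-specific code keeps the package in its key so it is never merged.

```python
"""Fingerprint static-analysis findings so that a false positive in a vendored
Gnulib file is recorded once and suppressed in every package that carries
the same file.  Added example; not project code.  Input format is constructed.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample findings (NOT real scanner output):
# (package, path, line, checker, function, message)
FINDINGS = [
    ("tar-1.34",  "tar-1.34/gnu/regexec.c",   1234, "OVERRUN",       "re_search_internal", "Overrunning array of 16 bytes"),
    # Same defect in cpio's older Gnulib snapshot, where the code sits on another line.
    ("cpio-2.13", "cpio-2.13/gnu/regexec.c",  1240, "OVERRUN",       "re_search_internal", "Overrunning array of 16 bytes"),
    ("tar-1.34",  "tar-1.34/gnu/quotearg.c",    89, "RESOURCE_LEAK", "quotearg_buffer",    "Variable buf going out of scope leaks storage"),
    ("cpio-2.13", "cpio-2.13/gnu/quotearg.c",   91, "RESOURCE_LEAK", "quotearg_buffer",    "Variable buf going out of scope leaks storage"),
    # Package-specific code: must stay package-specific even if another package had a similar finding.
    ("tar-1.34",  "tar-1.34/src/extract.c",    567, "TOCTOU",        "extract_file",       "Calling open after stat on the same path"),
]

# Assumption: directory names under which packages vendor their Gnulib copy.
GNULIB_DIRS = {"gnu", "gnulib", "lib"}


def gnulib_relpath(path):
    """Path relative to the vendored Gnulib directory, or None if the file is
    not inside one (i.e. it is the package's own source)."""
    parts = path.split("/")
    for i, part in enumerate(parts[:-1]):
        if part in GNULIB_DIRS:
            return "/".join(parts[i + 1:])
    return None


def normalize_message(message):
    """Replace numbers (buffer sizes, line references) so identical defects
    reported with slightly different figures still match."""
    return re.sub(r"\d+", "N", message)


def fingerprint(finding):
    """Stable key for a finding.  Line numbers are deliberately excluded:
    they change between Gnulib snapshots and between package releases."""
    package, path, _line, checker, function, message = finding
    rel = gnulib_relpath(path)
    if rel is None:
        # Own code: strip the versioned top-level dir but keep the package name.
        key = f"{package}|{path.split('/', 1)[-1]}|{checker}|{function}|{normalize_message(message)}"
    else:
        # Shared Gnulib code: key is independent of package and line.
        key = f"gnulib|{rel}|{checker}|{function}|{normalize_message(message)}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def group_by_fingerprint(findings):
    """Group findings so a reviewer triages each distinct defect once."""
    groups = defaultdict(list)
    for finding in findings:
        groups[fingerprint(finding)].append(finding)
    return dict(groups)


def filter_known(findings, known_false_positives):
    """Drop findings whose fingerprint was already recorded as a false positive."""
    return [f for f in findings if fingerprint(f) not in known_false_positives]


if __name__ == "__main__":
    groups = group_by_fingerprint(FINDINGS)
    for fp, members in groups.items():
        print(fp, [m[0] for m in members], members[0][1], members[0][3])
    # After triaging the regexec group as a false positive once, both packages are clean of it.
    recorded = {fingerprint(FINDINGS[0])}
    print("remaining:", len(filter_known(FINDINGS, recorded)))
```

The recorded fingerprints are what goes into the distributor's suppression list; a new package release or a new Gnulib snapshot only produces fresh work when the file, checker, function or normalised message actually changes.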
