CVE databases just aren't usable for determining most of the vulnerability fixes going into a project. Linux distributions like Debian relying on CVEs to determine which fixes need to be backported have serious security issues. Greg KH spells this out again and again for Linux.
As far as I know we ran Coverity on Gecko way back in the day and it didn’t really do anything to address the flood of security problems.
-
I think a distinction needs to be made between claims. I agree it's implausible that static analysis can find/fix any significant portion of flaws in C code with fundamentally bad object lifetime and ownership policy. OTOH...
-
If you have a C codebase that's not doing wacky things with object lifetime and ownership, it seems *plausible* that advanced static analysis could find and help you fix most serious bugs.