PSA: If you are a C/C++ developer, use cppcheck
Dave Jones
davej at redhat.com
Wed Dec 18 15:37:53 UTC 2013
On Wed, Dec 18, 2013 at 09:12:06AM +0100, Ondrej Vasik wrote:
> Publishing them is a bit tricky - I can of course publish them (we scan
> with cppcheck, enhanced gcc warnings, clang and coverity) - but the
> reports may contain some attack vectors - and for inactive packages, it
> would only show the doors to attackers.
Then it's a good thing that attackers don't have any money and can't afford
to buy a checker license themselves.
Hiding bugs doesn't make them go away, and pretending we have tools bad people
don't is a fallacy.
Dave