s2n-tls
Add more Static Code Analyzers
This issue should track our work on adding more Static Code Analyzers to s2n. There are lots of Static Code Analyzers for C code; a good starting point to compare them is the list provided by the SEI CERT C Coding Standard.
Code Analysis Tools that we may want to investigate adding to s2n:
- [x] CBMC
- [ ] clang
- [ ] Codechecker
- [ ] CodeSonar
- [ ] Coverity
- [X] cppcheck
- [X] ctverif (For constant time functions)
- [ ] ECLAIR
- [ ] EDG
- [ ] FramaC
- [ ] GCC
- [ ] IKOS
- [ ] Infer
- [ ] KLEE
- [ ] Klocwork
- [X] KWStyle (For line and function length)
- [ ] LDRA
- [ ] oclint
- [ ] Parasoft
- [ ] Polyspace
- [ ] PRQA
- [ ] Rose
- [X] SAW (For HMAC and TLS State Machine)
- [ ] SonarQube
- [ ] Splint
- [ ] tis-interpreter (https://github.com/TrustInSoft/tis-interpreter)
Lists of C Static Code Analyzers:
- https://github.com/mre/awesome-static-analysis#cc
- https://www.securecoding.cert.org/confluence/display/c/EE.+Analyzers
- https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#C.2C_C.2B.2B
- https://www.dwheeler.com/essays/static-analysis-tools.html
- https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
- https://www.owasp.org/index.php/Source_Code_Analysis_Tools
- http://stackoverflow.com/questions/2873/choosing-a-static-code-analysis-tool
- https://spinroot.com/static/
- https://www.gnu.org/software/hurd/open_issues/code_analysis.html#index2h1
- Test-driving static analysis tools in search of C code vulnerabilities [PDF]
Looking into adding Ubuntu22/gcc-12 to CI. https://developers.redhat.com/articles/2022/04/12/state-static-analysis-gcc-12-compiler
Hi. I just wanted to chime in. I'm the current maintainer of IKOS. If you have any issues adding it, please feel free to ping us in the repo. If it's something we can fix, we'd be glad to help.