Re: The Static Analysis Market and You
From: "Dave Korn" <dave.korn () artimi com>
Date: Tue, 14 Oct 2008 19:25:13 +0100
Dave Aitel wrote on 14 October 2008 15:53:
> possibility is that more research dollars will flood into the space
> and the technology will get better and live up to its marketing.
> Another possibility is that no matter how much you spend, pure static
> analysis can't do the things you want it to do (the IBM and to some
> extent Fortify bet).
> Which is it?
You really asking, or is that just rhetorical? It's blatantly option B.
If your code compiles without warnings and lint errors, you've probably
already got 99% of what these tools can do for you, for free. And the other
1% is the stuff that needs a skilled human being to look at it, anyway; until
we get a real AI working on it, none of this stuff is a great deal more subtle
than "grep -R strcpy *".
Had to read the source just to even get a look at that one, and found a bit
that made me LOLWTF:
//var path = '../';
//for(i=1; i<level; i++) path = path + "../";
//for(j=1; j<10; j++) document.getElementById('img'+j).src = path +
for(k=1; k<10; k++) document.getElementById('link'+k).href =
path + document.getElementById('link'+k).getAttribute('href');
Heh. Disabled now, but it really does look a lot like at some point
somebody had never heard of absolute paths ...
Can't think of a witty .sigline today....
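An added illustration of the "grep -R strcpy *" baseline discussed above (example code added here, not from the post, from Dailydave, or from any of the tools named in the thread). The C sample is constructed for the example, and the scanner functions are hypothetical names. It shows three tiers side by side: what a plain substring grep reports (including hits inside comments and string literals), what a slightly smarter lexical scan reports once comments and strings are blanked out, and one genuine defect that neither a grep for "strcpy" nor call matching sees, because the dangerous call is a strncpy whose bound follows the source buffer instead of the destination.

```python
import re
from typing import List, Tuple

# Constructed sample C source (not from the original post). Line 3 is a real
# unbounded copy, line 5 only mentions strcpy in a comment, line 7 is an
# strncpy bounded by the *source* length, line 10 mentions strcpy in a string.
SAMPLE_C = """\
#include <string.h>
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);                      /* unbounded copy */
}
/* TODO: replace strcpy below with strlcpy */
void copy_bounded(char *dst, const char *src) {
    strncpy(dst, src, strlen(src));        /* bound follows the source */
}
void use_a_string(void) {
    const char *msg = "strcpy is banned here";
    (void)msg;
}
"""

# Comments and string literals, matched left to right in one alternation so a
# quote inside a comment (or a '/*' inside a string) cannot confuse the scan.
COMMENT_OR_STRING_RE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.DOTALL)
# Calls to classic unbounded functions (hypothetical deny-list for the example).
CALL_RE = re.compile(r"\b(strcpy|strcat|gets|sprintf)\s*\(")
# strncpy(dst, src, strlen(src)): the bound is derived from the source, so the
# call protects the destination no better than strcpy would.
STRNCPY_SRC_BOUND_RE = re.compile(
    r"\bstrncpy\s*\(\s*(\w+)\s*,\s*(\w+)\s*,\s*strlen\s*\(\s*\2\s*\)")


def grep_hits(source: str, needle: str = "strcpy") -> List[int]:
    """The 'grep -R strcpy' baseline: every line containing the substring,
    comments and string literals included."""
    return [n for n, line in enumerate(source.splitlines(), 1) if needle in line]


def _blank_out(source: str) -> str:
    """Replace comments and string literals with spaces of equal length so that
    line numbers and column offsets are preserved for reporting."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    return COMMENT_OR_STRING_RE.sub(blank, source)


def call_hits(source: str) -> List[Tuple[int, str]]:
    """One notch above grep: report only *calls* to deny-listed functions,
    with comments and string literals blanked out first."""
    cleaned = _blank_out(source)
    return [(n, m.group(1)) for n, line in enumerate(cleaned.splitlines(), 1)
            for m in CALL_RE.finditer(line)]


def source_bounded_strncpy(source: str) -> List[int]:
    """Flag strncpy calls whose bound is strlen(src). A grep for 'strcpy'
    never sees these (the substring does not occur), and a deny-list of
    function names would wave them through as 'bounded'."""
    cleaned = _blank_out(source)
    return [n for n, line in enumerate(cleaned.splitlines(), 1)
            if STRNCPY_SRC_BOUND_RE.search(line)]


if __name__ == "__main__":
    print("grep -R strcpy          :", grep_hits(SAMPLE_C))
    print("calls to deny-listed fns:", call_hits(SAMPLE_C))
    print("strncpy bounded by src  :", source_bounded_strncpy(SAMPLE_C))
```

Run against the constructed sample, the substring grep reports lines 3, 5 and 10 (one real finding, two noise hits), the call scan reports only line 3, and only the pattern-specific check reports line 7. The third function is the part worth noticing: the check that catches it is itself just another regular expression, which is the author's point about how much of this work is lexical rather than semantic, and also why the remaining cases still want a human reading the code.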
Dailydave mailing list
Dailydave () lists immunitysec com