Alex Rousskov wrote:
>
> I am not familiar with its4, but it looks like it is using an approach
> that is similar to your "find ./ -name "*.c" -exec egrep strcat",
> except some C language constructs are also recognized. In most cases
> such a search will show wrong warnings for Squid. For example, there
> is nothing wrong with the code that uses strcat or strcpy if
> boundaries are checked first. Also, many warnings are printed for
> external programs that are not a part of the Squid daemon (e.g. cache
> manager).
Henrik Nordstrom wrote:
>
> And if you look at these lines you will se that this is properly done
> already. I'll give this scanner gets a very low rating since it
> apparently flags all uses of functions which might be used(/abused)
> insecurely, not only the ones which cannot be easily identified as
> okay...
Excellent. Thanks very much for your comments. I was kinda
hoping this would be the general consensus as I'm quite a fan of
Squid :-)
Cheers,
Pete.
---------------------------------------------------------------
| Pete Philips \|/ |
| Integralis S3 Team O |
| E-mail: pete.philips@integralis.co.uk |
| Phone: +44 118 930 6060 |
| PGP Key: http://www.s3.integralis.co.uk/pgp/pete.pgp |
---------------------------------------------------------------
-- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Fri Oct 27 2000 - 02:55:58 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:59 MST