login
Search
Ben Chelf, CTO of Coverity Inc., offered access to the bugs discovered by the Coverity tool, previously known as the Stanford Checker, to a select few interested developers.
Coverity is a tool that detects bugs, including security vulnerabilities, in source code. They have been tracking several open-source projects and have previously reported bugs in the Linux kernel [story] and FreeBSD [story] among others.
He explained the motive behind not announcing the bugs:
"Right now, we're guarding access to the actual defects that we report for a couple of reasons: (1) We think that you, as developers of Linux, should have the chance to look at the defects we find to patch them before random other folks get to see what we found and (2) From a support perspective, we want to make sure that we have the appropriate time to engage with those who want to use the results to fix the code. Because of this second point, I'd ask that if you are interested in really digging into the results a bit further for your project, please have a couple of core maintainers (or group nominated individuals) reach out to me to request access."
Greg Kroah-Hartman suggested they should contact the Kernel Security Mailing List for security-related issues or just post the bugs to the Linux Kernel Mailing List otherwise.
From: Ben Chelf [email blocked] List: Linux-kernel [email blocked] Subject: Coverity Open Source Defect Scan of Linux Date: 2006-03-06 5:35:11 Hello Linux Developers, I'm the CTO of Coverity, Inc., a company that does static source code analysis to look for defects in code. You may have heard of us or of our technology from its days at Stanford (the "Stanford Checker"). The reason I'm writing is because we have set up a framework internally to continually scan open source projects and provide the results of our analysis back to the developers of those projects. Linux is one of the 32 projects currently scanned at: http://scan.coverity.com My belief is that we (Coverity) must reach out to the developers of these packages (you) in order to make progress in actually fixing the defects that we happen to find, so this is my first step in that mission. Of course, I think Coverity technology is great, but I want to hear what you think and that's why I worked with folks at Coverity to put this infrastructure in place. The process is simple -- it checks out your code each night from your repository and scans it so you can always see the latest results. Right now, we're guarding access to the actual defects that we report for a couple of reasons: (1) We think that you, as developers of Linux, should have the chance to look at the defects we find to patch them before random other folks get to see what we found and (2) From a support perspective, we want to make sure that we have the appropriate time to engage with those who want to use the results to fix the code. Because of this second point, I'd ask that if you are interested in really digging into the results a bit further for your project, please have a couple of core maintainers (or group nominated individuals) reach out to me to request access. As this is a new process for us and still involves a small number of packages, I want to make sure that I personally can be involved with the activity that is generated from this effort. So I'm basically asking for people who want to play around with some cool new technology to help make source code better. If this interests you, please feel free to reach out to me directly. And of course, if there are other packages you care about that aren't currently on the list, I want to know about those too. If this is the wrong list, my sincerest apologies and please let me know where would be a more appropriate forum for this type of message. Many thanks for reading this far... -ben Ben Chelf Chief Technology Officer Coverity, Inc. From: Dave Jones [email blocked] Date: 2006-03-06 5:49:59 On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote: > Right now, we're guarding access to the actual defects that we report > for a couple of reasons: (1) We think that you, as developers of Linux, > should have the chance to look at the defects we find to patch them > before random other folks get to see what we found and (2) From a > support perspective, we want to make sure that we have the appropriate > time to engage with those who want to use the results to fix the code. > Because of this second point, I'd ask that if you are interested in > really digging into the results a bit further for your project, please > have a couple of core maintainers (or group nominated individuals) reach > out to me to request access. As this is a new process for us and still > involves a small number of packages, I want to make sure that I > personally can be involved with the activity that is generated from this > effort. > > So I'm basically asking for people who want to play around with some > cool new technology to help make source code better. If this interests > you, please feel free to reach out to me directly. And of course, if > there are other packages you care about that aren't currently on the > list, I want to know about those too. The last time I asked about access to your bug list, I was asked to sign the equivalent of a non-compete agreement. Is this still in place? Dave From: Adrian Bunk [email blocked] Date: 2006-03-06 10:27:29 On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote: > Hello Linux Developers, Hi Ben, > I'm the CTO of Coverity, Inc., a company that does static source code > analysis to look for defects in code. You may have heard of us or of our > technology from its days at Stanford (the "Stanford Checker"). The > reason I'm writing is because we have set up a framework internally to > continually scan open source projects and provide the results of our > analysis back to the developers of those projects. Linux is one of the > 32 projects currently scanned at: > > http://scan.coverity.com >... > Right now, we're guarding access to the actual defects that we report > for a couple of reasons: (1) We think that you, as developers of Linux, > should have the chance to look at the defects we find to patch them > before random other folks get to see what we found and (2) From a > support perspective, we want to make sure that we have the appropriate > time to engage with those who want to use the results to fix the code. > Because of this second point, I'd ask that if you are interested in > really digging into the results a bit further for your project, please > have a couple of core maintainers (or group nominated individuals) reach > out to me to request access. As this is a new process for us and still > involves a small number of packages, I want to make sure that I > personally can be involved with the activity that is generated from this > effort. >... It seems there is some internal communication problem inside your company: This is far from being a "new process", you already offered this for some time at http://linuxbugsdb.coverity.com/ (with the exception that you stopped updating the results half a year ago). If you as the CTO didn't know about this it is giving a very bad impression of your company. Some questions regarding this move: - can you migrate the accounts from linuxbugsdb.coverity.com? - are the comments Linux kernel developers like me did at linuxbugsdb.coverity.com migrated to scan.coverity.com or was this wasted work? Another thing you could give a small clarification about: Your email sounds as if your offer was like a charity offer from Coverity, Inc. OTOH, I remember press rumors of Coverity, Inc getting 297 000 Dollar for this from the Department of Homeland Security. I'm sure you are not silently omitting that you are getting public fundings for what you are offering, but an official statement would be nice. > -ben cu Adrian From: Bernd Petrovitsch [email blocked] Date: 2006-03-06 10:43:51 Some improvements for the next press release (of Coverty, Inc.): On Mon, 2006-03-06 at 11:27 +0100, Adrian Bunk wrote: > On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote: > > Hello Linux Developers, [...] > > analysis back to the developers of those projects. Linux is one of the ^^^^^ should have been "The Linux kernel" [...] > > for a couple of reasons: (1) We think that you, as developers of Linux, ^^^^^ should have been "the Linux kernel" [...] > It seems there is some internal communication problem inside your > company: ACK. > This is far from being a "new process", you already offered this for > some time at http://linuxbugsdb.coverity.com/ (with the exception that > you stopped updating the results half a year ago). > > If you as the CTO didn't know about this it is giving a very bad > impression of your company. [...] Bernd From: Ben Chelf [email blocked] Date: 2006-03-06 13:39:22 Bernd Petrovitsch wrote: > On Mon, 2006-03-06 at 12:03 +0100, Michal Schmidt wrote: > >>Bernd Petrovitsch wrote: >> >>>>>analysis back to the developers of those projects. Linux is one of the >>> >>> ^^^^^ >>> should have been "The Linux kernel" >> >>Why? Are you afraid of confusion with Linux the washing powder? > > > No (that's actually the cobfusion I don't fear). Just to clarify -- I am aware (and have been since it's inception) of Coverity's previous work on the subject. I was one of the guys at Stanford who started pushing Linux through the technology years and years ago :) However, the "new process" piece is the fact that now we have the infrastructure in place to provide the results of the daily scans that we are performing of the kernel and other open source projects back to the developers and core maintainers of those projects. Sorry about any confusion caused by my terminology with "Linux". I admit, form email and should have been "Linux kernel"... -ben From: Ben Chelf [email blocked] Date: 2006-03-06 13:46:04 (sorry for not responding to all Qs in the last email) > Some questions regarding this move: > - can you migrate the accounts from linuxbugsdb.coverity.com? > I will look into this -- I don't see any reason not to. > - are the comments Linux kernel developers like me did at > linuxbugsdb.coverity.com migrated to scan.coverity.com or was this > wasted work? > That may be a bit more challenging, but again, I'll look into it. The goal, of course, was not to waste your (or anyone's) work... > > Another thing you could give a small clarification about: > Your email sounds as if your offer was like a charity offer from > Coverity, Inc. > > OTOH, I remember press rumors of Coverity, Inc getting 297 000 Dollar > for this from the Department of Homeland Security. > > I'm sure you are not silently omitting that you are getting public > fundings for what you are offering, but an official statement would be > nice. > Snipped from http://scan.coverity.com: "In collaboration with Stanford University, Coverity is establishing a new baseline for software quality and security in open source based on the analysis of over 30 of the most critical and widely used open source projects in the world. Under a contract with the Department of Homeland Security, we apply the latest innovation in automated defect detection to uncover some of the most critical types of bugs found in software. We are making the results of our automated analysis available to the maintainers within the open source community. Additional projects will be added over time. Through this process, our hope is that the benefits of the open source model are further accelerated with faster and easier remediation of defects in open source." I feared my original email was a bit too long as it stood...apologies if anyone felt misled. -ben From: Greg KH [email blocked] Date: 2006-03-06 15:46:04 On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote: > Right now, we're guarding access to the actual defects that we report > for a couple of reasons: (1) We think that you, as developers of Linux, > should have the chance to look at the defects we find to patch them > before random other folks get to see what we found and (2) From a > support perspective, we want to make sure that we have the appropriate > time to engage with those who want to use the results to fix the code. If you feel these are security related, please contact security@kernel.org with the information (as is documented in the kernel documentation). If you do not feel they are security related, but just normal bugs that don't really cause problems, feel free to just post the information here on lkml, and cc: the maintainers of the affected areas of code. In other words, these should be treated like any other potential bug report. And I mean "potential", as your tool has had false positives in the past :) thanks, greg k-h
