On Fri, Oct 13, 2017 at 02:25:07PM +0100, Daniel P. Berrange wrote:
> Many projects these days are recording progress wrt CII best practices
> for FLOSS projects. I filled out a record for QEMU:
>
> https://bestpractices.coreinfrastructure.org/projects/1309
>
> I only looked at the 'Passing' criteria, not considered the 'Silver' and
> 'Gold' criteria. So if anyone else wants to contribute, register an
> account there and tell me the username whereupon I can add you as a
> collaborator.
>
> Two items I don't think QEMU achieves for the basic "Passing" criteria
>
> - The release notes MUST identify every publicly known vulnerability
> that is fixed in each new release.
>
> I don't see a list of CVEs mentioned in our release Changelogs or
> indeed a historic list of CVEs anywhere even outside the release
> notes ?
>
> - It is SUGGESTED that if the software produced by the project includes
> software written using a memory-unsafe language (e.g., C or C++), then
> at least one dynamic tool (e.g., a fuzzer or web application scanner)
> be routinely used in combination with a mechanism to detect memory
> safety problems such as buffer overwrites.
>
> NB this is not 'coverity' which falls under the 'static analysis'
> group. I'm unclear if anyone in the community does regular fuzzing
> or analysis with ASAN & equiv ?

I'm not aware of automated ASAN or Valgrind runs although developers tend to run them in ad-hoc fashion during development.

Stefan
