A year after writing the article about checking Tizen, developers of the PVS-Studio static analyzer checked the quality of the operating system code again, this time demonstrating the abilities of their product to detect errors and potential security vulnerabilities in the Android code.
Although the Android code is of high quality and well tested, and its development already includes at least the Coverity static analyzer, PVS-Studio still found a good number of interesting defects. Some of the errors map to CWE (Common Weakness Enumeration) entries, and a weakness of that kind can, under the right circumstances, become an exploitable vulnerability (CVE). So if you want to protect your code from security vulnerabilities, find and eliminate as many CWE-class defects as you can.
According to its developers, PVS-Studio is a static application security testing (SAST) tool that can catch many potential vulnerabilities before they cause harm. The article gives examples of errors in the following categories:
- Pointless comparisons
- Null pointer dereference
- Private data is not cleared in memory
- Unspecified/implementation-defined behavior
- Incorrect memory control
- Array index out of bounds
- Broken loops
and so on.
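The "private data is not cleared in memory" category deserves a closer look, because the code looks correct and the defect only appears after optimization. The following C program is an added illustration, not code from the PVS-Studio article or from Android: a buffer holding a derived key is wiped with memset() just before it goes out of scope, so the store is dead and the compiler is allowed to delete it (this is the pattern the analyzer reports). The hardened variant writes through a volatile pointer, which the optimizer may not elide. All names (derive_session_key, secure_wipe, session_secure, session_insecure) and the "key derivation" itself are constructed for the example and are not a real KDF.

```c
/* Added example: the "private data not cleared in memory" defect class.
 * Not from the PVS-Studio article or the Android sources; the KDF below
 * is a constructed stand-in, NOT a real key derivation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Constructed stand-in for a key derivation function (example only). */
static void derive_session_key(const uint8_t *secret, size_t secret_len,
                               uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(secret[i % secret_len] ^ (uint8_t)(0x5a + i));
}

/* Writes through a volatile pointer: the compiler must perform every
 * store, even though nothing reads the buffer afterwards. On platforms
 * that provide them, explicit_bzero() or memset_s() do the same job. */
void secure_wipe(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_wiped(const uint8_t *buf, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

static const uint8_t k_secret[] = "constructed example secret"; /* constructed */

/* Vulnerable shape: 'key' is a local that is never read after the memset,
 * so the memset is a dead store and may be dropped at -O2, leaving the key
 * on the stack. This is exactly what a static analyzer flags here. */
int session_insecure(void)
{
    uint8_t key[KEY_LEN];
    derive_session_key(k_secret, sizeof k_secret - 1, key);
    int tag = key[0] ^ key[KEY_LEN - 1];   /* pretend use of the key */
    memset(key, 0, sizeof key);            /* dead store: may be elided */
    return tag;
}

/* Hardened shape: same logic, but the wipe cannot be optimized away. */
int session_secure(void)
{
    uint8_t key[KEY_LEN];
    derive_session_key(k_secret, sizeof k_secret - 1, key);
    int tag = key[0] ^ key[KEY_LEN - 1];
    secure_wipe(key, sizeof key);
    return tag;
}

/* Observable check of secure_wipe on a buffer that is read afterwards:
 * fills it with 0xAB, verifies it is not zero, wipes it, returns is_wiped. */
int wipe_roundtrip(void)
{
    uint8_t buf[KEY_LEN];
    memset(buf, 0xAB, sizeof buf);
    if (is_wiped(buf, sizeof buf))
        return 0;                          /* fill failed, should not happen */
    secure_wipe(buf, sizeof buf);
    return is_wiped(buf, sizeof buf);
}

int main(void)
{
    printf("tags equal: %d\n", session_insecure() == session_secure());
    printf("secure_wipe zeroes the buffer: %d\n", wipe_roundtrip());
    return 0;
}
```

The two session functions compute the same tag, so a test cannot tell them apart; the difference is only visible in the generated code (compile with -O2 and inspect the assembly of session_insecure: the memset call is typically gone, while the store loop in session_secure remains). That is why this class of defect is found by static analysis rather than by testing.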
In total, 490 CWE-classified defects were found in 1,855,000 lines of code, that is more than one potential weakness per 4,000 lines.
Development of large, complex projects is impossible without programming methodologies and tools that help monitor code quality: first of all a sound coding standard, code reviews, unit tests, and static and dynamic analyzers. All of this helps to catch defects at the earliest stages of development. Use additional tools and methods to control the quality of your code and make your product secure!
Source - https://www.viva64.com/en/b/0579/
People often ask which programming language is easier, which is the most popular, which one to start learning, and so on. In this article we compare two languages, Python and Ruby, or, to be exact, their reference implementations CPython and MRI.
We took the latest versions of the source code from the repositories (Ruby, Python) for the analysis. There weren't many glaring errors in these projects. Most of them are related to macro usage, and such code is quite innocent from the developer's point of view. At the same time, the suspicious fragments that arose from copy-paste, comparing a SOCKET-typed value with NULL, undefined behavior, overwriting a variable's value before it is used, or null pointer dereferencing are really worth reviewing.
Having analyzed all the warnings of the general analysis diagnostics and removed all the false positives, we came to the following conclusion concerning the error density:
More details about the code fragments where these suspicious constructs were found:
It's worth saying that despite these flaws, the code is still of high quality. We should also take into account factors such as the size of the codebase, or the fact that some fragments are erroneous only from the point of view of the C++ language and do not affect the program in any way. So this analysis may be rather subjective, because we have not previously evaluated the error density of these projects. We will try to do that in the future, so that we can compare the results of later checks.
Tired of politics? Here is quite an interesting pastime for today (and not only for today).
Mari0 is a pretty good combination of Mario and Portal. Perhaps somebody has been waiting for a release of this game; well, you have it today. What is notable? You can download the complete source code, along with the shaders, sound and graphics. It is written in Lua and runs on the LÖVE 2D game engine. Everything is packed into a file with the extension .love, which is in fact a zip archive: you can unpack it and see what's inside. You can also have a look at https://love2d.org/.
Some time ago Karen Sandler (Executive Director of the GNOME Foundation) was diagnosed with hypertrophic cardiomyopathy, a condition that greatly increases the probability of death from heart problems. She was advised to have a pacemaker implanted. Karen got very curious and asked a few questions, such as: "What software is running in it? Can I look at the code before I trust it with my life?", but no one could give her clear answers.
It turned out that medical devices in the USA are certified by the Food and Drug Administration (FDA), which does not review device source code unless a problem with the device's software has already occurred. Instead, the FDA relies on the manufacturer's report containing all the information about the device, provided that document meets the general standards required in this case.