
New tool - Security Metrics

From:
Lucas Kanashiro
Date:
2014-02-04 @ 18:11
Alexandre and I are working on the addition of a Clang extractor and we
identified the need for a new tool related to security metrics.

Our proposal is to create a new tool in Analizo (security-metrics). It will
parse the generated Clang metrics and show the security metrics by
file. The security metrics will be the number of bugs found. Maybe the
lines of the bugs could be presented.

What do you think about it?

-- 
Lucas Kanashiro Duarte
Engenharia de Software - FGA/UnB
kanashiro.duarte@gmail.com

Re: [analizo] New tool - Security Metrics

From:
Antonio Terceiro
Date:
2014-02-04 @ 20:19
On Tue, Feb 04, 2014 at 04:11:32PM -0200, Lucas Kanashiro wrote:
> Alexandre and I are working on the addition of a Clang extractor and we
> identified the need for a new tool related to security metrics.
> 
> Our proposal is to create a new tool in Analizo (security-metrics). It will
> parse the generated Clang metrics and show the security metrics by
> file. The security metrics will be the number of bugs found. Maybe the
> lines of the bugs could be presented.
> 
> What do you think about it?

I have several questions:

- are you working on a clang extractor to replace doxyparse, or a tool to
  extract security facts? or both?

- what tool(s) exactly are we talking about?

- for a user, what is the difference between running this security tool
  from analizo instead of running the clang tool directly?

- can this new security tool improve the existing analizo features? for
  example, if I could get security-related counts together with coupling
  and cohesion metrics, then that is useful for me to have that inside
  analizo. If it's a separate tool that is not integrated with other
  types of analysis that analizo already does, maybe it does not make
  much sense.

-- 
Antonio Terceiro <terceiro@softwarelivre.org>
http://softwarelivre.org/terceiro

Re: [analizo] New tool - Security Metrics

From:
Paulo Meirelles
Date:
2014-02-04 @ 20:35
2014-02-04 Antonio Terceiro <terceiro@softwarelivre.org>:

> On Tue, Feb 04, 2014 at 04:11:32PM -0200, Lucas Kanashiro wrote:
> > Alexandre and I are working on the addition of a Clang extractor and we
> > identified the need for a new tool related to security metrics.
> >
> > Our proposal is to create a new tool in Analizo (security-metrics). It will
> > parse the generated Clang metrics and show the security metrics by
> > file. The security metrics will be the number of bugs found. Maybe the
> > lines of the bugs could be presented.
> >
> > What do you think about it?
>
> I have several questions:
>
> - are you working on a clang extractor to replace doxyparse, or a tool to
>   extract security facts? or both?
>

Both, but a first step is working on a "tool to extract security facts".


> - what tool(s) exactly are we talking about?
>

The "tool to extract security facts", which will replace doxyparse for C
and C++ code analysis.


> - for a user, what is the difference between running this security tool
>   from analizo instead of running the clang tool directly?
>

The Analizo toolkit can, in particular, obtain other metrics
together... we also want to replace doxyparse. For now, we want to see/show
this metric on the Mezuro Platform.


> - can this new security tool improve the existing analizo features? for
>   example, if I could get security-related counts together with coupling
>   and cohesion metrics, then that is useful for me to have that inside
>   analizo. If it's a separate tool that is not integrated with other
>   types of analysis that analizo already does, maybe it does not make
>   much sense.
>

We are working on the first case: "get security-related counts together
with coupling and cohesion metrics", for example.

What "baby-step" could you suggest for us?

thanks in advance,
-- 
Paulo Meirelles
FGA-UnB (http://fga.unb.br)
CCSL-IME/USP (http://ccsl.ime.usp.br)

Re: [analizo] New tool - Security Metrics

From:
Antonio Terceiro
Date:
2014-02-11 @ 03:23
On Tue, Feb 04, 2014 at 06:35:39PM -0200, Paulo Meirelles wrote:
> 2014-02-04 Antonio Terceiro <terceiro@softwarelivre.org>:
> 
> > On Tue, Feb 04, 2014 at 04:11:32PM -0200, Lucas Kanashiro wrote:
> > > Alexandre and I are working on the addition of a Clang extractor and we
> > > identified the need for a new tool related to security metrics.
> > >
> > > Our proposal is to create a new tool in Analizo (security-metrics). It will
> > > parse the generated Clang metrics and show the security metrics by
> > > file. The security metrics will be the number of bugs found. Maybe the
> > > lines of the bugs could be presented.
> > >
> > > What do you think about it?
> >
> > I have several questions:
> >
> > - are you working on a clang extractor to replace doxyparse, or a tool to
> >   extract security facts? or both?
> >
> 
> Both, but a first step is working on a "tool to extract security facts".
> 
> 
> > - what tool(s) exactly are we talking about?
> >
> 
> The "tool to extract security facts", which will replace doxyparse for C
> and C++ code analysis.
> 
> 
> > - for a user, what is the difference between running this security tool
> >   from analizo instead of running the clang tool directly?
> >
> 
> The Analizo toolkit can, in particular, obtain other metrics
> together... we also want to replace doxyparse. For now, we want to see/show
> this metric on the Mezuro Platform.
> 
> 
> > - can this new security tool improve the existing analizo features? for
> >   example, if I could get security-related counts together with coupling
> >   and cohesion metrics, then that is useful for me to have that inside
> >   analizo. If it's a separate tool that is not integrated with other
> >   types of analysis that analizo already does, maybe it does not make
> >   much sense.
> >
> 
> We are working on the first case: "get security-related counts together
> with coupling and cohesion metrics", for example.
> 
> What "baby-step" could you suggest for us?

maybe getting the initial work I did on a clang-based extractor and
adding the security issues count on top of that? Then after you get the
security issues done you would continue getting the rest of the
extractor to work.

-- 
Antonio Terceiro <terceiro@softwarelivre.org>
http://softwarelivre.org/terceiro