Klocwork's open source program did some source code analysis for OpenLDAP a few years back. We've analyzed the project again using our static analysis product, Klocwork Insight, and found some bugs and potential security vulnerabilities that may be of interest. The results are hosted on a secure web portal so only contributors to the project will have access to the results. They will not be published. Please email opensource at klocwork dot com for the login credentials.
Issue Summary: https://opensource.klocwork.com/review/insight-review.html#reportviewer_goto:project=openldap,report=6,scope=1
Full Details/Issue Management: http://goo.gl/9GNiu
This program will be offered free to open source projects on an ongoing basis, so if you find the results of value we could analyze future versions of your project as well.
Cheers,
Lynn Gayowski
Klocwork
P +1.613.836.8899 ext. 424
lynn.gayowski at klocwork.com
On Apr 14, 2011, at 3:41 PM, Lynn Gayowski wrote:
Klocwork’s open source program did some source code analysis for OpenLDAP a few years back. We’ve analyzed the project again using our static analysis product, Klocwork Insight, and found some bugs and potential security vulnerabilities that may be of interest. The results are hosted on a secure web portal so only contributors to the project will have access to the results. They will not be published. Please email opensource at klocwork dot com for the login credentials.
For the benefit of you and the community, please note that the OpenLDAP Foundation considers this as an open request for those interested in the Klocwork report to contact Klocwork for that report. To the extent that Klocwork and any interested party choose to enter into any sort of agreement, that agreement is between Klocwork and the interested party. Neither the OpenLDAP Foundation nor the OpenLDAP Project (an organized activity of the OpenLDAP Foundation) would be a party to that agreement and hence cannot and will not be bound by any such agreement.
It must also be noted that the Project requires all contributions (including not just source code) to be publicly disclosable. This is why it won't enter into an agreement precluding it from publishing particular contributions, such as a report. It is the contributors' responsibility, not the Project's, to only contribute materials which are publicly disclosable. The Project will publish any and all contributions (it may choose to delay contributions of certain materials (such as "major security issues"), but all contributions get published in due course).
This note is not intended to dissuade anyone interested in this report from seeking access to the report and/or viewing the report. The note is intended to make clear that those seeking access to such reports are acting on their own behalf, not on the behalf of the OpenLDAP Foundation or the OpenLDAP Project.
Regards, Kurt
--- Executive Director, OpenLDAP Foundation
Thanks Kurt. Just to clarify one point - when I said that results will not be published, I meant that Klocwork will not be publishing results anywhere. Any interested users are free to use the results however they wish and can publicly disclose the reports or not - completely up to you. We know the developers are the best judges of what information is worth sharing on the mailing list so we leave it to them. We do not have a non-disclosure agreement or any other agreement required to access the analysis results. We're merely making the results of our analysis available to developers on this project.
We appreciate the opportunity to work with the open source community and hope we can contribute some value to OpenLDAP. All feedback is welcome.
-----Original Message-----
From: Kurt Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: April-15-11 11:29 AM
To: Lynn Gayowski
Cc: openldap-devel@OpenLDAP.org
Subject: Re: Static Analysis of OpenLDAP
I've thrown together a quick style sheet to view the XML file with issues, if anyone cares. It works, but can definitely be improved :-)