home.social
Sign in Create account

#coverity — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #coverity, aggregated by home.social.

  1. 0xC0DEC0DE07EA @[email protected] ·

    One static analysis tool tells me to use `lstat` and `fstat` to avoid (or at least detect) malicious replacement of a file that I `open`. Then, after doing this, my other static analysis tool complains that I’ve introduced a TOCTOU (time-of-use, time-of-check) between `lstat` and `open`.

    Sure, but I’m going to detect that. Real issue I have with all of this is that there’s still a window (which I estimate to be the about the same size in both versions of this program) between creating this pseudoterminal file and the next interaction I have with it (be that pulling file stats with `lstat` or `open`ing it).
    #SemGrep #Coverity #StaticAnalysis #Programming #C

    #semgrep #coverity #staticanalysis #programming #c
  2. 0xC0DEC0DE07EA @[email protected] ·

    One static analysis tool tells me to use `lstat` and `fstat` to avoid (or at least detect) malicious replacement of a file that I `open`. Then, after doing this, my other static analysis tool complains that I’ve introduced a TOCTOU (time-of-use, time-of-check) between `lstat` and `open`.

    Sure, but I’m going to detect that. Real issue I have with all of this is that there’s still a window (which I estimate to be the about the same size in both versions of this program) between creating this pseudoterminal file and the next interaction I have with it (be that pulling file stats with `lstat` or `open`ing it).
    #SemGrep #Coverity #StaticAnalysis #Programming #C

    #semgrep #coverity #staticanalysis #programming #c
  3. 0xC0DEC0DE07EA @c0dec0dec0de ·

    One static analysis tool tells me to use `lstat` and `fstat` to avoid (or at least detect) malicious replacement of a file that I `open`. Then, after doing this, my other static analysis tool complains that I’ve introduced a TOCTOU (time-of-use, time-of-check) between `lstat` and `open`.

    Sure, but I’m going to detect that. Real issue I have with all of this is that there’s still a window (which I estimate to be the about the same size in both versions of this program) between creating this pseudoterminal file and the next interaction I have with it (be that pulling file stats with `lstat` or `open`ing it).

    #semgrep #coverity #staticanalysis #programming #c
  4. 0xC0DEC0DE07EA @[email protected] ·

    One static analysis tool tells me to use `lstat` and `fstat` to avoid (or at least detect) malicious replacement of a file that I `open`. Then, after doing this, my other static analysis tool complains that I’ve introduced a TOCTOU (time-of-use, time-of-check) between `lstat` and `open`.

    Sure, but I’m going to detect that. Real issue I have with all of this is that there’s still a window (which I estimate to be the about the same size in both versions of this program) between creating this pseudoterminal file and the next interaction I have with it (be that pulling file stats with `lstat` or `open`ing it).
    #SemGrep #Coverity #StaticAnalysis #Programming #C

    #c #programming #staticanalysis #coverity #semgrep