Re: [Qemu-devel] QEMU CII Best Practices record

[Stefan Hajnoczi <stefanha@gmail.com>]

On Fri, Oct 13, 2017 at 02:25:07PM +0100, Daniel P. Berrange wrote:
> Many projects these days are recording progress wrt CII best practices
> for FLOOS projects. I filled out a record for QEMU:
> 
>   https://bestpractices.coreinfrastructure.org/projects/1309
> 
> I only looked at the 'Passing' criteria, not considered the 'Silver' and
> 'Gold' criteria. So if anyone else wants to contribute, register an
> account there and tell me the username whereupon I can add you as a
> collaborator.
> 
> Two items I don't think QEMU achieves for the basic "Passing" criteria
> 
>  -  The release notes MUST identify every publicly known vulnerability
>     that is fixed in each new release.
> 
>     I don't see a list of CVEs mentioned in our release Changelogs or
>     indeed a historic list of CVEs anywhere even outside the release
>     notes ?
> 
>  - It is SUGGESTED that if the software produced by the project includes
>    software written using a memory-unsafe language (e.g., C or C++), then
>    at least one dynamic tool (e.g., a fuzzer or web application scanner)
>    be routinely used in combination with a mechanism to detect memory
>    safety problems such as buffer overwrites.
> 
>    NB this is not 'coverity' which falls under the 'static anlaysis'
>    group. I'm unclear if anyone in the community does regular fuzzing
>    or analysis with ASAN & equiv ?

I'm not aware of automated ASAN or Valgrind runs although developers
tend to run them in ad-hoc fashion during development.

Stefan