Security Static Code Analysis

Norrin · August 6, 2019, 11:20am

Hi, did you take into consideration using available static code security analysis tools to automatically discover vulnerabilities in code? Most of them are free and integrated with Github, so they can even create tasks/issues to fix open gaps in code.

Examples

Snyk - https://snyk.io/test/ (free, does require only manifest file)
LGTM - https://lgtm.com/ (free, does not support Go, but can be used for other components e.g. Lunie)
WhiteSource Bolt - https://bolt.whitesourcesoftware.com/github/
SonarCloud - https://sonarcloud.io/about

List of others

drzow · August 26, 2019, 1:49pm

If you are asking about a security analysis of Tendermint and the Cosmos-SDK, multiple third party assessments have been done of those code bases – I would assume that those third parties were using either these tools or ones like them to catch the low-hanging fruit. Of course, each of those assessments was a point-in-time event, so your point still has merit from a continuous integration / assessment perspective. Having chatted a good deal with the security team at Tendermint (AIB), I would expect that they are doing something to this end.

Cheers,
Terry

Topic		Replies	Views
Tendermint Core Security Advisory Syringa Security	1	1461	July 2, 2020
[Development Tools] Cosmos & Tendermint Ecosystem	1	3386	October 6, 2019
Additions to the bug bounty program Miscellaneous	1	2207	November 20, 2018
Cosmos Mainnet Security Advisory Lavender Security	7	4453	April 10, 2020
Cosmos Mainnet Security Advisory Periwinkle Security	2	3661	October 29, 2019

Security Static Code Analysis

Related Topics