Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Mar 2013 17:31:02 -0400
From: Corey Bryant <>
To: Russ Allbery <>
Subject: Re: Security vulnerability tools

On 03/27/2013 04:31 PM, Russ Allbery wrote:
> Corey Bryant <> writes:
>> Clang
>> -----
>> Static analysis tool for C/C++
> Clang is, properly speaking, a compiler.  It happens to also have a static
> analyzer available as part of the same code base.
> If you're going to mention Clang, it's probably also pointing out that
> good old GCC has very extensive warning flags that can, among other
> things, find possible security vulnerabilities by locating variables that
> are used before being set, dangerous printf formats, mismatches between
> printf formats and arguments, and so forth.  For example, I currently use:
> WARNINGS = -g -O -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wendif-labels           \
>          -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement  \
>          -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align           \
>          -Wwrite-strings -Wjump-misses-init -Wlogical-op                     \
>          -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls          \
>          -Wnested-externs -Werror
> with GCC (4.6 or later) with all of my software.  Many of those are not
> security-related, of course, but -Wformat=2 certainly is, and some of the
> -Wall and -Wextra warnings are as well.

Great, thanks for the input.  I don't see any reason to not include gcc 
warning options.

Corey Bryant

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ