Looking back at all (now) published vulnerabilities in #curl that were present in code from 2020 until now, at no point in those years was the share of "C mistakes" higher than 15% of all vulns.

Through all years, the C mistake share of all vulnerabilities in #curl was never above 45% at any single point in history.

@bagder What changed ~2018? That's a pretty steep decline in C-related vulnerabilities.
@jake @bagder
There is also a jump after 2012 till 2018 for 'C mistakes'. That is definitely related to better tooling, e.g. sanitizers (which came out in 2012).
Also, as you find the 'C mistakes' ones, there are fewer of them. And with folks now running with sanitizers on a daily basis, you will find them earlier. Not just about the curl project doing it but folks in general.
@pinskia @jake yes, the tooling has improved throughout all this time. Also: CI started to become a big thing in the 2015-2020 time-frame and OSS-Fuzz started fuzzing curl in 2017