I was the kind of person who would run off-the-shelf tools on open source projects and report the findings (you know, those with a high false positive rate) hoping to help.

Now I'm the kind of person who will run tools made by myself on open source projects and report the findings hoping to help.

What changed was that I learned enough to develop tools to help. What remains the same is that I often struggle to understand the findings (but I'm improving at this).

#FreeSoftware #OpenSource #Python

In related news, I've reported a couple hundred bugs on Python C extensions this week, which became a couple dozen issues and PRs.

Very happy with the results, but the most important part to me is building (and releasing) the tools and running the analyses.

Shout out to the maintainers of h5py, lxml, Cython, APSW, psutil, kiwisolver, pyhacl, cereggii, atom, enaml, and maybe others I'm forgetting, for being receptive and giving feedback and guidance.

#Python

@danzin Thank you for reporting high-quality issues to us! What I really liked about your reports were the "confidence" and "classification" columns. To take an example, it reported the following:

> Secrets not zeroed classification=CONSIDER confidence=MEDIUM

Which is indeed something that is lacking from both pyhacl and HACL*. We are gonna discuss it with the people at HACL* :)

@drlazor8 Thank you for your kind words, working with you has been a real pleasure!

The tool has been evolving since I created the pyhacl report; I'll soon do a follow-up review to see if the new features catch anything else interesting.

And please let me know if you have other C extensions you'd like reviewed :)