Reply to post: Re: Oh, goodie!

Carnegie-Mellon Uni emits 'don't be stupid' list for C++ developers

Ken Hagan Gold badge

Re: Oh, goodie!

"There is very little out there to help stop you from accidentally writing code..."

and a 435 page tome is not going to help with that one iota because unless the checking is automated it simply won't happen. No-one has the time and energy to check each line of new code against such a vast list.

"Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes)."

As it happens, I already have a compiler that will test quite a number of these things in those cases where it can be checked at compile-time. (Modern compilers do pretty much everything that lint did 20 years ago.) The difficulty is that we still have all the undecidable cases left over and (as hinted by an earlier commentard) any sufficiently powerful language will allow undecidable cases.

If CERT (or anyone else) has a magic wand that will point at those cases (with sufficiently few false positives that it is actually worth me reading the output and sufficiently many true positives that I can justify splashing the cash on the tool) then I'm all ears. They could prove the worth of their tool by pointing it at some of the millions of lines in popular FOSS projects and submitting bug reports for all the security problems *before* they are posted as 0-days. (And yes, some vendors have tried this, but the fact that everyone didn't immediately go "wow!" and buy their product suggests that the results weren't clear-cut. Perhaps all the low-hanging fruit in this area were eaten by lint when I was in short trousers and even the medium-height stuff has been picked off by language evolution since then.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019