[Bug 35984] New: automated static code analysis should include security tests
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35984 Bug ID: 35984 Summary: automated static code analysis should include security tests Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: evelyn@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org A few libraries have asked recently if, prior to production/during the development lifecycle, automated source code analysis tools are used to test for security flaws specifically. Typically these questions are in relation to processes like renewing cybersecurity insurance or initial discovery by a potential partner library's security/IT department. Perlcritic seems to be currently used, but as far as I can tell it appears the tests are for enforcing the coding standard. Using an automated tool to look for security flaws will be a beneficial addition to the project, so I'd like to at least start the discussion here. OWASP has an informational page for further reading: https://owasp.org/www-community/controls/Static_Code_Analysis -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35984 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35984 Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |emily.lamancusa@montgomeryc | |ountymd.gov -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35984 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- I think it's an interesting idea that we should certainly explore. I remember hearing about RATS but I don't think it's actually maintained: https://manpages.ubuntu.com/manpages/trusty/man1/rats.1.html I didn't realise until now but Perl::Critic apparently does have a "security" theme. I think this is probably the direction we should pursue. We could always develop our own Perl::Critic policies (which leverages PPI under the hood). -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35984 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=34347 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org