Veracode Scan


Boost - Users mailing list

Hi There,

As part of the release practice in our org., we have run a Veracode (static) scan on our application, which uses BOOST. We got a good amount of errors pointing to the BOOST libraries. Detecting the false positives and fixing the code will be a tedious task.

So, I want to know if anyone in the community has faced such situations and wants to share their experience on resolving those.

~Thanx

Abhijit


_______________________________________________
Boost-users mailing list
[hidden email]
https://lists.boost.org/mailman/listinfo.cgi/boost-users

Re: Veracode Scan

Boost - Users mailing list
Yes. Veracode gives false positives all the time.

I had a scan fail my application, complaining about boost::asio::endpoint. I traced the line it was complaining about and it didn't like a memcpy with 16 bytes passed in as a param, with a destination field that was 16 bytes. Veracode called that a stack-based buffer overrun. There is nothing wrong with boost::asio::endpoint that I can see.



On Wed, May 2, 2018 at 2:08 AM, Abhijit Dutta via Boost-users <[hidden email]> wrote:



_______________________________________________
Boost-users mailing list
[hidden email]
https://lists.boost.org/mailman/listinfo.cgi/boost-users
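The finding Christopher describes is a fixed-size memcpy into a field of the same size. As an added example (not Boost.Asio's code and not from this thread), the block below shows the shape of that copy with the size relationship made explicit, so a reviewer triaging such a finding can see why it cannot overrun. The struct `in6_addr_like`, the alias `bytes16` and the function names are constructed stand-ins for a 16-byte IPv6 address field; the checked variant refuses any length other than the field size instead of writing.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iterator>

// Constructed stand-in for a 16-byte address field such as the one inside
// a sockaddr_in6 (hypothetical type, not boost::asio's own code).
struct in6_addr_like {
    unsigned char s6_addr[16];
};

using bytes16 = std::array<std::uint8_t, 16>;

// Fixed-size copy: source and destination sizes are tied together at compile
// time, so the memcpy length can never exceed the destination field.
inline void copy_address_fixed(in6_addr_like& dst, const bytes16& src) {
    static_assert(sizeof(dst.s6_addr) == std::tuple_size<bytes16>::value,
                  "destination field and address byte array must match in size");
    std::memcpy(dst.s6_addr, src.data(), sizeof(dst.s6_addr));
}

// Runtime-length variant: when the caller supplies a length, the only path to
// memcpy requires len == sizeof(dst.s6_addr); anything else returns false and
// leaves the destination untouched. This is the invariant a triager looks for.
inline bool copy_address_checked(in6_addr_like& dst,
                                 const std::uint8_t* src,
                                 std::size_t len) {
    if (src == nullptr || len != sizeof(dst.s6_addr)) {
        return false;
    }
    std::memcpy(dst.s6_addr, src, sizeof(dst.s6_addr));
    return true;
}

// Compare the field against an expected 16-byte array.
inline bool address_equals(const in6_addr_like& a, const bytes16& expected) {
    return std::equal(std::begin(a.s6_addr), std::end(a.s6_addr),
                      expected.begin());
}

int main() {
    // Constructed sample input: the IPv6 loopback address ::1 as raw bytes.
    bytes16 loopback{};
    loopback[15] = 1;

    in6_addr_like field{};
    copy_address_fixed(field, loopback);

    // A short buffer is rejected and the field is left as it was.
    std::uint8_t short_buf[8] = {0};
    bool rejected = !copy_address_checked(field, short_buf, sizeof(short_buf));

    return (address_equals(field, loopback) && rejected) ? 0 : 1;
}
```

When a tool flags a copy like this, the useful triage question is whether the length passed to memcpy is derived from the destination's own size (as above) or from untrusted input; the former is a candidate for marking as a false positive, the latter is a real finding.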

Re: Veracode Scan

Boost - Users mailing list

Thanks Christopher. Did you find any valid cases detected by Veracode as such?

From: Boost-users [mailto:[hidden email]] On Behalf Of Christopher Pisz via Boost-users
Sent: 02 May 2018 19:14
To: [hidden email]
Cc: Christopher Pisz <[hidden email]>
Subject: Re: [Boost-users] Veracode Scan

_______________________________________________
Boost-users mailing list
[hidden email]
https://lists.boost.org/mailman/listinfo.cgi/boost-users