Fortify Source Code Analysis

Ethan Blanton elb at pidgin.im
Wed May 18 16:25:44 EDT 2011


Kenny_Herold at cargill.com spake unto us the following wisdom:
> Just wondering if your development team had ever entertained the
> thought of submitting your source code for a static code analysis by
> Fortify.  It is free of charge and can be a source validation for any
> disputes on potential vulnerabilities, as well as a means of ensuring
> that your code is secure in other ways than a code walk-through or
> peer review.

Pidgin has been scanned by a number of automated security scanners
over the years; I am not sure off the top of my head whether Fortify
is one of them.

> Our organization had a request to introduce your application into our
> environment, which, in part, was rejected because of the inability to
> scan the source code because there were snippets of some languages
> that we did not license for with Fortify.

You should be able to validate the important parts of Pidgin
functionality by scanning *only* C language files.  I'm not sure what
you did not have a license for, but the only non-C language sources
which are actually linked to Pidgin are plugin loaders which can be
trivially disabled at compile time (Perl, Tcl, and Mono (C#)).  There
are Python, shell, and possibly other sources which are used only for
build-time issues, and their security need not be validated for
deployment (provided you are not validating the build process, and I
don't know why you would).

Ethan