
A Root Canal Static Analysis Based Audit of Zephyr – Munawar Hafiz, OpenRefactory

Zephyr is undergoing an introspection process regarding its code quality. As part of that, CodeChecker static analysis support was integrated in Zephyr 3.5.0. CodeChecker brings in 10 different linters and static analyzers, including the Clang Static Analyzer, clang-tidy, Cppcheck and Facebook Infer. Beyond that, deeper static analysis is required to find more bugs: Cppcheck, for example, detects only a limited set of buffer errors and does not detect input validation errors at all. OpenRefactory has been working with the Alpha Omega project under the Linux Foundation to scan the top 10,000 Java, Python and Go projects, triage the results, report bugs and work with the maintainers to fix them. In this talk, we report on the results of a thorough security audit of the Zephyr code. CodeChecker is like a good flossing habit; the audit performed by OpenRefactory is comparable to a root canal procedure.
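The distinction the abstract draws between a buffer error and an input validation error, as an added illustration that is not from the talk and not from the Zephyr code base: the wire format, the `struct msg` type and the `parse_unchecked`/`parse_checked` functions below are constructed for this example. Nothing in `parse_unchecked` is out of bounds on its face; the overflow only exists because a length byte taken from the input is trusted, which is exactly the kind of bug that needs data-flow reasoning rather than a syntactic check. This example makes no claim about what any particular tool reports on it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example: [len][len bytes of payload]. */
#define PAYLOAD_MAX 16

struct msg {
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* Vulnerable: the length byte comes from the network and is used as the copy
 * size without any check. A len > PAYLOAD_MAX writes past out->payload, and a
 * len larger than the bytes actually received reads past the input buffer.
 * Every index and pointer here is well formed syntactically; the defect is
 * missing validation of attacker-controlled data. */
int parse_unchecked(const uint8_t *buf, size_t buflen, struct msg *out)
{
    if (buflen < 1) {
        return -1;
    }
    out->len = buf[0];
    memcpy(out->payload, buf + 1, out->len); /* attacker-controlled length */
    return 0;
}

/* Hardened: validate the untrusted length against both the destination
 * capacity and the amount of input that is really present before copying. */
int parse_checked(const uint8_t *buf, size_t buflen, struct msg *out)
{
    if (buflen < 1) {
        return -1;
    }
    uint8_t len = buf[0];
    if (len > PAYLOAD_MAX) {
        return -2; /* would overflow out->payload */
    }
    if ((size_t)len > buflen - 1) {
        return -3; /* would read beyond the received bytes */
    }
    out->len = len;
    memcpy(out->payload, buf + 1, len);
    return 0;
}

int main(void)
{
    /* Constructed sample packets. */
    const uint8_t good[] = {3, 'a', 'b', 'c'};
    const uint8_t oversized[] = {200, 'x'};   /* claims 200 bytes of payload */
    const uint8_t truncated[] = {5, 'a'};     /* claims 5 bytes, delivers 1 */
    struct msg m;

    printf("good:      %d\n", parse_checked(good, sizeof good, &m));
    printf("oversized: %d\n", parse_checked(oversized, sizeof oversized, &m));
    printf("truncated: %d\n", parse_checked(truncated, sizeof truncated, &m));
    return 0;
}
```

The second check in `parse_checked` matters as much as the first: a length that fits the destination but exceeds the bytes received is an over-read, and over-reads leak adjacent memory just as reliably as over-writes corrupt it.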

Date: April 26, 2024