[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[netCDF #BDF-181549]: security vulnerability checking

This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.

Subject: [netCDF #BDF-181549]: security vulnerability checking
Date: Wed, 14 May 2008 08:54:58 -0600

Hi Robert,

We have made internal checks for buffer overflows in the netCDF
C library, using our extensive test suite and tools such as
Electric Fence, dbx "check access" tools, and the libumem library
on Solaris.  Most tools that are good for finding memory leaks
can also check for buffer overflows and other memory access violations
that can be exploited.

We don't believe there are remaining buffer overflows our code, but
would like better tools for detecting these and other security
problems.

NOAA has a license for a commercial tool that scans C, C++, and Java
code for possible security problems.  They have run this on netCDF,
but so far won't share the results with us.  The tool costs about
$15k, and we couldn't justify purchasing it without knowing whether
it could find any actual problems.

Our latest approach has been to request a scan of our code from
Coverity

  http://scan.coverity.com/about.html

who donates analysis of Open Source projects to the developers to help
improve the security of Open Source software.  We initially requested
a scan in January 2008, but got no response, so I have just requested
analysis of a smaller subset of our software by Coverity.  You might
try the same approach after reading the FAQ on the web site above.

--Russ

Russ Rew                                         UCAR Unidata Program
address@hidden                     http://www.unidata.ucar.edu



Ticket Details
===================
Ticket ID: BDF-181549
Department: Support netCDF
Priority: Normal
Status: Closed

Prev by Date: [netCDF #AUD-213411]: bug fix for netcdf under gcc-4.3
Next by Date: [netCDF #HJG-499978]: Compiling a netCDF library using Intel Visual
Previous by thread: [netCDF #BDF-181549]: security vulnerability checking
Next by thread: [netCDF #AUD-213411]: bug fix for netcdf under gcc-4.3
Index(es):
- Date
- Thread