We aim to meet the OpenSSF Best Practices passing or higher badge level. One of the requirements is to run dynamic code analysis on the project's source code.
See the "Analysis" section here: https://bestpractices.coreinfrastructure.org/en/projects/2288
Is there anyone on this project with expertise in this area?
The ASWF makes SonarQube available to us, and cppcheck (C, C++), clang static analyzer (C, C++) seem relevant. Is there a well known Python static analysis tool we could use to satisfy this?
Details from OpenSSF Best Practices:
It is SUGGESTED that at least one dynamic analysis tool be applied to any proposed major production release of the software before its release. [dynamic_analysis] Hide details
A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.
We aim to meet the OpenSSF Best Practices passing or higher badge level. One of the requirements is to run dynamic code analysis on the project's source code.
See the "Analysis" section here: https://bestpractices.coreinfrastructure.org/en/projects/2288
Is there anyone on this project with expertise in this area?
The ASWF makes SonarQube available to us, and cppcheck (C, C++), clang static analyzer (C, C++) seem relevant. Is there a well known Python static analysis tool we could use to satisfy this?
Details from OpenSSF Best Practices: