On 4/16/21 1:02 AM, Kamil Dudka wrote:
> We have to (re)verify the software that we distribute in the end.

Understandable.

> I am reading your responses as "upstream is not going to change anything".  We
> will have to find some ways to deduplicate and record these false positives on
> our side then.

Another possibility would be to libraryize Gnulib, scan that library once and record its false positives on your side once, and then change Gnulib-using packages to use that library instead of their in-source Gnulib copies. This would also be some work on your side, but it might fit better into your workflow.

One qualm I have with this idea is that whole-program static analysis can do a better job than per-module static analysis. But you're already giving up on whole-program analysis with the other libraries, and adding one more library to the mix shouldn't hurt much.
