Automatic source code security review portal
Summary: Portal to implement automatic security review of Debian distributed software
- C programming (internals and tools)
- PHP programming (frontend)
As part of its QA process, Debian has developed some automatic checking tools to do an automatic review of Debian packages. These tools (lintian and linda) can be used locally by Debian maintainers and are also used in a portal so that all reports are public.
In order to ease the security review process, these tools need to be run automatically over the whole archive and, using some pre-defined metrics, single out the software the audit team needs to focus on. That way, security bugs would be detected and removed from vulnerable software before it is introduced into the "testing" distribution and, later, into the "stable" distribution. Reducing the number of vulnerabilities in released software would benefit our users (their exposure when using the Debian distribution would be reduced) and would also help the project, as it would eventually reduce the workload of the Security Testing Team.
The goal of this project is to develop a source code security review service based on existing tools and a set of metrics in order to:
- automatically generate and publish reports from these tools, run over the whole archive
- generate a "security" score for the different packages available
- show graphs of how the score evolves, both for individual packages and for the distribution as a whole
- detect which packages cannot be reviewed (using these tools) because of the way they are being packaged
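The aggregation step behind these goals (per-package score, archive-wide score, score evolution between two runs, and detection of packages the tools could not process), as an added example that is not part of this proposal or of Debian's tooling. The severity weights, the `Report` shape and the sample reports are assumptions; the proposal only says "pre-defined metrics".

```python
from dataclasses import dataclass, field

# Assumed metric: weight per finding severity. The proposal does not fix one.
SEVERITY_WEIGHT = {"high": 10, "medium": 3, "low": 1}


@dataclass
class Report:
    """One checker's result for one source package (assumed shape)."""
    package: str
    tool: str
    status: str  # "ok" if the tool ran, otherwise the failure reason
    findings: dict = field(default_factory=dict)  # severity -> count


def score_package(reports):
    """Weighted sum of findings across all tools that ran successfully."""
    return sum(SEVERITY_WEIGHT.get(sev, 0) * n
               for r in reports if r.status == "ok"
               for sev, n in r.findings.items())


def summarize_archive(reports):
    """Return (per-package scores, archive-wide mean, unreviewable packages).

    A package is unreviewable when no tool at all could process it, e.g.
    because of the way it is packaged; it gets no score rather than a
    misleading zero.
    """
    by_pkg = {}
    for r in reports:
        by_pkg.setdefault(r.package, []).append(r)
    scores, unreviewable = {}, []
    for pkg, rs in by_pkg.items():
        if all(r.status != "ok" for r in rs):
            unreviewable.append(pkg)
        else:
            scores[pkg] = score_package(rs)
    overall = sum(scores.values()) / len(scores) if scores else 0.0
    return scores, overall, sorted(unreviewable)


def score_delta(old_scores, new_scores):
    """Per-package change between two runs, the input for evolution graphs."""
    return {p: new_scores.get(p, 0) - old_scores.get(p, 0)
            for p in set(old_scores) | set(new_scores)}


# Constructed sample reports from two hypothetical checkers.
SAMPLE = [
    Report("foo", "checker-a", "ok", {"high": 1, "low": 4}),
    Report("foo", "checker-b", "ok", {"medium": 2}),
    Report("bar", "checker-a", "unpack failed: source is a tarball inside the package"),
    Report("bar", "checker-b", "unpack failed"),
    Report("baz", "checker-a", "ok", {}),
]
```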
This service could help:
- Package maintainers and upstream authors, as they could use the published reports to review the software they are maintaining
- The Security Audit Team, since it could focus on software that is highlighted as "more vulnerable" than others
The service should be implemented so that new security audit tools can be added, should they become available.