Automatic source code security review portal


As part of its QA process, Debian has developed automatic checking tools that review Debian packages. These tools (lintian and linda) can be run locally by Debian maintainers and are also run by a portal so that all reports are public.

The Debian Security Audit Team started over a year ago, in an attempt to review the packages distributed by Debian with a set of security audit tools (after establishing some priorities for which packages to look at first).

In order to ease the security review process, those tools need to be run automatically over the whole archive and, using a set of pre-defined metrics, the results need to be used to detect the software the audit team should focus on. That way, security bugs would be detected and removed from vulnerable software before that software entered the "testing" distribution and, later, the "stable" distribution. Reducing the number of vulnerabilities in released software would benefit our users (their exposure when using the Debian distribution would be reduced) and would also help the project, since it would eventually reduce the workload of the Security Testing Team.

The goal of this project is to develop a source code security review service based on existing tools and a set of metrics in order to:

This service could help:

The service should be implemented so that new security audit tools can be introduced, should they become available.
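The following is an added example, not code from the Debian wiki page or from the Security Audit Team's tooling, sketching the two requirements above: running audit-tool reports through pre-defined metrics to rank the packages the audit team should look at first, and keeping the set of tools pluggable. The scanner output format ("toyscan", one `file:line:severity:message` record per line), the package names, the findings and the severity and priority weights are all constructed for illustration; only the Debian package priority names (required, important, standard, optional, extra) are real.

```python
"""Prioritisation harness for automatic source-code security review.

Added example; it assumes a hypothetical scanner called "toyscan" whose
report is one 'file:line:severity:message' record per line. Real audit
tools would each get their own parser registered the same way.
"""
from typing import Callable, Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    package: str
    tool: str
    severity: int      # 1 (informational) .. 5 (likely exploitable), tool-specific scale mapped here
    location: str      # file:line inside the source package


# Registry of parsers, one per audit tool. A new tool is introduced by
# registering a function that turns its raw report into Finding records;
# nothing else in the pipeline has to change.
PARSERS: Dict[str, Callable[[str, str], List[Finding]]] = {}


def register_tool(name: str):
    def decorator(fn: Callable[[str, str], List[Finding]]):
        PARSERS[name] = fn
        return fn
    return decorator


@register_tool("toyscan")
def parse_toyscan(package: str, report: str) -> List[Finding]:
    """Parse the (hypothetical) toyscan format: file:line:severity:message."""
    findings: List[Finding] = []
    for line in report.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # blank lines and comments carry no finding
        path, lineno, sev, _message = line.split(":", 3)
        findings.append(Finding(package, "toyscan", int(sev), f"{path}:{lineno}"))
    return findings


# Pre-defined metric (constructed weights): a high-severity finding counts far
# more than a pile of informational ones, and packages installed on every
# system (Debian priority "required"/"important") are boosted because a
# vulnerability there exposes more users.
SEVERITY_WEIGHT = {1: 1, 2: 2, 3: 5, 4: 10, 5: 25}
PRIORITY_MULTIPLIER = {"required": 3.0, "important": 2.0, "standard": 1.5,
                       "optional": 1.0, "extra": 0.5}


def score_package(findings: List[Finding], priority: str) -> float:
    base = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    return base * PRIORITY_MULTIPLIER.get(priority, 1.0)


def rank_archive(reports: Dict[str, Dict[str, str]],
                 priorities: Dict[str, str]) -> List[Tuple[str, float]]:
    """reports: {package: {tool_name: raw_report}}; returns packages, highest score first."""
    scored: Dict[str, float] = {}
    for package, per_tool in reports.items():
        findings: List[Finding] = []
        for tool, raw in per_tool.items():
            parser = PARSERS.get(tool)
            if parser is None:
                continue                  # report from an unregistered tool: skip, do not abort the run
            findings.extend(parser(package, raw))
        scored[package] = score_package(findings, priorities.get(package, "optional"))
    return sorted(scored.items(), key=lambda item: item[1], reverse=True)


# Constructed sample archive: three packages, one scanner report each.
SAMPLE_REPORTS = {
    "netd": {"toyscan": "src/main.c:120:5:fixed-size buffer filled with strcpy\n"
                        "src/util.c:40:2:return value of chdir ignored\n"},
    "imgconv": {"toyscan": "lib/decode.c:300:4:length from file used as array index\n"
                           "lib/decode.c:310:4:integer overflow in size computation\n"},
    "docs-tool": {"toyscan": "# no findings\n"},
}
SAMPLE_PRIORITIES = {"netd": "standard", "imgconv": "optional", "docs-tool": "extra"}


if __name__ == "__main__":
    for package, score in rank_archive(SAMPLE_REPORTS, SAMPLE_PRIORITIES):
        print(f"{package:12s} {score:6.1f}")
```

The metric is deliberately simple; in a real portal the weights would be tuned against the audit team's own triage history, and a second dimension (for example, whether the package is network-facing or setuid) would usually be added to the multiplier.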