[C-safe-secure-studygroup] Next Steps for the group - Update to WG14

Aaron Ballman aaron at aaronballman.com
Sat Sep 22 19:20:50 BST 2018


I agree, this is an excellent start. Thank you Laurence and Clive!

>> Some attempt has been made to begin writing - or 're-framing' - the rules so
>> that they would be suitable for static analysis tools, but not much
>> progress has been made here
> Not sure what’s meant by this.

I think this is talking about the fact that some MISRA rules are
machine checkable, but not in a practical sense over a very large code
base (scaling issues, essentially). For instance, identifier
uniqueness over the entire code base can be difficult to deal with in
large code bases with lots of identifiers. This may also be touching
on some of the things Martin has brought up regarding acceptable false
positive rates for various analyzers.

~Aaron

On Thu, Sep 20, 2018 at 5:49 AM, Clive Pygott <clivepygott at gmail.com> wrote:
> Good start Laurence
>
> I've restructured it a bit to give some background for any of the committee
> coming at it cold, and added a couple of my own thoughts
>
>      Clive
>
>
>
> On Wed, Sep 19, 2018 at 6:23 PM Laurence Urhegyi
> <Laurence.Urhegyi at codethink.co.uk> wrote:
>>
>> We just had the meeting. We only had representation from folks with a
>> safety-critical background, so couldn't make any progress looking through
>> rules, sadly.
>>
>> An update on current position of the group:
>>
>> We currently have no chairperson, as Robert cannot commit to this for the
>> rest of 2018 due to travel schedule. Others in the group cannot take on the
>> role due to other constraints. This means we also don't have enough
>> contribution from people with security-critical expertise: Aaron and Martin
>> have been trying their best but cannot always attend on a regular basis.
>>
>> We're due to present an update at the next WG14 meeting (w/c Mon Oct 15,
>> Pittsburgh, USA). The ideal outcome would be encouraging some additional
>> contributors to come forward, and maybe even a chairperson. At the very
>> least, some group attendees can meet f2f and take stock of where we're at.
>>
>> Below is a first pass of an outline for the update we intend to give. I'd
>> like to request that people review the below and add to it as they see fit.
>> Any contributions are appreciated. In the meantime we'll continue to hold
>> these meetings and hope more people can be available.
>>
>> WG14 Update
>> ~~~~~~~~~~~
>>
>> * We've been working through the MISRA-C rules to triage them to identify
>> whether they'd fit into a Safety, Security or Safety and Security profile
>> for a technical document, where the rules would be aimed at diagnosis by
>> static analysis tools, as opposed to rules for programmers - along with an
>> established deviation process - as MISRA targets.
>> * We're just over half way through the MISRA-C rules.
>> * After this is complete, the plan is to move on to writing the new rules
>> for the new technical document, addressing the three profiles mentioned
>> above.
>> * Some attempt has been made to begin writing - or 're-framing' - the
>> rules so that they would be suitable for static analysis tools, but not
>> much progress has been made here.
>> * Overall progress is slower than hoped for.
>> * We currently have no chairperson and a lack of contributions from people
>> with security-critical expertise, due to constraints on availability more
>> than any other factor.
>>
>>
>> _______________________________________________
>> C-safe-secure-studygroup mailing list
>> C-safe-secure-studygroup at lists.trustable.io
>>
>> https://lists.trustable.io/cgi-bin/mailman/listinfo/c-safe-secure-studygroup
