NSS Static Analysis

When I started working on NSS 7 months ago, one of the tasks I was asked to do was to work through the related Coverity issues. This post summarises some learnings from this, as we've come a long way over the last months.

Static analysis plays a crucial part in locating vulnerabilities and bugs during development. For NSS we currently use multiple static analysis tools. While scan-build as well as infer are great applications to find bugs, they require a lot of manual management. Features such as the incremental analysis of infer help with that though. Nonetheless, Coverity with its rich interface is the tool driving day to day analysis of NSS.

When I started working on static analysis issues in NSS we only had Coverity scans for NSS releases in Firefox, which meant that we had to wait for six weeks or more to get feedback from the analyser on possible bugs. Now we have regular scans of the NSS tree as well as local scans with scan-build and infer.

Challenges of a crypto library

A big challenge when doing static analysis of a low-level (cryptographic) library is the high number of false positives. A finding such as a tainted value is very likely to point at totally benign code that shifts some bits around, as is often necessary for efficiently and securely implemented crypto algorithms. Many false positives also mean a lot of work without actually improving the code, and an increased probability of missing an actual bug.
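The kind of benign bit manipulation described above, as an added example (not NSS code and not from the original post): a branch-free PKCS#7 padding check in C, where a byte taken from decrypted data flows into shifts and masks but never into an array index or loop bound. The function names are hypothetical, and that a particular analyser reports this pattern as a tainted value is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All-ones if a < b, else zero; branch-free at source level (inputs < 2^31). */
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    return (uint32_t)0 - ((a - b) >> 31);
}

/* All-ones if a == b, else zero. */
static uint32_t ct_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    return ~((uint32_t)0 - ((x | ((uint32_t)0 - x)) >> 31));
}

/* Returns the PKCS#7 padding length of buf[0..len-1], or 0 if the padding is
 * malformed. `pad` is read from decrypted, attacker-influenced data, so a
 * taint checker sees it flow into arithmetic and comparisons (assumption:
 * this is what gets reported). Every use is masked; the loop bound and all
 * array indices depend only on `len`. */
unsigned check_padding(const uint8_t *buf, size_t len)
{
    uint32_t pad, good, i;

    if (len == 0 || len > 255)
        return 0;
    pad = buf[len - 1];
    /* Valid range is 1 <= pad <= len. */
    good = ~ct_eq(pad, 0) & ~ct_lt((uint32_t)len, pad);
    for (i = 0; i < len; i++) {
        uint32_t in_pad = ct_lt(i, pad);  /* all-ones for the last `pad` bytes */
        uint32_t b = buf[len - 1 - i];
        good &= ~in_pad | ct_eq(b, pad);  /* padding bytes must equal pad */
    }
    return pad & good;
}

int main(void)
{
    /* Constructed sample: 12 data bytes followed by 04 04 04 04. */
    uint8_t block[16] = {'s','a','m','p','l','e',' ','b','l','o','c','k',4,4,4,4};
    printf("padding length: %u\n", check_padding(block, sizeof block));
    return 0;
}
```

Triaging a report on code like this means confirming that the flagged value is bounded by a mask before any use that could go out of range, which here it is by construction.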

Dealing with technical debt

A library as old as NSS naturally comes with a lot of technical debt, which creates a huge backlog of static analysis bugs, mostly in code that hasn't been of much interest to most developers so far.

Coverity Analysis Overview

In our case tools such as Coverity come in especially handy as they allow for regular incremental scans with automatic updates on new bugs. We still have a long way to go to fix old bugs but the good news is that new bugs are rarely introduced and newly introduced bugs get fixed right away.

Coverity density over time

The long-term goal is obviously to reduce the backlog of bugs to an acceptable level by either fixing or removing the code. But I think static analysis tools have already significantly improved the quality of all new code.