Posted by greggles on March 22, 2011 at 9:41am
The secure code review module was a great success from SOC2010. It would be great to enhance it further for 2011.
Possible ideas:
- Extending the rules it uses to find vulnerabilities so it can catch all of the contributed module vulnerabilities announced in 2010, 2009, etc. (this isn't fully practical, but getting just 50% or so would be a great improvement!)
- Abstracting the reporting to something more standard - currently the module uses its own logging mechanism which goes to a flat file. It would be great to use something more centralized like log4drupal
- Anything else a student might find
Jim Berry is an obvious candidate for this if he is still interested in participating as a student, otherwise he would make a great mentor. I would also be willing to help as a mentor on this or any other security related project.

Comments
I'm interested
I am interested in many "drupal" ideas, especially those related to security;
even though I am a beginner in security issues, I think I can work on this idea;
so it will be great to work with you :)
I don't think I got the first point.
What I understood for now: when someone finds and reports a security issue, it's posted on the security advisories page.
So, I took a look at it and there were reports like "Module N: version X has this security issue: [explanation]. So if you are running this version of the module, update to version Y".
The purpose of the module should be to review contrib modules, searching for security issues.
Your idea is to take the already known issues and try to find them programmatically? By doing so, it would be possible to build a reviewer that checks the security of the code.
Just read main page of Secure Code Review module and found it great!
(I'm studying compilers this semester ^^)
Well, I will apply for GSoC this year and would like to talk about these enhancements you are proposing...
I'm eltermann at IRC.
Yes, the idea is that most mistakes can be found programmatically. So, if we can write the secure_code_review tool to find the mistakes listed on security/contrib, then we can run the tool on the rest of the contributed modules to try and identify the same vulnerability in other modules.
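The rule-based scanning greggles describes, as an added example that is not part of the original post or of the secure_code_review module: a small token-based PHP check that flags db_query() calls whose query string is built from a variable instead of placeholders, with findings routed through a pluggable logger rather than a hard-coded flat file. The function names, the rule name, the $logger callback and the sample module source are constructed for illustration.

```php
<?php
// Added example, not the secure_code_review module's own code.
// Rule: a db_query() whose first argument contains a T_VARIABLE token
// (interpolated "... $x" or concatenated '...' . $x) is reported.
// Variables after the first comma are placeholder arguments and are ignored.
function scr_find_dynamic_db_query(string $source): array {
  $findings = [];
  $tokens = token_get_all($source);
  $n = count($tokens);
  for ($i = 0; $i < $n; $i++) {
    $t = $tokens[$i];
    if (!is_array($t) || $t[0] !== T_STRING || $t[1] !== 'db_query') {
      continue;
    }
    $line = $t[2];
    $depth = 0;
    // Walk the call's argument list; stop at the first top-level comma or the closing paren.
    for ($j = $i + 1; $j < $n; $j++) {
      $u = $tokens[$j];
      if ($u === '(') { $depth++; continue; }
      if ($u === ')') { if (--$depth === 0) { break; } continue; }
      if ($depth === 1 && $u === ',') { break; }
      // Only direct use in the query string is flagged; a variable passed to a
      // nested call (depth > 1) is left alone, so this rule can miss cases.
      if ($depth === 1 && is_array($u) && $u[0] === T_VARIABLE) {
        $findings[] = ['rule' => 'db_query_dynamic_string', 'line' => $line, 'var' => $u[1]];
        break;
      }
    }
  }
  return $findings;
}

// Constructed sample module source: one call with a placeholder, two without.
$sample = <<<'PHP'
<?php
function example_page($nid, $type) {
  $ok  = db_query("SELECT title FROM {node} WHERE nid = %d", $nid);
  $bad = db_query("SELECT title FROM {node} WHERE nid = $nid");
  $bad2 = db_query('SELECT title FROM {node} WHERE type = ' . $type);
}
PHP;

// The logger is a callable so the same report can go to a file, syslog or a central log.
$logger = function (string $message): void { fwrite(STDERR, $message . "\n"); };
foreach (scr_find_dynamic_db_query($sample) as $f) {
  $logger(sprintf('[%s] line %d: variable %s used inside the query string', $f['rule'], $f['line'], $f['var']));
}
```

Run with the PHP CLI; the two findings are reported for lines 4 and 5 of the sample, and the placeholder-based call on line 3 is not flagged.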