Developers of a static analyzer decided to recheck the FreeBSD project and to show that even in such serious and qualitative projects PVS-Studio easily finds errors. This was the topic of their blog post - . Although this project is regularly checked by other known analyzer C*****y, it had a considerable number of potential vulnerabilities (CWE).

As the author states, he spent just 2-3 hours looking for the potential vulnerabilities, but it took him about 3 weeks to put it all in an article. The reason for the delay was that PVS-Studio issued a great number of general-analysis warnings, which had to be handled by doing certain settings of the analyzer. The vast majority of false positives appears because of various macros and they can be easily eliminated by using a variety of mechanisms, provided by PVS-Studio. Further on, the author gives examples of the tool customization with examples.

Besides the standard Copy-Paste errors and typos there were also 56 potential vulnerabilities detected. Of course, only a few of the found CWE errors can turn into CVE (more details about the difference between CWE and CVE can be found here ). However, the more bugs that fall under the classification of CWE are found by static analysis, the better.

There is no doubt that the use of the static analyzer will be much higher if it is used regularly, not occasionally. A one-time check, like the one the author described in the article, can be a good way of showing the abilities of the analyzer, but it won’t be of real use to the project. The whole point of static analysis is that a lot of errors can be corrected at an early phase of the development. Additionally, it is much easier to keep the analyzer report “clean” and not to look for errors among hundreds of false positives. Here we have a complete analogy with the compiler warnings.

P.S. This is the second analysis of FreeBSD using PVS-Studio. The report of 2016 can be viewed by the link - .