
posted by Fnord666 on Friday August 23 2019, @10:44AM
from the static-code-analysis dept.

Submitted via IRC for SoyCow2718

Facebook doesn't have the most stellar privacy and security track record, especially given that many of its notable gaffes were avoidable. But with billions of users and a gargantuan platform to defend, it's not easy to catch every flaw in the company's 100 million lines of code. So four years ago, Facebook engineers began building a customized assessment tool that not only checks for known types of bugs but can fully scan the entire codebase in under 30 minutes—helping engineers catch issues in tweaks, changes, or major new features before they go live.

The platform, dubbed Zoncolan, is a "static analysis" tool that maps the behavior and functions of the codebase and looks for potential problems in individual branches, as well as in the interactions of various paths through the program. Having people manually review endless code changes all the time is impractical at such a large scale. But static analysis scales extremely well, because it sets "rules" about undesirable architecture or code behavior, and automatically scans the system for these classes of bugs. See it once, catch it forever. Ideally, the system not only flags potential problems but gives engineers real-time feedback and helps them learn to avoid pitfalls.

"Every time an engineer makes a proposed change to our codebase, Zoncolan will start running in the background, and it will either report to that engineer directly or it will flag to one of our security engineers who's on call," says Pieter Hooimeijer, a security engineering manager at Facebook. "So it runs thousands of times a day, and found on the order of 1,500 issues in calendar year 2018."

Source: https://www.wired.com/story/facebook-zoncolan-static-analysis-tool/?verso=true
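As an added example (not code from the page, from Facebook or from Zoncolan), here is a miniature of the rule-based, path-following analysis the article describes, written in Python over Python's own `ast`: rules name where untrusted input enters, where it must not arrive, and what clears it; per-function summaries let the scan follow a tainted value across a call into another function, and the sanitizer rule is the kind of tuning that keeps a clean path from being reported as a false positive. Every function name, rule and the sample code under analysis is constructed for the illustration.

```python
import ast
# Rules: where untrusted data enters, where it must not arrive, what clears it.
SOURCES, SINKS, SANITIZERS = {"request_param"}, {"run_query"}, {"escape_sql"}
# Constructed code under analysis (not real Facebook code).
SAMPLE = '''
def lookup(name):
    return run_query("SELECT * FROM users WHERE name = '" + name + "'")
def safe_lookup(name):
    return run_query(escape_sql(name))
def handler():
    user = request_param("user")
    lookup(user)        # taint crosses the call into run_query: reported
    safe_lookup(user)   # cleared by the sanitizer before the sink: not reported
'''
def call_name(node):
    return node.func.id if isinstance(node.func, ast.Name) else ""
def tainted(expr, taint):
    # Sources create taint, sanitizers clear it, every other node passes it
    # through (conservative, and one cause of the false positives such tools raise).
    if isinstance(expr, ast.Name):
        return expr.id in taint
    if isinstance(expr, ast.Call) and call_name(expr) in SOURCES | SANITIZERS:
        return call_name(expr) in SOURCES
    return any(tainted(c, taint) for c in ast.iter_child_nodes(expr))
def scan_function(fn, taint, summaries):
    # Lines in fn where taint reaches a sink, either directly or through a call
    # to a function whose summary says that parameter index reaches a sink.
    hits, taint = set(), set(taint)
    for stmt in fn.body:
        for node in ast.walk(stmt):
            if isinstance(node, ast.Assign) and tainted(node.value, taint):
                taint |= {t.id for t in node.targets if isinstance(t, ast.Name)}
            elif isinstance(node, ast.Call):
                flows = {i for i, a in enumerate(node.args) if tainted(a, taint)}
                name = call_name(node)
                if (flows and name in SINKS) or flows & summaries.get(name, set()):
                    hits.add(node.lineno)
    return hits
def analyze(source):
    # Per-function summaries (parameter indexes that reach a sink) are iterated to a
    # fixpoint so taint is followed across calls; then flows from real sources are reported.
    funcs = {n.name: n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)}
    summaries = {f: set() for f in funcs}
    for _ in funcs:  # len(funcs) rounds suffice: summaries only grow, one call hop per round
        for name, fn in funcs.items():
            summaries[name] |= {i for i, p in enumerate(fn.args.args)
                                if scan_function(fn, {p.arg}, summaries)}
    findings = sorted((n, ln) for n, fn in funcs.items() for ln in scan_function(fn, set(), summaries))
    return summaries, findings
```

Running `analyze(SAMPLE)` reports only the `lookup(user)` line inside `handler`, because the summary for `lookup` records that its first parameter reaches `run_query`, while `safe_lookup` passes its argument through the sanitizer rule and gets an empty summary.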

  • (Score: 4, Interesting) by fadrian on Friday August 23 2019, @02:27PM (4 children)

    by fadrian (3194) on Friday August 23 2019, @02:27PM (#884112) Homepage

    Static analysis tools are useful. That being said, they often cast too broad a net, finding too many false positives. In addition, they take a lot of fiddling to tune and/or to get to shut up when aforementioned false positives occur. You'll spend a lot more time with these things than you expected to when you use them. But, all-in-all, more useful than not.

    --
    That is all.
  • (Score: 2) by DannyB on Friday August 23 2019, @05:08PM (3 children)

    by DannyB (5839) Subscriber Badge on Friday August 23 2019, @05:08PM (#884239) Journal

    One of the best static analysis tools is the compiler for a language that has strong type discipline and other safety features. The language design becomes one of the major safety features, enforced by the compiler.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 2) by FatPhil on Friday August 23 2019, @05:25PM (1 child)

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Friday August 23 2019, @05:25PM (#884248) Homepage
      Heresy! That forces the programmer to explicitly say what he wants. That might do terrible things like permit reviewers to see if what the code does matches what it's supposed to do.

      >quack<!
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by DannyB on Friday August 23 2019, @05:33PM

        by DannyB (5839) Subscriber Badge on Friday August 23 2019, @05:33PM (#884253) Journal

        You're right! Better to depend on unit testing which demonstrates that the code does the right thing, at least under certain conditions, rather than that it does the right thing in principle.

        Not that I'm against unit testing. Just for testing higher level things that compilers cannot (yet) test. Because we cannot (yet) express those ideas in a language.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 2) by darkfeline on Saturday August 24 2019, @02:07AM

      by darkfeline (1030) on Saturday August 24 2019, @02:07AM (#884502) Homepage

      I believe Facebook uses PHP, so...

      --
      Join the SDF Public Access UNIX System today!