Open Discussion on Static Code Analysis

zivkovicmilos commented 1 year ago

Description

Currently, the gno repo does not feature any advanced static code analysis workflows. This issue is meant to start a discussion on utilizing different tools, and their effectiveness in identifying vulnerabilities before they are exploited.

Code Analysis Tooling

What kind of code analysis tooling should we set up?
Should we utilize the standard CodeQL scanning GitHub offers out of the box, or utilize something like Snyk or Deepsource, that have GitHub integrations? Or even something beefier like SonarCube?

Relevant Snyk comparison article

Setting up a vulnerability reporting workflow

Code analysis tools are far from perfect - and they don't catch everything, especially when the problem is located on a protocol level.

Should we use a third-party platform, or the built in GitHub private vulnerability reporting tool?

Bounties for issues

Should we set up bounties for critical issues?
What kind of issues would qualify for bounties?

cc @anarcher @ltzmaxwell @piux2 et al.

zivkovicmilos commented 7 months ago

@kristovatlas Pinging here to revive this ancient issue

kristovatlas commented 6 months ago

The GitHub scanner is delightfully easy to get going, so we'll start there.

I'd like to trial some of the paid stuff as well, but whether it sticks around depends on how the trial goes. I'll post in this issue as we gather more info.

zivkovicmilos commented 5 months ago

This has been resolved with #1915

gnolang / gno