Do you have secure development knowledge?

Hi,

I’m currently assessing our progress toward the OpenSSF Best Practices ‘Passing’ Level. Two of the requirements are (click on the links for more details):

If you think one of these requirements applies to you, please respond to this thread and let me know if I can include your name in our project’s checklist. Having your name added to the checklist is optional. You can also respond to me in a private message if you don’t want to comment publicly.

Thanks,
Tom

BTW, although Alive2 is not doing static analysis of LLVM’s code, it has caught security problems in LLVM as well as one potential attack (a security bug fix was reverted in the middle of a large commit).
We run Alive2 on a continuous basis and try to report the bugs it finds as time allows.

Regarding folks with security expertise, we have a ton of people that have worked on static analysis, CFI and other run-time protections, etc.

But to be honest LLVM is not even close to being “secure”.

Also note that because we have mainly non-web C++ code, half of the top 25 CWEs practically do not apply to us.

One thing that is missing is clang-tidy checking (at least most of the bugprone checks) as part of CI. And in the end clang-tidy is still missing a lot of checks to even cover basic C++ vulnerabilities, while clang-analyzer basically covers only C-like code.

As for “primary developer”, maybe @AaronBallman?

Other thing:
“We generally don’t rely much on fuzzing, because we assume that all inputs are trusted.”
This is met, I think we run UTs with AddressSanitizer.

Same as last question.

You can probably list me for Clang for both requirements – I was the primary author for SEI CERT C++ Coding Standard (2016 edition) which is primarily focused on secure coding practices in C++.
