The European Commission EU-FOSSA project runs its Apache code review project and is about to start the KeePass one.
As announced in a previous news (see link), Apache and KeePass have been selected as a result of a public survey. They are candidate to be code reviewed by the pilot project, in order to analyse and test the source code for potential security problems.
The currently conducted Apache Code Review addresses the CORE and APR modules. For CORE, a total of 3 batches and 5 files will be reviewed. For APR, approximately 32 batches and 102 files are in scope.
You can follow the code review evolution by consulting the updates posted on the EU FOSSA Community, under the Code review log page.
The EU-FOSSA pilot is to result in a systematic approach for the EU institutions to make sure that widely-used key open source components can be trusted. The project should also allow the EU institutions to contribute to the integrity and security of key open source software.
More information:
Comments
Security is a dynamic environment and a static audit could give a false sense of security.
A vulnerability in a FOSS component could be announced 1 hour, 1 day, one week after the review and so will not be tracked.
How deep does the code review go.
If the code is under a copy left license and the code has to be shared. Would there be bad coding practices in the code creating vulnerabilities e.g. hard coded passowords, badly structured code.
Is all of the above being picked up?