© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
I reviewed libfastjson version 0.99.8-2 as checked into bionic. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.
- libfastjson is similar to json-c but stripped down to meet the needs of
rsyslog.
- Our database doesn't have any CVEs for libfastjson; there are two CVEs
for json-c.
- Build-Depends: debhelper, pkg-config
- Does not daemonize
- No pre/post inst/rm scripts
- No init scripts
- No systemd unit files
- No dbus services
- No setuid files
- No binaries in bin
- No sudo fragments
- No udev rules
- There's a decent-size test suite run during the build
- No cron jobs
- Clean build logs
- No subprocesses spawned
- Memory management looked careful
- Files opened by command of clients
- Logging looked careful
- No environment variables
- No privileged operations
- No cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKIt
- Clean cppcheck
This looks like a well-written library, good comments throughout, good
error-checking. I really like doko's suggestion that this be bundled into
the rsyslog package but that feels like an unreasonable delta for Ubuntu
to carry from Debian.
Thanks