Re: Scanning an Open Source Program For Issues
"Hal Vaughan" <hal@halblog.com> wrote in message
news:_Ckvj.8241$0%3.4401@trnddc06...
I've just downloaded an open source Java program that I can use for
networking (I'm testing a Java implementation of ssh that I asked
about in
an earlier post). I have the source, but it's a lot of stuff to
read. Are
there any shortcuts in what I can look for if I want to be sure this
program doesn't phone home or store my passwords or id keys anywhere
I
don't want them?
I figured I could use grep and search for any references to using
networking
packages, but Java io packages could be used as well. Any ideas of
how to
do a quick scan or search to verify there are no networking contacts
other
than connecting to the system I specify?
I usually answer question only when I know the answer (or think I do,
anyway). This is speculation, so take it with a grain of salt.
Try modifying it to create a SecurityManager that catches every
attempt to use the network, the file system, etc. You can simply log
and grant each request, which, at the end of your session will show
you which sorts of accesses were done, or you can get fancier and
display a dialog for each one, allowing you to forbid anything that
looks questionable. This won't prove that obscure code paths don't
lead to the kind of violation you're concerned about, but if
everything looks OK, you'll be more confident.
And, of course, you can look for other users of the package and ask
what their experience has been.