Summary
An audit of the current CI/CD static and dynamic analysis setup found that 4 criteria in the OpenSSF Best Practices Badge "Analysis" section are not actually satisfied, despite docs/migration/1.5-openssf-badge.md claiming the section is 8/8 (100%). Full evidence trail is in TODO.md. This issue tracks fixing the underlying problems (and, once fixed, correcting the badge profile at bestpractices.dev).
Two of the four are MUST-level criteria — meaning the project cannot honestly claim a "Passing" badge until they're addressed.
1. static_analysis_fixed (MUST) — Not Met
All medium and higher severity exploitable vulnerabilities discovered with static code analysis MUST be fixed in a timely way after they are confirmed.
Findings from cppcheck/clang-tidy, confirmed in docs/migration-schedule.md since 2026-06-14 (~3 weeks), still present in code today:
All 12 items in docs/migration-schedule.md Phase 2.0 remain unchecked (☐), including the 5 flagged by the project itself as priority.
2. dynamic_analysis_fixed (MUST) — Not Met
All medium and higher severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed.
(Tracked in detail, with a suggested code fix, in a dedicated issue: "Fix confirmed out-of-bounds write in BTree.c:276 (UBSan) and unfreed test allocations in AllocationLogTest".)
3. dynamic_analysis_unsafe (SUGGESTED) — Not Met
If the software includes a memory-unsafe language, at least one dynamic tool (e.g., a fuzzer) MUST be routinely used in combination with a mechanism to detect memory safety problems.
4. dynamic_analysis_enable_assertions (SUGGESTED) — Met in form only
Use a dynamic-analysis configuration that enables many assertions.
Action items
References
TODO.md — full evidence for each finding
docs/migration-schedule.md (Phase 2.0 — Code Health; Phase 3 — AFL++)
docs/migration/1.5-openssf-badge.md (self-reported badge status)
.github/workflows/ci.yml (static-analysis, sanitizer-tests jobs)
Summary
An audit of the current CI/CD static and dynamic analysis setup found that 4 criteria in the OpenSSF Best Practices Badge "Analysis" section are not actually satisfied, despite
docs/migration/1.5-openssf-badge.mdclaiming the section is 8/8 (100%). Full evidence trail is inTODO.md. This issue tracks fixing the underlying problems (and, once fixed, correcting the badge profile at bestpractices.dev).Two of the four are MUST-level criteria — meaning the project cannot honestly claim a "Passing" badge until they're addressed.
1.
static_analysis_fixed(MUST) — Not MetFindings from cppcheck/clang-tidy, confirmed in
docs/migration-schedule.mdsince 2026-06-14 (~3 weeks), still present in code today:strcpy) —modules/frontend/map2check.cpp:93,102,111modules/backend/library/lib/BTree.c:274-276modules/backend/library/lib/NonDetGeneratorKlee.c:41,47NonDetGeneratorLibFuzzy.c:103,AllocationLog.c:56,NonDetLog.c:70,ContainerBTree.c:23All 12 items in
docs/migration-schedule.mdPhase 2.0 remain unchecked (☐), including the 5 flagged by the project itself as priority.2.
dynamic_analysis_fixed(MUST) — Not MetBTree.c:276off-by-one at runtime inBTreeTest/ContainerBTreeTest— a real out-of-bounds write, not theoretical.AllocationLogTest(lines 75, 87) andAllocationLog.c:89.UBSAN_OPTIONS=halt_on_error=0,ASAN_OPTIONS=detect_leaks=0in.github/workflows/ci.yml,sanitizer-testsjob) instead of fixing them.(Tracked in detail, with a suggested code fix, in a dedicated issue: "Fix confirmed out-of-bounds write in BTree.c:276 (UBSan) and unfreed test allocations in AllocationLogTest".)
3.
dynamic_analysis_unsafe(SUGGESTED) — Not MetLibFuzzeris explicitly disabled (-DSKIP_LIB_FUZZER=ON) in all 3 CI jobs, includingsanitizer-tests— ASan only runs against the 7 fixed unit tests, never against fuzzer-generated input.NonDetGeneratorLibFuzzy.cis Map2Check's own product feature (fuzzing the user's analyzed C programs) — not self-fuzzing of Map2Check's own codebase.docs/migration-schedule.mdPhase 3, items 3.1.1–3.1.4) hasn't started.4.
dynamic_analysis_enable_assertions(SUGGESTED) — Met in form onlyCMAKE_BUILD_TYPE=Release/MinSizeRel, so-DNDEBUGis never injected — assertions would fire if present.assert()/BOOST_ASSERT()occur 0 times anywhere inmodules/— there's nothing to actually enable..clang-tidyis pre-configured to recognize these macros, but the project doesn't use them.Action items
static_analysis_fixed(see also Phase 2.0 indocs/migration-schedule.md).BTree.coff-by-one andAllocationLogTestleaks (dedicated issue), then fliphalt_on_error=1/detect_leaks=1inci.yml.sanitizer-tests, or bring forward the AFL++ Phase 3 work) to closedynamic_analysis_unsafe.assert()/BOOST_ASSERT()usage where it adds defensive value, or stop countingdynamic_analysis_enable_assertionsas meaningfully satisfied.References
TODO.md— full evidence for each findingdocs/migration-schedule.md(Phase 2.0 — Code Health; Phase 3 — AFL++)docs/migration/1.5-openssf-badge.md(self-reported badge status).github/workflows/ci.yml(static-analysis,sanitizer-testsjobs)