Slashdot Mirror


User: onehundredandfive

onehundredandfive's activity in the archive.

Stories: 0
Comments: 2
Comments · 2

  1. Re:bugs != exploits on 611 Defects, 71 Vulnerabilities Found In Firefox · Score: 1

    The article does not conflate defects and security risks. It clearly separates them: "The analysis resulted in 655 defects and 71 potential security vulnerabilities." Some security vulnerabilities can fall directly under the 'software bug' or 'defect' umbrella while others can be found off roaming in fields of coding semantics and input validation routines. The difference is subtle and subjective. Also, in the article, the 655 defects are broken down into sub-categories and probably 'Security Vulnerabilities' is just another category but it is a better attention grabber. Cheers.

  2. Re:Tools like this produce lots of false positives on 611 Defects, 71 Vulnerabilities Found In Firefox · Score: 1

    From the article (response to similar critique; see comments in original article):

    "Regarding Alec Flett's post I just want to clarify the methodology I used for this analysis. Although this analysis was automated (machine generated), the level of analysis is more sophisticated than a traditional lint-type tool. Klocwork and other modern static analysis tools are breaking the common misconception that these types of tools are noisy. In fact, the most crucial advancement in the static analysis field is the significant improvement in the signal-to-noise ratio, making it an efficient use of the developer's time.

    In this particular analysis we reviewed the entire results to verify the correctness of the defects. For example, to address Alec's point about XPCOM refcounting, we did account for that in the analysis. As I mentioned in my post, as with any analysis only the developers can be the final judge on the severity of these problems."