top | item 47095314

(no title)

Would be neat if the call graph could be asserted easily.. As you could not only validate what vulnerabilities you are / aren't exposed to, but also choose to blacklist some API calls as a form of mitigation. Ensuring you don't accidentally start using something that's proven unsafe.

discuss

Gigachad|8 days ago

It’s easier to just update the package and not have to worry.

viraptor|9 days ago

https://bandit.readthedocs.io/en/latest/ can do that for python.

chii|8 days ago

but then if you could assert the call graph (easily, or even provably correctly), then why not just cull the unused code that led to vulnerability in the first place?

mseepgood|8 days ago

With a statically compiled language it is usually culled through dead-code elimination (DCE), and with static linking you don’t ship entire libraries.