You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
how often code gets executed in specific sub projects
which portions of specific sub projects are getting executed at all
where there's test coverage deficiencies
This issue therefore is to suggest developing a "code coverage dashboard" showing what (internal and external) sub project's code get executed in response to "code activations" by the highest available calling API.
For liboqs this may be as simple as tracking code coverage when running its tests (e.g., along the lines of open-quantum-safe/liboqs#167). For language-wrappers and oqsprovider it probably means developing specific test cases to be analyzed by a code coverage tool and separately reporting how often/which code gets executed in which sub project.
By way of example: I'd envision something along the lines of "An MLKEM768X25519 OpenSSL TLS handshake test leads to x instructions executed in libssl, y instructions in libcrypto, z instructions in oqsprovider, q instructions in liboqs, r instructions in mlkem_native.
These figures could serve as guidance pertaining to the probability of security exposure(s) in the different code bases and in consequence, to work load introduced to contributors and maintainers of each sub component where it to be subject to specific security response procedures. As the figures could be markedly different based on liboqs build config options , it may be valuable to report such configs separately, helping OQS to recommend specific config options for specific use cases: Some users may prefer better code coverage testing over performance, for example.
An additional benefit would be to improve code coverage (testing), a generally useful thing in its own right (and about sensible to tackle 8 years after the issue has been raised for liboqs :-)
The text was updated successfully, but these errors were encountered:
As part of the discussion to decide which sub projects to include in the security response process it became apparent --at least to me-- that OQS does not know
This issue therefore is to suggest developing a "code coverage dashboard" showing what (internal and external) sub project's code get executed in response to "code activations" by the highest available calling API.
For
liboqsthis may be as simple as tracking code coverage when running its tests (e.g., along the lines of open-quantum-safe/liboqs#167). For language-wrappers andoqsproviderit probably means developing specific test cases to be analyzed by a code coverage tool and separately reporting how often/which code gets executed in which sub project.By way of example: I'd envision something along the lines of "An MLKEM768X25519 OpenSSL TLS handshake test leads to x instructions executed in
libssl, y instructions inlibcrypto, z instructions inoqsprovider, q instructions inliboqs, r instructions inmlkem_native.These figures could serve as guidance pertaining to the probability of security exposure(s) in the different code bases and in consequence, to work load introduced to contributors and maintainers of each sub component where it to be subject to specific security response procedures. As the figures could be markedly different based on
liboqsbuild config options , it may be valuable to report such configs separately, helping OQS to recommend specific config options for specific use cases: Some users may prefer better code coverage testing over performance, for example.An additional benefit would be to improve code coverage (testing), a generally useful thing in its own right (and about sensible to tackle 8 years after the issue has been raised for
liboqs:-)The text was updated successfully, but these errors were encountered: