daniel:// stenberg://

1 year ago

daniel:// stenberg://
1 year ago

lines of code per known vulnerability in #curl, 1998 - 2023. I purposely leave out the last year simply because it is a little too new code there to be fair - and that makes the graph really spike.

Note also that this treats all vulns equal, no matter which severity

#curl

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 year ago

the median age a CVE has existed in code when reported in #curl is 7.7 years!

#curl

in reply to daniel:// stenberg://

robinm

in reply to daniel:// stenberg:// 1 year ago

Does this means that we should ignore the right part of the graph (2015 and newer), and wait to see if the quality did effectively increase so much in recent years?

in reply to robinm

daniel:// stenberg://

in reply to robinm 1 year ago

@robinm it certainly might imply that we will get vulnerabilities reported for that period in the coming years, yes. I guess we will be able to tell in the future...

@robinm