census
Future: Consider adding static analysis for vulnerabilities (e.g., hit density)
Per section 5.B of the paper:
Perform static analysis on source code to determine the likely number of latent vulnerabilities (e.g., using Coverity scan, RATS, or flawfinder); measures such as hit density could indicate more problematic software. A variant would be to report on densities of warnings when warning flags are enabled.
This will report many false alarms.
Sure, but the point would be to see if the density was unusually high. If you keep walking to the edge of a cliff, eventually you are likely to fall off.
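Worked example, added here and not part of the census project or the paper: it parses flawfinder-style per-hit lines (`file:line:  [level] (category) name:`) for three constructed projects, computes hits per thousand physical SLOC at each minimum risk level, and flags the project whose density at level 3+ is unusually high relative to its peers. Counting only hits at or above a minimum level and comparing against the median is one way to keep the false-alarm problem raised above from dominating the metric. The project names, report text and SLOC figures are constructed for the demonstration; flawfinder's own summary already prints a `Hits/KSLOC@level+` line, so a real pipeline could read that instead.

```python
import re
import statistics

# One hit line from flawfinder's "FINAL RESULTS" section, for example:
#   src/net.c:42:  [4] (buffer) strcpy:
# The explanatory continuation lines are indented, so they do not match.
HIT_RE = re.compile(
    r"^(?P<file>\S[^:\n]*):(?P<line>\d+):\s+\[(?P<level>[0-5])\]\s+"
    r"\((?P<category>\w+)\)\s+(?P<name>\w+):"
)

# Constructed sample reports (not real project output).
ALPHA_REPORT = """\
Examining src/io.c
FINAL RESULTS:

src/io.c:18:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120).
src/io.c:40:  [1] (buffer) read:
  Check buffer boundaries if used in a loop (CWE-120, CWE-20).

ANALYSIS SUMMARY:
Hits = 2
"""

BETA_REPORT = """\
FINAL RESULTS:

src/net.c:12:  [5] (buffer) gets:
  Does not check for buffer overflows (CWE-120, CWE-20).
src/net.c:30:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
src/net.c:57:  [4] (format) sprintf:
  Does not check for buffer overflows (CWE-120).
src/cfg.c:9:  [3] (buffer) getenv:
  Environment variables are untrustable input (CWE-807, CWE-20).
src/cfg.c:22:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted (CWE-119!/CWE-120).
src/cfg.c:71:  [1] (buffer) read:
  Check buffer boundaries if used in a loop (CWE-120, CWE-20).

ANALYSIS SUMMARY:
Hits = 6
"""

GAMMA_REPORT = """\
FINAL RESULTS:

lib/parse.c:101:  [3] (buffer) getenv:
  Environment variables are untrustable input (CWE-807, CWE-20).
lib/parse.c:140:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted (CWE-119!/CWE-120).
lib/util.c:8:  [1] (buffer) read:
  Check buffer boundaries if used in a loop (CWE-120, CWE-20).

ANALYSIS SUMMARY:
Hits = 3
"""

# name -> (report text, physical SLOC); SLOC figures are constructed.
PROJECTS = {
    "libalpha": (ALPHA_REPORT, 2000),
    "libbeta": (BETA_REPORT, 1500),
    "libgamma": (GAMMA_REPORT, 3000),
}


def parse_hits(report):
    """Return [(file, line, level, category, name)] for each hit line in a report."""
    hits = []
    for text in report.splitlines():
        m = HIT_RE.match(text)
        if m:
            hits.append((m["file"], int(m["line"]), int(m["level"]),
                         m["category"], m["name"]))
    return hits


def hit_density(hits, sloc, min_level=0):
    """Hits at risk level >= min_level per thousand physical SLOC (KSLOC)."""
    if sloc <= 0:
        raise ValueError("sloc must be positive")
    return sum(1 for h in hits if h[2] >= min_level) * 1000.0 / sloc


def density_profile(hits, sloc):
    """Density at each minimum level 0..5, like flawfinder's Hits/KSLOC@level+ line."""
    return {lvl: round(hit_density(hits, sloc, lvl), 3) for lvl in range(6)}


def flag_outliers(projects, min_level=3, factor=2.0):
    """Return project names whose density at min_level+ exceeds factor times the
    median density across all projects, i.e. the 'unusually high' cases."""
    densities = {name: hit_density(parse_hits(rep), sloc, min_level)
                 for name, (rep, sloc) in projects.items()}
    median = statistics.median(densities.values())
    return sorted(n for n, d in densities.items() if d > factor * median)


if __name__ == "__main__":
    for name, (rep, sloc) in PROJECTS.items():
        print(name, density_profile(parse_hits(rep), sloc))
    print("unusually dense at level 3+:", flag_outliers(PROJECTS))
```

With these constructed inputs, libbeta shows about 2.67 hits/KSLOC at level 3+ against a peer median of 0.33, so it is the only project flagged; the two low-severity hits that libalpha and libgamma share do not move the metric.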