Blue-teaming for Exiv2: three rules of bug fixing for better OSS security
Blog post from GitHub
In the second installment of a blog series on enhancing Exiv2's security, the author emphasizes the importance of a three-step process when fixing bugs, especially security vulnerabilities: adding regression tests, fixing the bug, and identifying and remedying variants. Regression tests serve as proof of resolution and ensure the new code is covered, while hunting for variants addresses the likelihood that the same mistake was made elsewhere. Through examples involving divide-by-zero errors and unsafe use of vector indexing, the blog illustrates using CodeQL to identify bug variants, even though the simple queries used produce some false positives. The author argues that each security bug is an opportunity for further defensive improvements, advocating for a comprehensive approach to bug fixing and leveraging CodeQL to enhance security hardening efforts.
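The following C++ example is added here to make the three rules concrete; it is not code from Exiv2 or from the blog post. It uses a hypothetical field parser (`parse_unchecked`, `parse_checked`, `kNumerators`, and the byte layout it reads are all assumptions) that exhibits the two bug classes the post discusses, divide by zero and unchecked vector indexing, beside its hardened form, and a regression test that pins the fix with the constructed inputs that would have crashed the original.

```cpp
// Added example, not code from Exiv2 or the blog post: a hypothetical field
// parser showing the two bug classes the post discusses (divide by zero,
// unchecked vector indexing), the hardened form, and regression tests that
// pin the fix. All inputs below are constructed.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Constructed table of numerators that the field's first byte indexes.
const std::vector<uint32_t> kNumerators = {100, 200, 300, 400};

// Constructed field layout: byte 0 = index into the table, byte 1 = divisor.
// "Before": trusts both bytes. An index >= table size reads out of bounds
// (undefined behaviour) and a divisor of 0 divides by zero.
uint32_t parse_unchecked(const std::vector<uint32_t>& table,
                         const std::vector<uint8_t>& field) {
    size_t idx = field[0];
    uint32_t den = field[1];
    return table[idx] / den;
}

// "After": validate length, index and divisor before use and report malformed
// input instead of trusting it. These two checks are exactly what a variant
// hunt (by hand or with a CodeQL query) looks for in every other parser.
std::optional<uint32_t> parse_checked(const std::vector<uint32_t>& table,
                                      const std::vector<uint8_t>& field) {
    if (field.size() < 2) return std::nullopt;       // truncated field
    const size_t idx = field[0];
    const uint32_t den = field[1];
    if (idx >= table.size()) return std::nullopt;    // bug class 1: out-of-range index
    if (den == 0) return std::nullopt;               // bug class 2: divide by zero
    return table[idx] / den;
}

// Rule 1 of the post: regression tests that encode the crashing inputs, so
// the fix has proof and the new branches have coverage. Returns true when
// every malformed case is rejected and the valid case still parses.
bool regression_tests_pass() {
    const std::vector<uint8_t> div_by_zero = {0x01, 0x00};   // constructed
    const std::vector<uint8_t> oob_index   = {0x7F, 0x02};   // constructed
    const std::vector<uint8_t> truncated   = {0x01};         // constructed
    const std::vector<uint8_t> valid       = {0x02, 0x03};   // 300 / 3

    if (parse_checked(kNumerators, div_by_zero).has_value()) return false;
    if (parse_checked(kNumerators, oob_index).has_value()) return false;
    if (parse_checked(kNumerators, truncated).has_value()) return false;
    const auto ok = parse_checked(kNumerators, valid);
    return ok.has_value() && *ok == 100;
}
```

The unchecked version is kept only for contrast and is never fed the malformed inputs; the point of the regression test is that those inputs now exercise the new rejection branches rather than undefined behaviour, and the same `idx >= size` and `den == 0` patterns are what a variant search over the rest of a code base should flag.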