[pkaye]

Its used to reverse engineer an unknown binary without the matching source code. Since Ghidra already is open source it be no use to audit Ghidra itself except for learning purposes. It might be useful to reverse engineer a closed source driver so you can write an open source one from scratch.

[NotSwift]

A security audit is still useful when you have sources to the program. There may still be some intended or just accidental security problems with it. Having the sources makes such an audit a lot easier to do.

[ShepherdKing]

Is there a standard process anywhere for vetting some software for information leakage? I would imagine that someone would deploy the software behind an MITM proxy and then look at the traffic, but it would be nice if there was some standard process or framework for this somewhere.

[aj3]

It's a huge code base, of course there are security issues. Same way IDA and radare have security issues. People who reverse malware take that into account.

[barkingcat]

I would expect there to be self-mutating code such that when the open source code is compiled with a particular compiler it activates a different code path (written into the compiler itself) such that the final resulting binary does not correspond to the source code if it were compiled with another compiler.

And if this resulting binary is distributed, audits of the source code wouldn't catch these modifications.

[Godel_unicode]

1) There are many java compilers with diverse origins. Try more than one.

2) The binary (or jar) can't lie about what it contains. Take it into an air gap and reverse engineer it, what's there is there. This includes compilers.

3) see posters comment about the impracticality of stopping someone with the money, talent, skills, and patience of the NSA :)