SoftwareSecurity2012/Group 10/Code Scanning Reflection
In this section, we summarize the results of our trials of the code scanning utilities.
Troublesome tools
We intended to use the CodeSecure package as well as the PHPLint package in a proper fashion. These tools, however, proved troublesome: in the case of CodeSecure, the trial version of the application was unable to scan the application at all, and in the case of PHPLint, the tool was simply impractical to use.
PHPLint
PHPLint yielded a vast number of warnings, the majority of which were comments on PHP style rather than genuine security errors. We doubt PHPLint's usefulness as a tool for verifying application security, because it aims to be a PHP checker rather than a security scanner.
RIPS
Overall RIPS seems useful (it has certainly pointed out some valid issues), although it does lack some polish. For example, we were unable to locate any functionality to save or export scan results, and the results page does not offer any way to filter by the type of vulnerability found. Also, the verbosity level should be selected carefully to avoid having to dig through hundreds (if not thousands) of false positives. Performing a separate scan for each individual component of a codebase might make the results easier to review.
RATS
It is only a static code scanner that looks for uses of certain functions. Its database of functions merely states that a function could be problematic; there is no information on what problems the function introduces or how to use it correctly. The tool can be used to look for specific functions related to the problems we are looking for, but there are other, faster ways of doing this.
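To make concrete what a function-name scanner like RATS does, and why its output needs so much manual triage, here is an added example (not RATS's own code) of the same idea in a few lines of Python: it matches calls to a constructed watch list of PHP functions and, unlike RATS as described above, carries a short note on why each function deserves review. The watch list, the regular expression and the PHP snippet are all constructed for this example; the scanner has no data-flow analysis, so it flags the call with a constant argument just as readily as the one fed from `$_GET`.

```python
"""Minimal function-name scanner in the spirit of RATS (example code, not RATS)."""
import re
from typing import Dict, List, Tuple

# Constructed watch list (assumption): PHP functions whose use is worth a review,
# each with a one-line reason, which is the information the text says RATS lacks.
WATCHLIST: Dict[str, str] = {
    "eval": "executes a string as PHP code; check where the string comes from",
    "exec": "runs a shell command; arguments must not be attacker-controlled",
    "system": "runs a shell command and echoes its output; same concern as exec",
    "mysql_query": "raw SQL; check that inputs are parameterised or escaped",
    "unserialize": "object injection risk when the input is untrusted",
}

# An identifier followed by '(' that is not part of a variable ($name), a method
# call (->name) or a static call (::name). This is purely lexical, like RATS.
CALL_RE = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")


def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, function name, reason) for every watch-listed call."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Crude single-line comment stripping so commented-out calls are skipped.
        code = line.split("//", 1)[0].split("#", 1)[0]
        for match in CALL_RE.finditer(code):
            name = match.group(1).lower()
            if name in WATCHLIST:
                findings.append((lineno, name, WATCHLIST[name]))
    return findings


def count_by_function(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Summarise how often each watch-listed function appears (useful for triage)."""
    counts: Dict[str, int] = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed PHP sample: two calls fed by request input, one commented out,
# one method call that merely shares a name, and one call with a constant argument.
SAMPLE_PHP = """<?php
$cmd = $_GET['cmd'];
system($cmd);
$db->exec("SELECT 1");
// exec('ls');
$r = mysql_query("SELECT * FROM t WHERE id=" . $_GET['id']);
echo strlen($cmd);
system("date");
"""

if __name__ == "__main__":
    for lineno, name, reason in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {name}() - {reason}")
    print(count_by_function(scan_php(SAMPLE_PHP)))
```

Running the block reports lines 3, 6 and 8. Line 4 (`$db->exec`) and the commented-out line 5 are correctly skipped, but line 8, `system("date")`, is reported although its argument is a constant: that is the false-positive rate inherent in matching function names without looking at where the arguments come from, and it is why a scanner of this kind is quick to run but slow to review.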
Yasca
Yasca is a code scanner which can run a number of plugins, such as plugins for PHPLint and RATS, making it potentially a useful tool for automating code scanning. However, none of the plugins proved to work correctly. Faulty behaviour ranged from simply giving an error to giving obviously wrong output. For example, the PHPLint plugin told us that it could not find any built-in PHP function.