SoftwareSecurity2013/Group 10/Code Scanning Reflection
From Werkplaats
RATS
Qualities
- Open source -> you can trace how each warning is produced
- Useful for simple checks
- Finds potential TOCTOU (time-of-check-to-time-of-use) vulnerabilities and input validation issues
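The check-then-use race that a RATS TOCTOU warning points at, next to the pattern that avoids it, as an added C example (not code from the group's scanned project or from RATS); the file paths are constructed for the demo:

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed demo paths (assumptions, not from the wiki page). */
#define DEMO_FILE "/tmp/toctou_demo_real.txt"
#define DEMO_LINK "/tmp/toctou_demo_link"

/* Racy pattern: access() is the check, open() the use. Between the two
   calls the path can be replaced by a symlink to another file, so the
   permission decision no longer applies to what is actually opened. */
int read_len_racy(const char *path) {
    char buf[64];
    if (access(path, R_OK) != 0)           /* time of check */
        return -1;
    int fd = open(path, O_RDONLY);         /* time of use */
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n < 0 ? -1 : (int)n;
}

/* Hardened pattern: open once, refusing to follow symlinks, then check
   the descriptor we actually hold with fstat(); there is no window. */
int read_len_safe(const char *path) {
    char buf[64];
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;                          /* not a plain regular file */
    }
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n < 0 ? -1 : (int)n;
}

/* Creates a 5-byte file and a symlink to it; returns 0 on success. */
int demo_setup(void) {
    FILE *f = fopen(DEMO_FILE, "w");
    if (!f) return -1;
    fputs("hello", f);
    fclose(f);
    unlink(DEMO_LINK);                      /* allow re-runs */
    return symlink(DEMO_FILE, DEMO_LINK);
}
```

Through the symlink the racy version happily reads the target, while the hardened version refuses it; a static scanner like RATS can only flag the access()/open() pair, so the fix is to restructure the code, not to silence the warning.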
Limitations
- Does not find very meaningful security issues
- Finds few issues
- 9 warnings for 60552 lines of code
Fortify
Qualities
- Works on Mac OS X and Linux
- Command line and GUI
- Clear GUI
- Finds more problems than RATS
- Seems to have a good ratio of false positives to real issues
(Erik: What is the basis for this conclusion? In your wiki page about the code scanning I cannot find any discussion of false/true positives) Response: Added a discussion on the other wiki page.
- False positives are justifiable
(Erik: What do you mean by "justifiable"? And again, what is the basis for this conclusion?) Response: This is also discussed in a short discussion on the other wiki page.
- Explicit error description
Limitations
- Tool needs more memory than the default setting allows
- Tool takes quite long to analyse the ~4Mb of source code
- Could scan, but could not run the workbench on Ubuntu 12.10
- Difficult to get started (found the documentation at sample/basic/php/readme.txt)