Software Security/Group 4/Code Scanning

From Werkplaats
Revision by Pol van Aubel (talk | contributions) on 8 Jun 2011 at 15:25 (PHPLint)

Fortify

The run completed in 52:13 (minutes and seconds, not hours) on stitch.science.ru.nl, an 8-core login server of the RU. Fortify uses two cores and was allowed 1024 MiB of memory.

Commands used to run the analysis:

$ ./sourceanalyzer -b g4phpbb2 -clean
$ ./sourceanalyzer -b g4phpbb2 ~/phpBB2/**/**/**/*.php
$ ./sourceanalyzer -verbose -b g4phpbb2 -scan -Xmx1024m -f ~/results.fpr


  • 56 low risk errors
    • 10 Cookie Security: HTTPOnly not Set - Relevant to our interests (V11)
    • 4 Cookie Security: Persistent Cookie - Relevant to our interests (V11)
    • 2 Cross-Site Scripting: Poor Validation
    • 4 Password Management: Password in Comment
    • 26 System Information Leak - Relevant to our interests (V9)
    • 10 Weak Cryptographic Hash - Relevant to our interests (V7)
  • 1 medium risk error
    • 1 Cross-Site Scripting: Poor Validation
  • 2488 high risk errors
    • 8 Cross-Site Scripting: Persistent
    • 96 Cross-Site Scripting: Reflected
    • 213 Dangerous File Inclusion
    • 478 Dynamic Code Evaluation: Code Injection
    • 69 Header Manipulation - Relevant to our interests (V11)
    • 496 Header Manipulation: Cookies - Relevant to our interests (V11)
    • 7 Insecure Randomness - Relevant to our interests (V7)
    • 12 Password Management: Empty Password
    • 676 Path Manipulation
    • 24 Privacy Violation - Relevant to our interests (V9)
    • 409 SQL Injection
  • 3543 critical risk errors
    • 288 Cross-Site Scripting: Reflected
    • 924 Dangerous File Inclusion
    • 23 Path Manipulation
    • 2308 SQL Injection


Reports (using Fedora 11 x64 "stitch.science.ru.nl"): [1]
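The finding classes above correspond to a handful of recurring PHP code patterns. As an added illustration, not code from phpBB2 or from the group's report, the following constructed snippets show for six of the categories the pattern Fortify reports beside a hardened form. The table "users", the PDO handle $db, the page allow-list and the cookie names are assumptions made for the example; the V7/V11 labels are carried over from the list above, and the code assumes PHP 7.1 or later and a site served over HTTPS (for the Secure cookie flag).

```php
<?php
// Added example, not code from phpBB2 or from the group's report: constructed
// snippets showing the code patterns behind six of the Fortify finding classes
// listed above, each beside a hardened form. The table "users", the PDO handle
// $db, the cookie names and the page allow-list are assumptions for illustration.

// Cookie Security: HTTPOnly not Set / Persistent Cookie (V11)
function set_session_cookie_weak(string $sid): void {
    // Flagged: no HttpOnly or Secure flag, and a one-year expiry makes it persistent.
    setcookie('sid', $sid, time() + 365 * 24 * 3600, '/');
}

function set_session_cookie_hardened(string $sid): void {
    // Expiry 0 = browser-session cookie; the last two arguments are secure and httponly.
    setcookie('sid', $sid, 0, '/', '', true, true);
}

// Header Manipulation: Cookies (V11)
function set_lang_cookie_weak(): void {
    // Flagged: request data flows into a response header without validation.
    setcookie('lang', $_GET['lang'] ?? 'en', 0, '/');
}

function set_lang_cookie_hardened(): void {
    // Only values from a fixed allow-list reach the header.
    $allowed = ['en', 'nl', 'de'];
    $lang = $_GET['lang'] ?? 'en';
    if (!in_array($lang, $allowed, true)) {
        $lang = 'en';
    }
    setcookie('lang', $lang, 0, '/', '', true, true);
}

// SQL Injection
function find_user_weak(PDO $db, string $username): ?array {
    // Flagged: untrusted input is concatenated into the query text.
    $res = $db->query("SELECT user_id FROM users WHERE username = '" . $username . "'");
    $row = $res ? $res->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

function find_user_hardened(PDO $db, string $username): ?array {
    // Prepared statement: the parameter can never alter the query structure.
    $stmt = $db->prepare('SELECT user_id FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Dangerous File Inclusion
function load_page_weak(): void {
    // Flagged: request data chooses which file is included.
    include $_GET['page'] . '.php';
}

function load_page_hardened(): void {
    // Map request keys to fixed file names; anything else is rejected.
    $pages = ['index' => 'index.php', 'faq' => 'faq.php'];
    $key = $_GET['page'] ?? 'index';
    if (!isset($pages[$key])) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/pages/' . $pages[$key];
}

// Cross-Site Scripting: Reflected
function greet_weak(): string {
    // Flagged: request data is echoed into HTML unescaped.
    return '<p>Hello ' . ($_GET['name'] ?? '') . '</p>';
}

function greet_hardened(): string {
    // Escape for the HTML context before output.
    $name = htmlspecialchars($_GET['name'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Hello ' . $name . '</p>';
}

// Weak Cryptographic Hash (V7)
function hash_password_weak(string $password): string {
    return md5($password);                               // fast and unsalted: flagged as a weak hash
}

function hash_password_hardened(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);   // salted, slow and versioned
}
```

Each "weak" function is the shape a taint-tracking scanner like Fortify reports: a source (request data, a weak hash call) reaching a sink (a header, a query, an include, HTML output) with no sanitizer in between. The hardened variants either cut the flow with an allow-list or parameterisation, or replace the primitive with a safer one, which is also what makes the corresponding finding disappear on a rescan.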

Yasca

We used the tool Yasca with the PHPLint plugin. Yasca supports multiple plugins, but not all of them work correctly. Below is a complete overview of all findings, including those reported by the PHPLint plugin.

Errors found:

High risk:

  • PHPLint Finding: 6394
  • Authentication: Weak Credentials: 2

Medium risk:

  • PHPLint Finding: 6908

Low risk:

  • Possible Licensing Restrictions: 74
  • Performance: Post-Increment of Simple Variable: 267
  • Performance: Function Within Loop Declaration: 134
  • PHPLint Finding: 2544
  • Best Practice: Short Open Tag: 2
  • Best Practice: Always Quote Array Keys: 66

Yasca produced 16392 warnings.

Yasca result (using the plugin PHPLint on OSX): [2]

PHPLint

We have also used PHPLint separately from Yasca on the phpBB2 project. By running PHPLint on its own we hoped to generate fewer false positives. Many of the false positives in Yasca arise because each PHP file is analyzed separately, which results in errors like "undeclared variable" or "undeclared function". Unfortunately we did not manage to configure PHPLint so that it follows all includes starting from the main file index.php. The following overview of error messages, warnings and notices is therefore largely the same as that generated by Yasca with PHPLint. The overview includes some types of messages that came up frequently.

  • Error messages: 6673
    • Concatenating different types 985
    • Variable has not been assigned 247
    • Type mismatch 232
    • Keyword as variable name 160
  • Warning messages: 6990
    • Function not declared 1275
    • Array value with unknown type 1237
    • Control character in string 1020
    • Comparing different types 985
  • Notice messages: 2537
    • Variable assigned but never used 225
    • Undeclared constant 1057

The full results (PHPLint on OSX) can be found here: [3]