SoftwareSecurity2014/CodeScanners

From Werkplaats
Version by Erik Poll (talk | contributions) on 26 Mar 2014 at 22:23

Code analysis tools

There are several source code analysis tools we can experiment with:

  • Fortify A commercial tool from HP, for various programming languages. See HP's webpage. Licences will be emailed for this.
  • RATS The Rough Auditing Tool for Security, available here


Other code analysis tools

There are many static analysis tools, both open-source and commercial. Many open source tools seem to have short life spans, unfortunately, and quickly die due to lack of maintenance. Two interesting ones to try, in addition to Fortify and RATS, are

  • Checkmarx, a commercial tool offering free trials, available here
  • RIPS, a tool only for PHP, available here, is a reasonably mature open source code scanner, though development stopped in 2013...


In the past we have tried PHPLint (which people were not too enthusiastic about), YASCA (which, besides its own analysis, also supports RATS and PHPLint as plugins) and CodeSecure (a commercial tool for which you can get a 2-week trial, but only for a version of the tool that handles a limited size code base).

There are some tools around that seem to be dead or not really usable for real applications: Pixy, PHP-SAT, SWAAT, CodeScan.

PHP Codesniffer only appears to check (syntactic) coding styles.