SoftwareSecurity2014/Group 6/Code Scanning Reflection
(Erik: Fortify gives quite a small number of warnings for Roundcube, compared to what some other groups encounter. E.g., one group reports one complaint for every 5 lines of code. Is Roundcube a really small application?)
Reflection on Code Scanners
RATS
The name of this tool, Rough Auditing Tool for Security, already suggests that one should not have too high expectations of it. Nevertheless, it can be very useful. It is also extremely fast, because it simply scans the source code for patterns. This speed is a big advantage over some other tools, since it makes it easy to quickly check some code. On the other hand, it also produces many false positives, since in most cases it cannot tell whether a vulnerability has already been dealt with in the code. This is a real problem, because it is tedious to check every time whether the reported line is an actual problem (especially when this has already been done for that line before). As far as we know, there is no way to make RATS ignore specific parts of the code. It would be useful to be able to annotate a finding as fixed and have RATS ignore it.
| Pros | Cons |
|---|---|
RIPS
RIPS is specifically designed to analyze PHP source code and search for different kinds of vulnerabilities. RIPS is available for free and runs quite fast: 200 seconds for the Roundcube project on a below-average laptop. The output is quite extensive. For each report of a possible vulnerability a structured tree of the relevant code is shown, giving a clear view of how the tainted data is passed along until it eventually reaches a sensitive function. From the analysis of our scan we observed that RIPS sometimes incorrectly assumes that tainted data is passed to such a function, especially in complex code structures. This may also be due to the fact that RIPS does not support OOP, which is the programming style used in a major part of the Roundcube project's source code. All in all we think that RIPS is quite a useful tool. The level of detail is somewhat below that of Fortify, but the UI is very detailed. There are in-depth descriptions for each vulnerability and the possible attacks that could be launched, although these descriptions are rather generic. There is also a possibility to generate an exploit based on an identified vulnerability, but we did not test this.
| Pros | Cons |
|---|---|
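To make the difference between the two approaches above concrete, here is a small added example (our own illustration, not code from RATS, RIPS or Roundcube): a pattern matcher in the style of RATS flags every call to a dangerous function, whereas a minimal taint follower in the style of RIPS only reports a sink when data from a request parameter reaches it without passing through a sanitizer. The PHP fragment, the sink/source/sanitizer lists and the toy tracking rules are all constructed for this demonstration.

```python
import re

# Constructed PHP fragment (not taken from Roundcube): one sanitised and one
# unsanitised path from a request parameter to the same sensitive sink.
SAMPLE_PHP = """\
$user = $_GET['user'];
$safe = escapeshellarg($user);
system("id " . $safe);
$cmd = $_GET['cmd'];
system("run " . $cmd);
system("uptime");
"""

# Small hand-picked lists; a real scanner ships with much larger ones.
SINKS = ("system", "exec", "passthru", "eval")
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
SANITIZERS = ("escapeshellarg", "intval", "htmlspecialchars")

SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\((.*)\)")
ASSIGNMENT = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")


def pattern_scan(php):
    """RATS style: report every line that calls a sink, whatever its
    arguments. Lines 3 and 6 are false positives; only line 5 is real."""
    return [no for no, line in enumerate(php.splitlines(), 1)
            if SINK_CALL.search(line)]


def taint_scan(php):
    """RIPS style, heavily simplified (string based, one statement per line):
    a variable is tainted when assigned from a source or a tainted variable,
    wrapping the right-hand side in a sanitizer clears it, and only a sink
    whose arguments contain a tainted variable is reported."""
    tainted = set()
    findings = []
    for no, line in enumerate(php.splitlines(), 1):
        assign = ASSIGNMENT.match(line)
        if assign:
            var, rhs = assign.groups()
            call = re.match(r"(\w+)\s*\(", rhs)
            if call and call.group(1) in SANITIZERS:
                tainted.discard(var)  # sanitised value: taint is cleared
            elif any(s in rhs for s in SOURCES) or any(t in rhs for t in tainted):
                tainted.add(var)      # fresh or propagated taint
            else:
                tainted.discard(var)  # overwritten with clean data
            continue
        sink = SINK_CALL.search(line)
        if sink and any(t in sink.group(2) for t in tainted):
            findings.append(no)
    return findings
```

The sanitised call on line 3 and the constant call on line 6 show why the pattern scanner has to be re-checked by hand every time, while the taint follower stays silent on them.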
Fortify
One of the first things that is noticeable is that Fortify takes quite a while to analyse the source code (~33 min on a laptop that is already a few years old). Also, all issues that we looked at were false positives (the privacy violations in fact didn't reveal anything; the hardcoded passwords weren't any; the dangerous file inclusions were only configuration files and seemed to be implemented in a secure way; ...). This makes Fortify really annoying to work with and not very usable. Since it takes so much time to analyze, one cannot quickly have a look at the project. Dealing with all the false positives makes it very time consuming as well. We believe that developers don't enjoy Fortify very much.
(Erik: Moreover, I think that Fortify would not be able to spot many issues wrt V4 and V9, as this typically requires some insight in what the web app is meant to do. E.g., Fortify seems to focus a lot on lack of input validation, but for access control it can hardly say sensible things.)
| Pros | Cons |
|---|---|