SoftwareSecurity2013/CodeScanners

Uit Werkplaats
< SoftwareSecurity2013
Versie door Erik Poll (overleg | bijdragen) op 17 apr 2013 om 08:14 (Other code analysis tools)
(wijz) ← Oudere versie | Huidige versie (wijz) | Nieuwere versie → (wijz)
Ga naar: navigatie, zoeken

Code analysis tools

There are several source code analysis tools we can experiment with:

  • Fortify A commercial tool from HP, for various programming languages. See HP's webpage. Licences will emailed for this.
  • RATS The Rough Auditing Tool for Security, available here

Other code analysis tools

There are many static analysis tools, both open-source and commercial. Many open source tools seems to have short life spans, and quickly die due to lack of maintenance.

RIPS, a tool only for PHP, available here, is a reasonably mature open source code scanner.

In the past we have tried PHPLint (which people were not too enthusiastic about), YASCA (which, besides its own analysis, also supports RATS and PHPLint as plugins) and CodeSecure (a commercial tool for which you can get a 2-week trials, but for a version of the tool that only handles a limited size code base).

There are some tools around that seem to be dead or not really usable for real applications: Pixy, PHP-SAT, SWAAT, CodeScan.

PHP Codesniffer only appears to check (syntactic) coding styles.