Static Code Analysis Tools

Below you will find a list of static source code analysis tools recommended for CERN developers. These tools let developers review their code quickly, looking for common potential bugs and vulnerabilities (both security- and non-security-related), and thus increase the reliability and security of their programs.

This is a summary of an evaluation of code analysis tools done by the CERN Computer Security Team. It is by no means a comprehensive list of all existing tools, nor a list of the most complete ones. The tools presented below have been selected for their ease of use, their simplicity and their ratio of usefulness to invested time. Another list can be found here.

The tools and the documentation provided are for Linux, but most of the tools are also available on Windows (links are provided). If you use CERN's GitLab CI (Continuous Integration) service, note that all the static code analysers are provided through a dedicated Docker image. See these examples and this report for details.

C / C++

CppLint [Free stand-alone script]: CppLint checks code for compatibility with Google's C++ style guide. It can find some dangerous constructions and reports general bad practices, syntax errors and style inconsistencies.
Flawfinder [Free stand-alone script]: Flawfinder checks for calls to library functions that are known to be potentially vulnerable.
RATS [Free stand-alone script]: RATS targets various languages and has specific detection rules for each. For C / C++, it checks for calls to vulnerable library functions and for some bad practices that can lead to buffer overflows.
Coverity Prevent [Commercial / available at CERN (...)]: Coverity is a security company with extensive static analysis experience. They have conducted many open source scans and have highly reputable clients.
VCG [Free stand-alone tool]: Visual Code Grepper is an automated code security review tool intended to drastically speed up the code review process by identifying bad/insecure code.

Java

FindBugs [Free stand-alone GUI application, or Eclipse plugin]: FindBugs is a highly configurable tool that allows loading custom rule sets. The default rule set is rather broad-spectrum and includes many security-related checks.
CodePro Analytix [Free Eclipse plugin, or Maven/Ant build integration]: CodePro Analytix's default configuration includes rules rather similar to those of FindBugs, but it has the advantage of a few additional rules and is somewhat simpler to use and configure.
PMD [Free stand-alone script]: PMD finds common programming flaws such as unused variables, empty catch blocks, unnecessary object creation, and so forth.
VCG [Free stand-alone tool]: Visual Code Grepper is an automated code security review tool intended to drastically speed up the code review process by identifying bad/insecure code.

Perl

Perl::Critic [Free Perl module]: The default configuration of Perl::Critic can seem somewhat harsh to most programmers, but we provide a lighter configuration, more targeted towards security.
RATS [Free stand-alone script]: RATS targets various languages and has specific detection rules for each. For Perl, it focuses on risky calls to built-in/library functions.
LC's lint [Free script available on AFS]: Checks for conformity to Lionel Cons' Perl guide.

Python

As a very basic rule, apply the latest security patches to your Python interpreter.
Please note: on SLC, the security patches are applied and backported to earlier versions of Python.

PyChecker [Free stand-alone script]: This static analyser focuses on finding bugs. It has only a couple of security-related checks.
Pylint [Free stand-alone script]: Pylint checks for errors in Python code, tries to enforce a coding standard and looks for bad code.
RATS [Free stand-alone script]: RATS targets various languages and has specific detection rules for each. For Python, it finds some dangerous system calls.

PHP

Pixy [Free stand-alone script]: Although it might look outdated (its home page announces support for PHP4), Pixy does an outstanding job of finding Cross-Site Scripting vulnerabilities and SQL or code injections.
RATS [Free stand-alone script]: RATS targets various languages and has specific detection rules for each. In the case of PHP, it targets calls to some library functions.
RIPS [Free stand-alone web application]: RIPS is a tool written in PHP that finds vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files, RIPS transforms PHP source code into a program model and detects sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow.
VCG [Free stand-alone tool]: Visual Code Grepper is an automated code security review tool intended to drastically speed up the code review process by identifying bad/insecure code.