[WEB SECURITY] Open Source Code Analysis Tools

Truxaw, Matthew mtruxaw at firstam.com
Tue Apr 22 16:03:14 EDT 2008


This is a compilation of the emails I have received regarding code scanning tools (primarily open source with a few others).  I have not reviewed or verified most of this information.  I have not even followed all the links below.   I am hoping to find some time in the coming weeks to dig into this further.  If you have strong feelings for or against any of these tools or other tools, let me know.
 
 
OWASP Lapse Project <http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project> http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project <http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project >  
LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications. 

Pmd
URL: http://sourceforge.net/projects/pmd <http://sourceforge.net/projects/pmd> 
* Java-based static analysis tool
* Intended to find correctness and complexity issues, also finds some security issues

Findbugs URL: http://findbugs.sourceforge.net/ <http://findbugs.sourceforge.net/>  
Java-based static analysis tool
Intended to find correctnessissues, also identifies some security issues  

JeSS: http://sourceforge.net/project/showfiles.php?group_id=141386 <http://sourceforge.net/project/showfiles.php?group_id=141386> 
JeSS is a plugin for the Eclipse IDE. It is a static security scanner for Java source code. The plugin creates an AST for the source code and then uses the visitor pattern to find patterns in the AST that could be possible security bugs.
 
milk: http://milk.sourceforge.net/ <http://milk.sourceforge.net/> 
Milk is a security source code assessment tool using Orizon as API. Milk scans java and .NET source file in order to perform a security code review trying to point out safe coding best practices misuse
 
 
BogoSec : Source Code Security Quality Metric http://bogosec.sourceforge.net/ <http://bogosec.sourceforge.net/> 
BogoSec aims to increase awareness regarding code security vulnerabilities, while encouraging developers to produce more secure code over time. By simplifying the code scanning process, BogoSec achieves a goal of allowing developers to scan their code regularly and more effectively. 
Users also can benefit by using BogoSec in another way; comparing different available packages or consecutive releases of a package and identifying trends in the security level will enable users to make more educated software choices. 
 
BogoSec is a pluggable flexible framework. 
It currently has plugins to support the following three scanners: 
  
Flawfinder <http://www.dwheeler.com/flawfinder> http://www.dwheeler.com/flawfinder <http://www.dwheeler.com/flawfinder/> /
RATS http://www.securesw.com/rats/ <http://www.securesw.com/rats/> 
ITS4 http://www.cigital.com/its4/ <http://www.cigital.com/its4/> 
 

Hammurapi
URL: http://www.hammurapi.org/ <http://www.hammurapi.org/>   


There are a lot of tools for code analysis, not only java and .net, but also asp, php, c and so on. Enjoy it :  http://www.nosec.org/web/index.php?q=codereview

(SWAAT), you can download it from our site. http://securitycompass.com/inner_swaat.shtml

 There's some good material from the speaker at the last OWASP-Austin (TX) meeting. He has links to open source Java and .Net static analysis tools. The presentation also includes some general info on static vs dynamic analysis: http://denimgroup.typepad.com/denim_group/2008/03/static-analysis.html <http://denimgroup.typepad.com/denim_group/2008/03/static-analysis.html> 

	From this presentation:

	* FindBugs (Java) findbugs.sourceforge.net

	* PMD (Java)  pmd.sourceforge.net

	* FxCop(.NET)  www.gotdotnet.com/Team/FxCop/  
	FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines.
	http://www.microsoft.com/downloads/details.aspx?familyid=3389F7E4-0E55-4A4D-BC74-4AEABB17997B&displaylang=en 

	* XSSDetect (.NET) blogs.msdn.com/ace_team/archive/2007/10/22/xssdetect-public-beta-now-available.aspx 

Commercial Products:

I got a few recommendations for  Fortify  http://www.fortifysoftware.com <http://www.fortifysoftware.com/> 

I got a couple of recommendations for XSS Detect for  .NET as well.  This beta version appears free to download, at least for now.
XSSDetect http://www.microsoft.com/downloads/details.aspx?FamilyID=19a9e348-bdb9-45b3-a1b7-44ccdcb7cfbe&displaylang=en <http://www.microsoft.com/downloads/details.aspx?FamilyID=19a9e348-bdb9-45b3-a1b7-44ccdcb7cfbe&displaylang=en> 
 
XSSDetect is a static code analysis tool that helps identify Cross-Site Scripting security flaws found within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such "sanitized" paths.
 

Others mentioned :

Ouncelabs, 

KlocWork

Regards,
 
Matt Truxaw
Development Manager
 

**********************************************************************
This message contains confidential information intended only for the use of the addressee(s) named above and may contain information that is legally privileged.  If you are not the addressee, or the person responsible for delivering it to the addressee, you are hereby notified that reading, disseminating, distributing or copying this message is strictly prohibited.  If you have received this message by mistake, please immediately notify us by replying to the message and delete the original message immediately thereafter.

Thank you.

                                   FADLD Tag
**********************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20080422/dbcc9054/attachment.html>


More information about the websecurity mailing list