Static Code Analysis. An Introduction

Static code analysis is a method of finding defects in a program by examining its source code (or compiled artefacts) without executing it. The process gives an understanding of the code structure and can help to ensure that the code adheres to agreed standards.
Automated tools assist developers and auditors in carrying out static analysis. Scrutinising code by visual inspection alone (reading a printout, for example), without the assistance of automated tools, is sometimes called program understanding or program comprehension. This post looks at the main techniques of static code analysis in order to explain the concept.

The principal advantage of static analysis is that it can reveal errors that would otherwise not manifest until a failure occurs weeks, months or years after release.
Static code analysis tools attempt to highlight possible vulnerabilities in 'static' (non-running) source code using several well-defined techniques:

  1. Data Flow Analysis (how values move between variables and expressions)
  2. Control Flow Graph (the possible execution paths through a function, including branches and loops)
  3. Taint Analysis (following untrusted input from its source to a sensitive sink, unless a sanitiser intervenes)
  4. Lexical Analysis (tokenising the source and matching known dangerous patterns, such as calls to unsafe functions)

Limitations of Static Analysis
Static code analysis is used for a specific purpose at a specific phase of development, and some limitations should be noted:
Not understanding the intent of the developer: a static analysis tool may detect a possible overflow in a calculation, but it cannot determine that the function fundamentally does not do what was intended. It checks the rules it has been given, not requirements it has never seen, and it cannot judge whether a developer's home-grown sanitiser is actually adequate.

Cannot detect rules that aren't statically enforceable: some coding rules depend on external documentation or are open to subjective interpretation, and a tool cannot check them.
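The following is an added example, not code from the original post or from any of the tools it lists. It implements, in about eighty lines of Python over the standard `ast` module, a toy version of the techniques listed above: a lexical match on call names (`call_name`), a data-flow state of which variables currently hold attacker data, a control-flow merge at `if`/`else` join points, and taint propagation from sources to sinks. The rule sets `SOURCES`, `SINKS` and `SANITIZERS` and the analysed `SNIPPET` are assumptions chosen for the demo. Running `analyze` a second time with no sanitiser rules also illustrates the intent limitation just described: the tool cannot know that `int()` or `shlex.quote()` make the value safe, so it reports two extra findings.

```python
"""Minimal intraprocedural taint analysis over the Python AST (added example)."""
import ast
from dataclasses import dataclass

# Assumed rule set for the demo; a real tool ships hundreds of such rules.
SOURCES = {"input", "request.args.get"}          # call results are attacker-controlled
SINKS = {"os.system", "cursor.execute", "eval"}  # tainted arguments are dangerous here
SANITIZERS = {"shlex.quote", "int"}             # call results are considered clean


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    expr: str  # source text of the tainted argument


def call_name(node: ast.Call):
    """Lexical step: dotted name of a call target, e.g. 'os.system'; None if dynamic."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self, sanitizers):
        self.tainted = set()      # data-flow state: names currently holding attacker data
        self.sanitizers = sanitizers
        self.findings = []

    def is_tainted(self, node) -> bool:
        """Data-flow check: does this expression carry taint?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = call_name(node)
            if name in SOURCES:
                return True
            if name in self.sanitizers:
                return False                      # sanitiser clears taint
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):           # "cmd " + x, "%s" % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):       # f"... {x}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_If(self, node):
        """Control-flow merge: a name is tainted after if/else when it is tainted
        on either branch (the conservative over-approximation)."""
        self.visit(node.test)
        before = set(self.tainted)
        for stmt in node.body:
            self.visit(stmt)
        after_body, self.tainted = self.tainted, set(before)
        for stmt in node.orelse:
            self.visit(stmt)
        self.tainted |= after_body

    def visit_Call(self, node):
        name = call_name(node)
        if name in SINKS:
            for arg in node.args:
                if self.is_tainted(arg):
                    self.findings.append(Finding(node.lineno, name, ast.unparse(arg)))
        self.generic_visit(node)


def analyze(source: str, sanitizers=frozenset(SANITIZERS)):
    analyzer = TaintAnalyzer(set(sanitizers))
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed snippet under analysis (line 1 is the import).
SNIPPET = '''\
import os, shlex
host = input()
cmd = "ping -c1 " + host
os.system(cmd)                            # line 4: taint reaches a sink
count = int(input())                      # int() declared as sanitiser
os.system("head -n %d log" % count)       # line 6: clean
safe = shlex.quote(input())
os.system("ls " + safe)                   # line 8: clean
if len(host) > 3:
    target = host
else:
    target = "localhost"
cursor.execute("SELECT 1 FROM h WHERE n='" + target + "'")  # line 13: tainted via one branch
'''

if __name__ == "__main__":
    for f in analyze(SNIPPET):
        print(f"line {f.line}: tainted {f.expr!r} reaches {f.sink}")
    # Without sanitiser rules the tool also flags lines 6 and 8: the intent limitation.
    print(len(analyze(SNIPPET, sanitizers=())), "findings without sanitiser rules")
```

The analysis is intraprocedural and flow-sensitive only at `if` statements; loops, function calls, attribute stores and containers are not modelled, which is exactly where a real tool spends most of its engineering effort.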
Benefits:
There are several benefits to using static analysis, especially if you need to comply with specific standards.
Speed: Manual code reviews take developer time; automated tools are much faster. Static code checking finds problems early and pinpoints the file and line where the issue is, so fixes are faster. Coding errors found earlier are also cheaper to fix.
Depth: Testing cannot exercise every possible execution path. A static code analyser reasons about all paths at once by abstracting over concrete values, at the price of some spurious results, and reports where there might be potential problems, based on the rules applied in the tool.
Consistency: Manual reviewers tire and overlook things; an automated tool applies the same rules to every line of code. It is not infallible, however: expect false positives (reports that are not real bugs) that must be triaged, and false negatives for issues outside its rule set.

Choosing a Static Code Analysis Tool
There are many tools available, and a few things to consider when deciding which one to use.
Programming Language: Analysers are built for specific programming languages, so it is important to choose a tool that supports your language (and ideally your build system, so that it can resolve the code's dependencies).
Standards: One of the primary uses of static analysers is to comply with standards. So, if you are in a regulated industry that requires a coding standard, make sure your tool supports that standard.

Below is a list of static code analysis tools. Note that several of the open-source entries are historical: FindBugs has been succeeded by SpotBugs, and FxCop by the Roslyn-based .NET analyzers.
Open Source/Free Static code analysis tools

  1. Agnitio (Objective-C, C#, Java & Android)
  2. Brakeman (Rails)
  3. DevBug (PHP)
  4. FindBugs (Java)
  5. Find Security Bugs (Java, Scala, Groovy)
  6. FlawFinder (C/C++)
  7. Microsoft FxCop (.NET)
  8. DotNET Security Guard (C# and VB.net)
  9. Google CodeSearchDiggity (Multiple)
  10. PMD (Java)
  11. Puma Scan (.NET)
  12. Microsoft PreFast (C/C++)
  13. SonarQube (20+ languages including Java, C#, and JavaScript)
  14. Splint (C)
  15. VisualCodeGrepper (C/C++, C#, VB, PHP, Java & PL/SQL)
  16. RIPS (PHP)
  17. phpcs-security-audit (PHP)
  18. Yasca (Multiple)

Commercial Static code analysis tools

  1. Fortify (OWASP Member)
  2. Veracode (OWASP Member)
  3. GrammaTech
  4. ParaSoft
  5. Armorize CodeSecure (OWASP Member)
  6. Checkmarx Static Code Analysis (OWASP Member)
  7. Rational AppScan Source Edition
  8. Coverity
  9. PVS-Studio
  10. Puma Scan Professional (.NET)
  11. Insight
  12. Polyspace Static Analysis
  13. RIPS NextGen (PHP)
