Penetration Testing mailing list archives

Re: tools to scan source code


From: Barrie Dempster <barrie () reboot-robot net>
Date: Thu, 14 Sep 2006 12:23:20 +0100

Using SWAAT as it comes is not entirely beneficial. The matches that come with 
it in the xml files are extremely naive and will false positive a LOT. For 
example SWAAT will pick up "system" as being a vulnerable call to the system 
command, even if it is within a string, e.g.:
<?php
echo "Backup the system!" ;
?>

This is just one example, it doesn't analyse the code at all.

**********************
Finding Name 
 Backup the System
 
Severity of Finding 
 Medium 
 
Description 
 This function appears to issues a command to the operating system. If user 
supplied input is used here it may lead to operating system injection 
attacks. Ensure all such data is validated.
 

Finding Locations 
 In .\system.php, line 2 (context is <?php echo "Backup the System"; ?>) 
**********************

Far too many false positives for this to be a useful static analyser. It's not 
analysing at all, merely grepping - badly.

I'd steer clear of it for now; it could be more useful if you knock up your 
own XML configs, but since its functionality is more limited than grep, 
you'd be better off just knocking up some grep scripts.
Even `grep system\( *` is a better match, and even this is a naive filter.
Calling SWAAT a static analyser is a bit of an exaggeration of its current 
capabilities.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

              - http://reboot-robot.net -

"He who hingeth aboot, geteth hee-haw" Victor - Still Game
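A minimal context-aware check of the kind the post argues for, added here as an example that is not from the original thread or from SWAAT; the sample PHP files and their names are constructed. It blanks out PHP string literals and comments before matching, so the quoted "Backup the system!" line is no longer reported while a real system() call still is, and it reports both result sets side by side for comparison with the naive word match:

```python
import re

# Constructed sample PHP files (not from the original post): the string case
# described above, a real shell-out, and a commented-out / quoted call.
SAMPLES = {
    "system.php": '<?php\necho "Backup the system!" ;\n?>',
    "run.php": '<?php\n$out = system("ls " . $_GET["dir"]);\n?>',
    "old.php": "<?php\n// system('date');\n$x = 'system(\"id\")';\n?>",
}

NAIVE = re.compile(r"system")                       # what SWAAT effectively does
CALL = re.compile(r"(?<![\w$>:])system\s*\(")       # bare function call only

def naive_hits(src):
    """Flag every line containing the word, regardless of context."""
    return [i + 1 for i, line in enumerate(src.splitlines()) if NAIVE.search(line)]

def strip_strings_and_comments(src):
    """Blank out PHP string literals and comments, keeping newlines so that
    line numbers survive. Handles '...', "...", //, # and /* */."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in "'\"":                              # quoted string
            q, i = c, i + 1
            while i < n and src[i] != q:
                if src[i] == "\\" and i + 1 < n:    # skip escaped char
                    i += 1
                out.append("\n" if src[i] == "\n" else " ")
                i += 1
            i += 1                                  # closing quote
        elif src.startswith("//", i) or c == "#":   # line comment
            while i < n and src[i] != "\n":
                i += 1
        elif src.startswith("/*", i):               # block comment
            end = src.find("*/", i + 2)
            end = n if end < 0 else end + 2
            out.extend("\n" if ch == "\n" else " " for ch in src[i:end])
            i = end
        else:
            out.append(c)
            i += 1
    return "".join(out)

def system_calls(src):
    """Lines that call system() outside any string literal or comment."""
    clean = strip_strings_and_comments(src)
    return [i + 1 for i, line in enumerate(clean.splitlines()) if CALL.search(line)]
```

Running `naive_hits` and `system_calls` over each entry in SAMPLES shows the naive match flagging all three files while only run.php survives the context-aware check; a method or static call such as `$o->system()` is also skipped by the lookbehind.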
