Re: Static Code Analysis - Nuts and Bolts

[solemn <sohlow () gmail com>]

it's not free, but it's still fuckin' badass.
http://smartbearsoftware.com/codecollab.php

i'm still a fan of a text editor(vim) + ctags/cscope tho.

On 6/12/07, Paul Sebastian Ziegler <psz () observed de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi list,
>
> due to personal interest I'd like to ask on your opinion regarding best
> practices for static code analysis.
> I guess most of us are accustomed to this method. After all - if you
> want to find a vulnerability that basically means that either luck,
> fuzzing or statical analysis will have something to do in the process.
>
> Now statical analysis of many languages can be quite fun. Take PHP and
> Python for example. You can mostly read the code like a book and mark
> down interesting passages to further analyze later on. Grep and a good
> editor are about all we need.
>
> However other languages often tend to become really nasty. Let's say we
> want to analyze a 2MB C-source split up into several thousand files.
> "cat * | grep strcpy" will most probably return about a hundred results.
> I just did a lot of static analysis lately and sometimes it took me more
> than half an hour to trace back _one_ of the strcpy()-calls and check if
>  the copied bits could be controlled in some way.
>
> Of course not every dangerous call takes this long to check (also I
> might be a little slow), however I think that you all know what I'm
> talking about here.
>
> So after not having slept for about a week I started to search for tools
> to ease working on my projects. (Yes, I did drop my plans of auditing
> 2MB C-sources using only vim and grep...)
> Now this is where I'd like to open up an exchange on best practices and
> tool-combinations.
> What program(s) do you use in static code analysis? It doesn't matter if
> you are a hardcore grep+editor researcher or if you use complex
> frameworks: Tell me (and also the rest of the list) about it.
>
> I took a quick look at flawfinder and rats. However they do nothing that
> grep couldn't accomplish as well. For browsing the code and finding
> references to functions or declarations of variables I am currently
> using redhat's source-navigator.
> It is by no means perfect and has been unmaintained for a while -
> however it is still a great help.
> That is just my two cents.
>
> Any remarks/hints/ideas/concepts/nuts would be greatly appreciated by me
> as well as a lot of other people interested in the matter. (At least I
> hope so.)
>
> So please share your knowledge.
>
> Many Greetings
> Paul
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFGby6uaHrXRd80sY8RChzMAJ4yYYMwrYWl4jYFWf+My0F9F6j9kACg+gJ3
> tJ85/F9c5u1EMH6cUeSH1dA=
> =Z8rK
> -----END PGP SIGNATURE-----