Static Source Code Security Analyzers Comparison
Gisela P. Petrini
Khu Technologies S.A, Buenos Aires, Argentina
[email protected]
ABSTRACT
Application security encompasses countermeasures to prevent vulnerabilities or weaknesses throughout the Software Development Life Cycle (SDLC). The challenge is how to find and avoid these vulnerabilities efficiently. One of the most common methods is the use of static code analysis tools.
Keywords
Application security, static source code analysis, software quality
1. INTRODUCTION
2. RELATED WORK
https://samate.nist.gov/SRD/testsuite.php
http://checkstyle.sourceforge.net/
4 http://findbugs.sourceforge.net/
5 https://www.owasp.org/index.php/OWASP_LAPSE_Project
6 https://pmd.github.io/
7 http://jlint.sourceforge.net/
8 http://cppcheck.sourceforge.net/
9 https://msdn.microsoft.com/vstudio
10 http://www.sonarqube.org/
11 http://sourceforge.net/projects/visualcodegrepp/
12 http://www8.hp.com/ar/es/software-solutions/applicationsecurity-testing/
3 https://www.owasp.org/index.php/Code_Review_Introduction
3. METHOD AND TOOLS DESCRIPTION
The objective of the present work was to compare the quality of several static source code analysis tools in order to determine which one provides better accuracy. For this purpose, a set of test cases selected from the Juliet Test Suite for the Java language was analyzed with the different scan tools described in this section.
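As an added illustration of how such a comparison is scored (this is not the paper's own code, and its rate definitions are assumptions rather than the estimators of Section 4.1), the following Python matches a tool's findings against Juliet-style test cases and computes per-CWE true positive and false positive rates. The file names, method names and the findings list are constructed sample data.

```python
import re
from collections import defaultdict
# Juliet test case files are named CWE<id>_<flaw>__<variant>_<nn>.java; each holds a
# bad() method containing the flaw and one or more good*() methods that do not.
JULIET_NAME = re.compile(r"^CWE(?P<cwe>\d+)_")

# Constructed ground truth (file -> methods); the real suite has thousands of files.
TEST_CASES = {
    "CWE89_SQL_Injection__connect_tcp_execute_01.java": ["bad", "goodG2B", "goodB2G"],
    "CWE89_SQL_Injection__getCookies_Servlet_prepareStatement_01.java": ["bad", "goodG2B", "goodB2G"],
    "CWE259_Hard_Coded_Password__connect_tcp_01.java": ["bad", "good1"],
    "CWE327_Use_Broken_Crypto__RC2_01.java": ["bad", "good1"],
}

# Constructed tool report: (file, method, CWE id the tool reported).
FINDINGS = [
    ("CWE89_SQL_Injection__connect_tcp_execute_01.java", "bad", 89),
    ("CWE89_SQL_Injection__connect_tcp_execute_01.java", "goodG2B", 89),   # false positive
    ("CWE259_Hard_Coded_Password__connect_tcp_01.java", "bad", 259),
    ("CWE327_Use_Broken_Crypto__RC2_01.java", "good1", 89),                # false positive, wrong CWE
]

def cwe_of(filename):
    """CWE id encoded in a Juliet test case file name."""
    m = JULIET_NAME.match(filename)
    if not m:
        raise ValueError(f"not a Juliet test case name: {filename}")
    return int(m.group("cwe"))

def score(test_cases, findings):
    """Per CWE, in percent (assumed definitions): true positive rate = bad methods flagged
    with the file's own CWE over all bad methods; false positive rate = good methods
    flagged with any CWE over all good methods."""
    flagged = defaultdict(set)                     # (file, method) -> reported CWE ids
    for f, method, cwe in findings:
        flagged[(f, method)].add(cwe)
    counts = defaultdict(lambda: {"bad": 0, "tp": 0, "good": 0, "fp": 0})
    for f, methods in test_cases.items():
        cwe = cwe_of(f)
        c = counts[cwe]
        for method in methods:
            if method == "bad":
                c["bad"] += 1
                c["tp"] += int(cwe in flagged[(f, method)])   # only the matching CWE counts
            else:
                c["good"] += 1
                c["fp"] += int(bool(flagged[(f, method)]))    # any report on a good method
    return {cwe: {"tp_rate": round(100.0 * c["tp"] / c["bad"], 3),
                  "fp_rate": round(100.0 * c["fp"] / c["good"], 3)}
            for cwe, c in counts.items()}
```

Scoring by method rather than by file is what exposes a tool that flags the good variants as well as the bad one, which a file-level hit count would hide.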
Tool | Owner | License
Lapse+ | OWASP | Open source
VCG | N1ckDunn | Open source
Sonarqube | Sonarsource | Open source
Coverity Code Advisor On Demand | Coverity | Commercial
Fortify on Demand | HP | Commercial
3.2.1. LAPSE+
LAPSE+ is a security scanner for Java EE applications. It is part of the OWASP LAPSE Project. LAPSE+ is based on static code analysis in order to detect the source and the
https://cwe.mitre.org/
3.2.2. Sonarqube
4. RESULTS
4.1. Estimators
4.2.
4.3. Values
True
Tools | CWE89 | CWE81 | CWE80
Lapse+ | 59.677% | 0.000% | 59.677%
VCG | 24.946% | 30.755% | 19.892%
Sonarqube | 10.753% | 0.000% | 0.000%
Coverity Code Advisor On Demand | 24.194% | 0.000% | 32.258%
Fortify on Demand | 9.946% | 0.000% | 0.000%

Tools (Lapse+, VCG, Sonarqube, Coverity Code Advisor On Demand, Fortify on Demand) | CWE256 | CWE259 | CWE327
Cell values as printed (12 of the 15 cells are present): 0.000%, 0.000%, 0.000%, 0.000%, 0.000%, 0.000%, 48.387%, 14.516%, 100.000%, 100.000%, 100.000%, 50.000%
Tools | CWE89 | CWE81 | CWE80
Lapse+ | 0.408% | 0.000% | 1.350%
VCG | 0.425% | 1.536% | 1.870%
Sonarqube | 0.228% | 0.000% | 0.000%
Coverity Code Advisor On Demand | 0.007% | 0.000% | 0.029%
Fortify on Demand | 0.003% | 0.000% | 0.000%

Tools (Lapse+, VCG, Sonarqube, Coverity Code Advisor On Demand, Fortify on Demand) | CWE256 | CWE259 | CWE327
Cell values as printed (12 of the 15 cells are present): 0.000%, 0.000%, 1.758%, 0.000%, 0.000%, 0.000%, 0.042%, 0.000%, 0.000%, 0.000%, 2.629%, 1.786%

5. CONCLUSIONS
6. FUTURE WORK
7. REFERENCES