This post is an original by hyddd; please credit the source when reposting, thanks 8>~
I have spent the last two days looking into static code scanning. At first I had no clear direction; a search turned up a great deal of material, which I have sorted into this document. There is so much that a lot is still left out.
Static code scanning, borrowing an explanation found online (which calls it static checking): "Static testing includes code inspection, static structure analysis, code quality measurement and so on. It can be performed by people, making full use of human logical reasoning, or automatically with the help of software tools. Code inspection covers code walkthroughs, desk checking, code review and the like. It mainly checks the consistency of the code with the design, the code's adherence to standards and its readability, the correctness of the code's logic and the soundness of its structure; it can find violations of coding standards, parts of the program that are unsafe, unclear or ambiguous, non-portable parts and departures from programming style, and includes variable checks, naming and type review, program logic review, syntax checks and structure checks."
Having looked at a series of static code scanning (or static code analysis) tools, my summary view of them is this: a static code scanner is actually quite similar to certain parts of a compiler. It too needs lexical analysis, syntax analysis, semantic analysis... The difference from a compiler is that it lets you define all sorts of complex rules to analyze the code against.
The static scanning tools listed below differ greatly in capability because of differences in implementation, algorithms and depth of analysis. Some can check for SQL injection, others cannot. (Of course, for lack of time I have not yet studied the rule sets. Detecting complex security vulnerabilities in code needs more sophisticated analysis algorithms, so some things probably cannot be found simply by configuring a rule base; still, security checks can to a certain extent be done by configuring rules.)
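To make the "compiler front end plus custom rules" point concrete, here is an added example that is not from any tool on this page: a toy rule-based checker that lets Python's own parser (the ast module) do the lexing and parsing, then applies one taint rule for SQL injection over the resulting tree. The sink and source names, the sample functions, and the assumption that every function parameter is attacker-controlled are all choices made for the example.

```python
"""Toy rule-based static checker for Python source: one taint rule for SQL injection.

Added example, not code from any tool on this page.  The parser is Python's
own (ast); the "rule" is the few lines of logic in check_function().
"""
import ast

# Rule configuration (assumed names, chosen for the example).
SINKS = {"execute", "executemany"}   # DB-API cursor methods that run SQL
SOURCES = {"input"}                   # calls whose result is attacker-controlled


def _call_name(call):
    """'execute' for cur.execute(...), 'input' for input(...), else None."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _expr_tainted(expr, tainted):
    """An expression is tainted if it mentions a tainted name or calls a source."""
    for node in ast.walk(expr):
        if isinstance(node, ast.Name) and node.id in tainted:
            return True
        if isinstance(node, ast.Call) and _call_name(node) in SOURCES:
            return True
    return False


def _preorder(node):
    """Pre-order traversal, which visits statements in source order."""
    yield node
    for child in ast.iter_child_nodes(node):
        yield from _preorder(child)


def check_function(fn):
    """Flow-insensitive forward taint pass over one function.

    Every parameter is assumed attacker-controlled (think of a web handler).
    Deliberately not handled: sanitizers, joins across branches, calls into
    other functions.  Real tools spend most of their effort on exactly those.
    """
    tainted = {a.arg for a in fn.args.args}
    findings = []
    for node in _preorder(fn):
        if isinstance(node, ast.Assign) and _expr_tainted(node.value, tainted):
            tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        elif isinstance(node, ast.AugAssign) and isinstance(node.target, ast.Name):
            if _expr_tainted(node.value, tainted):
                tainted.add(node.target.id)
        elif isinstance(node, ast.Call) and _call_name(node) in SINKS and node.args:
            query = node.args[0]
            # A literal query string cannot carry injected SQL; anything else
            # that depends on tainted data is reported.
            if not isinstance(query, ast.Constant) and _expr_tainted(query, tainted):
                findings.append((node.lineno, fn.name, _call_name(node)))
    return findings


def scan(source):
    """Return [(line, function, sink), ...] for every function in the module."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            findings.extend(check_function(node))
    return sorted(findings)


# Constructed input for the example (not real application code).
SAMPLE = '''\
def find_user(db, username):
    cur = db.cursor()
    q = "SELECT * FROM users WHERE name = '" + username + "'"   # unsafe: concatenation
    cur.execute(q)

def find_user_safe(db, username):
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = %s", (username,))  # parameterized

def report(db):
    table = input("table: ")
    db.cursor().execute("SELECT count(*) FROM {}".format(table))   # unsafe: format
'''

if __name__ == "__main__":
    for line, func, sink in scan(SAMPLE):
        print(f"line {line}: {func}() passes tainted, non-literal SQL to {sink}()")
```

Run on the sample, the two functions that build the query from caller data are reported and the parameterized one is not. What the checker deliberately lacks (recognizing sanitizers, merging taint across branches, following calls into other functions) is the "more sophisticated analysis" the paragraph above refers to: a rule table alone gets you the sink and source names, not the data flow between them.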
Below are the analysis tools I collected online; I sorted through them and picked some out. This is only a part of them; the rest can be found through the reference links:

| Tool | Languages scanned | Open source / paid | Vendor | Notes | Homepage |
|------|-------------------|--------------------|--------|-------|----------|
| Ounce 5.0 | VB.Net, C, C++ and C#; also Java | Paid | Ounce Labs | \ | http://www.ouncelabs.com/ |
| Coverity Prevent | C/C++, C#, Java | Paid | Coverity | Companion tools: 1. Coverity Thread Analyzer for Java; 2. Coverity Software Readiness Manager for Java; 3. Coverity Architecture Analyzer | http://www.coverity.com/index.html |
| @stake SmartRisk™ Analyzer | C/C++, Java | Paid | Symantec Corporation | "@stake SmartRisk™ Analyzer harnesses the power of static analysis of binary executables (C, C++, and Java) to identify, categorize and prioritize security." Note: I could not find this product on Symantec's site?! | http://www.symantec.com/business/index.jsp |
| Rational Purify | | Paid | IBM | Provides memory leak and memory corruption detection for Windows. Note: Purify instruments the running program, so it is a runtime (dynamic) tool rather than a static analyzer. | http://www-01.ibm.com/software/awdtools/purify/ |
| PREfix | | | Microsoft | Static analysis tool used internally at Microsoft; I have not found a download yet, and it now seems to be under consideration for release! | |
| Jtest | Java | Paid | Parasoft | Parasoft also has other static analysis products, e.g. C++Test; see the vendor site for details. | http://www.parasoft.com/jsp/cn/support.jsp |
| flawfinder | C/C++ | Open source | | Security audit tool for C/C++ programs, written in Python; reports potentially risky constructs. | http://www.dwheeler.com/flawfinder/ |
| Fortify Static Code Analyzer (SCA) | | Paid | Fortify | | http://www.fortify.com/ |
| Klocwork Insight | C/C++, Java | Paid | Klocwork | | http://www.klocwork.com/products/insight.asp |
| PolySpace Client/Server | C/C++, Ada | Paid | MathWorks | | http://www.mathworks.cn/ |
| RATS | C/C++, Python, Perl, PHP | Open source | Fortify | Rough Auditing Tool for Security: security audit tool for C/C++, Python, Perl and PHP code. | http://www.fortify.com/security-resources/rats.jsp |
| LAPSE | Java (J2EE) | Open source | OWASP | LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project. | http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project |
| Fluid | Java | | Carnegie Mellon University | We have explored properties including: race conditions and locking policies; unique references and other programmer-significant aliasing properties; effects; appropriate typing; realtime threading policies; and single-threading policies. | http://www.fluid.cs.cmu.edu:8080/Fluid |
| Splint | C | Open source | University of Virginia, Department of Computer Science | Static checker for C programs aimed at security vulnerabilities and coding mistakes. | http://www.splint.org/ |
| cqual | C | Open source | University of Maryland | Lightweight static scanner based on type-qualifier inference; runs on Linux-like systems. | http://www.cs.umd.edu/~jfoster/cqual/ |
| MOPS | C | Open source | UC Berkeley | MOPS is a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming. | http://www.cs.berkeley.edu/~daw/mops/ |
| BOON | C | Open source | UC Berkeley | BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code. Buffer overruns are one of the most common types of security holes, and we hope that BOON will enable software developers and code auditors to improve the quality of security-critical programs. | http://www.cs.berkeley.edu/~daw/boon/ |
| BLAST | C | Open source | The BLAST 2.0 Team | BLAST is a software model checker for C programs. The goal of BLAST is to be able to check that software satisfies behavioral properties of the interfaces it uses. BLAST uses counterexample-driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties. The abstraction is constructed on-the-fly, and only to the required precision. | http://mtc.epfl.ch/software-tools/blast/ |
| SpikeWAMP | PHP | | SpikeSource | For analyzing PHP programs. | http://developer.spikesource.com/wiki/index.php/SpikeWAMP |
| Pixy | PHP | Open source | TU Vienna (seclab) | Finding XSS and SQLI vulnerabilities. | http://pixybox.seclab.tuwien.ac.at/pixy/ |
| Milk | Java | Open source | OWASP (Orizon project) | Java source code security scanner built on top of Orizon. They are connected to OWASP. | http://milk.sourceforge.net/download.html |
| Smatch | C | Open source | | Static checker for C code, used mostly on the Linux kernel. | http://smatch.sourceforge.net/ |
| Oink | C++ | Open source | | C++ Static Analysis Tools. | http://www.cubewano.org/oink |
| Frama-C | C | Open source | CEA | Static analyzers for the C language. | http://frama-c.cea.fr/ |
| RTL-check | | Open source | | RTL-check is an extensible and powerful abstract interpretation framework for static analysis of programs from a safety and security perspective. | http://rtlcheck.sourceforge.net/ |
| PMD | Java | Open source | | PMD scans Java source code and looks for potential problems like: possible bugs (empty try/catch/finally/switch statements); dead code (unused local variables, parameters and private methods); suboptimal code (wasteful String/StringBuffer usage); overcomplicated expressions (unnecessary if statements, for loops that could be while loops); duplicate code (copied/pasted code means copied/pasted bugs). | http://pmd.sourceforge.net/ |
| FindBugs | Java | Open source | | Uses static analysis to look for bugs in Java code. Note: an Eclipse plugin is provided. | http://findbugs.sourceforge.net/ |
| ITS4 | C/C++ | | Cigital | Cigital developed ITS4 to help automate source code review for security. | http://www.cigital.com/its4/ |
| QJ-Pro | Java | Open source | | QJ-Pro is a comprehensive software inspection tool targeted towards the software developer. QJ-Pro checks: conformance to coding standards; misuse of the Java language; best practice conformance; code structure; and potential bugs at the earliest stages of development. Note: plugins for various IDEs are provided! | http://qjpro.sourceforge.net/ |
| Jlint | Java | Open source | | Jlint will check your Java code and find bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph. | http://artho.com/jlint/ |
| Hammurapi | Java | | | Code review system that captures coding best practices and delivers them to developers' fingertips. It also generates consolidated reports for lead developers, architects, and managers to monitor codebase quality and evolution. | http://www.hammurapi.biz/hammurapi-biz/ef/xmenu/hammurapi-group/index.html |
| DoctorJ | Java | Open source | | Among what it detects: misspelled words; parameter and exception names (missing, misordered, misspelled); Javadoc tags (invalid, missing expected arguments, invalid arguments, missing descriptions); undocumented classes, methods, fields, parameters. | http://www.incava.org/projects/java/doctorj/index.html |
| Dependency Finder | Java (compiled class files) | Open source | | Dependency Finder is a suite of tools for analyzing compiled Java code. At the core is a powerful dependency analysis application that extracts dependency graphs and mines them for useful information. This application comes in many forms for your ease of use, including command-line tools, a Swing-based application, a web application ready to be deployed in an application server, and a set of Ant tasks. | http://depfind.sourceforge.net/ |
| Checkstyle | Java | Open source | | Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans of this boring (but important) task. This makes it ideal for projects that want to enforce a coding standard. Note: plugins for several IDEs are provided. | http://checkstyle.sourceforge.net/ |
| Classycle | Java | Open source | | Classycle's Analyser analyses the static class and package dependencies in Java applications or libraries. | http://classycle.sourceforge.net/ |
| JDepend | Java | Open source | | JDepend traverses Java class file directories and generates design quality metrics for each Java package. JDepend allows you to automatically measure the quality of a design in terms of its extensibility, reusability, and maintainability to manage package dependencies effectively. | http://www.clarkware.com/software/JDepend.html |
| JCSC | Java | Open source | | JCSC is a powerful tool to check source code against a highly definable coding standard and potential bad code. | http://jcsc.sourceforge.net/ |
| ... | | | | | |

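flawfinder, RATS and ITS4 in the table above work at the lexical level: they look for calls to known-risky functions by name, rank the hits, and do no data-flow analysis at all. The following added example (my own, not flawfinder's code; the rule table and the C sample are assumptions chosen for illustration) shows that approach in the same style, including the one step such tools must get right to avoid the most obvious false positives: ignoring names that only appear inside comments and string literals.

```python
"""Lexical 'risky call' scanner in the style of flawfinder / RATS / ITS4.

Added example, not code from any of those tools.  The rule table below is an
assumption chosen for the example; flawfinder's real database is much larger.
"""
import re

# (risk level, advice), keyed by function name.  Assumed for the example.
RULES = {
    "gets":    (5, "never safe; use fgets with a bounded size"),
    "strcpy":  (4, "unbounded copy; use a bounded copy with the destination size"),
    "sprintf": (4, "unbounded format; use snprintf"),
    "strncpy": (1, "bounded, but check the length argument and NUL termination"),
}

_IDENT_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def strip_comments_and_strings(src):
    """Blank out comments and string/char literals while keeping line numbers.

    Without this pass a name match reports strcpy mentioned in a comment or
    inside a printf format string, the classic false positive of lexical tools.
    """
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if src.startswith("//", i):                 # line comment
            j = src.find("\n", i)
            j = n if j == -1 else j
            out.append(" " * (j - i))
            i = j
        elif src.startswith("/*", i):               # block comment, may span lines
            j = src.find("*/", i + 2)
            j = n if j == -1 else j + 2
            out.append(re.sub(r"[^\n]", " ", src[i:j]))
            i = j
        elif c in "\"'":                            # string or char literal
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1     # skip escaped characters
            j = min(j + 1, n)
            out.append(c + " " * (j - i - 2) + c)
            i = j
        else:
            out.append(c)
            i += 1
    return "".join(out)


def scan_c(src):
    """Return [(line, function, risk, advice)] sorted by risk, highest first."""
    hits = []
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for m in _IDENT_CALL.finditer(line):
            name = m.group(1)
            if name in RULES:
                risk, advice = RULES[name]
                hits.append((lineno, name, risk, advice))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


# Constructed C input for the example (not real project code).
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>

/* strcpy(dst, src) mentioned in a comment must not be reported */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                          /* unbounded copy of caller data */
    printf("strcpy is gone, use strncpy()\n");  /* names inside a string literal */
    strncpy(buf, name, sizeof buf);             /* bounded, still worth a look */
}

int main(void) {
    char line[80];
    gets(line);                                 /* can never be made safe */
    return 0;
}
'''

if __name__ == "__main__":
    for lineno, name, risk, advice in scan_c(SAMPLE_C):
        print(f"[{risk}] line {lineno}: {name}() - {advice}")
```

The output ranks gets() above strcpy() above strncpy(), and the mentions in the comment and in the printf string produce nothing. The limits are just as visible: strcpy() is reported whether or not the source can actually overflow the buffer, and a strncpy() with a wrong length argument is only flagged as low risk, because nothing here knows the sizes involved. That is the trade-off behind the "depth of analysis" differences noted above: cheap, fast, and extended by adding a table entry, but never deeper than a name match.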
The following vendors directly provide code inspection services or related help:
Fortify: http://www.fortify.com/
Aspect Security: http://www.aspectsecurity.com/
OWASP: http://www.owasp.org/index.php/Main_Page
Security Compass: http://www.securitycompass.com/resources.shtml
References:
2. http://www.java2s.com/Product/Java/Byte-Source-Code/Source-Analysis-Diagram.htm
3. http://www.softwarelist.cn/?fsid=53&cid=530&cpath=ABAN
Note: the links above list a large number of related tools.
This article is reposted from hyddd's cnblogs blog; original link: http://www.cnblogs.com/hyddd/archive/2008/12/16/1356310.html. To repost, please contact the original author.