How many times, did you need an automatic static code analyzer? What was your first option? Some people often think in some commercial solutions like Fortify or Veracode, but what about the free options? The commercial options are too expensive, for small companies or for freelance security specialists. For that reason, we are going to enumerate the top of free static code analysis tools.
Brakeman
For: Ruby
Setup: Require Ruby and Gem. Install using “gem install Brakeman”.
How to use: “brakeman application_path”
Link: https://github.com/presidentbeef/brakeman
Comments: It the best scanner for Ruby. Its specialty is the “on rails” applications.
Setup: Require Ruby and Gem. Install using “gem install Brakeman”.
How to use: “brakeman application_path”
Link: https://github.com/presidentbeef/brakeman
Comments: It the best scanner for Ruby. Its specialty is the “on rails” applications.
NodeJsScan
For: NodeJs
Setup: It only requires python.
How to use: “python NodeJsScan.py -d <dir>”
Link: https://github.com/ajinabraham/NodeJsScan
Comments: This scanner has a minimum of false positive. It has periodic updates.
Setup: It only requires python.
How to use: “python NodeJsScan.py -d <dir>”
Link: https://github.com/ajinabraham/NodeJsScan
Comments: This scanner has a minimum of false positive. It has periodic updates.
RIPS
For: PHP
Setup: It requires PHP.
How to use: RIPS is a web application written in PHP, you have to install Apache HTTP and run the web application.
Link: https://sourceforge.net/projects/rips-scanner
Comments: This is great scanner. It finds a lot of possible issues. Sadly, the new version is not free, so the free version is not supported any more.
Setup: It requires PHP.
How to use: RIPS is a web application written in PHP, you have to install Apache HTTP and run the web application.
Link: https://sourceforge.net/projects/rips-scanner
Comments: This is great scanner. It finds a lot of possible issues. Sadly, the new version is not free, so the free version is not supported any more.
Findbugs
For: Java
Setup: It requires Java SE.
How to use: Open the jar application, and select the source code folder.
Link: http://findbugs.sourceforge.net/
Comments: Findbugs is a general purpose scanner. It will find for bugs and bad practices. In particular, it has got a security module, which can find security issues like XSS, SQLi, etc.
Setup: It requires Java SE.
How to use: Open the jar application, and select the source code folder.
Link: http://findbugs.sourceforge.net/
Comments: Findbugs is a general purpose scanner. It will find for bugs and bad practices. In particular, it has got a security module, which can find security issues like XSS, SQLi, etc.
Microsoft FxCop
For: .Net
Setup: It requires .Net
How to use: Open the application, and select the exe or dll files.
Link: https://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx
Comments: This is a good scanner, it will find the most of the vulnerabilities. This scanner will analyze the compiled files. If you have the code, you need compiled it.
Setup: It requires .Net
How to use: Open the application, and select the exe or dll files.
Link: https://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx
Comments: This is a good scanner, it will find the most of the vulnerabilities. This scanner will analyze the compiled files. If you have the code, you need compiled it.
JsHint
For: JavaScript
Setup: It requires NodeJs. To install run “npm install -g jshint”.
How to use: “jshint application_path”
Link: http://jshint.com
Comments: It find a lot of false positives. It finds code bad practices, most of them are not false positives (LOL).
Setup: It requires NodeJs. To install run “npm install -g jshint”.
How to use: “jshint application_path”
Link: http://jshint.com
Comments: It find a lot of false positives. It finds code bad practices, most of them are not false positives (LOL).
CodeCrawler
For: C#
Setup: It requires .Net
How to use: Open the application folder with the source code.
Link: https://codecrawler.codeplex.com/
Comments: It finds a lot of false positives and fails several times (crash!).
Setup: It requires .Net
How to use: Open the application folder with the source code.
Link: https://codecrawler.codeplex.com/
Comments: It finds a lot of false positives and fails several times (crash!).
YASCA
For: .Net, Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL
Setup: Install the msi.
How to use: “yasca.exe application_path”
Link: http://www.scovetta.com/yasca.html
Comments: It is a multi-language scanner. It finds a lot of false positives. It finds some bad practices too.
Setup: Install the msi.
How to use: “yasca.exe application_path”
Link: http://www.scovetta.com/yasca.html
Comments: It is a multi-language scanner. It finds a lot of false positives. It finds some bad practices too.
Visual Code Grepper
For: C++, C#, VB, PHP, Java and PL/SQL
Setup: Install the msi.
How to use: Open the application and select the source code.
Link: https://sourceforge.net/projects/visualcodegrepp/
Comments: It is a multi-language scanner too. It finds a lot of false positives, but less than YASCA.
Setup: Install the msi.
How to use: Open the application and select the source code.
Link: https://sourceforge.net/projects/visualcodegrepp/
Comments: It is a multi-language scanner too. It finds a lot of false positives, but less than YASCA.
Graudit (Only Linux)
For: ASP, JSP, Perl, PHP, Python
Setup: Download and execute.
How to use: “graudit application_path”.
Link: https://github.com/wireghoul/graudit
Comments: This scanner uses a knowledge base based in regular expressions. The most advantage is that can be easily customize to find custom issues. Using the default base, I did not get good results, a lot of false positives web found, and many real issues were not identified.
Setup: Download and execute.
How to use: “graudit application_path”.
Link: https://github.com/wireghoul/graudit
Comments: This scanner uses a knowledge base based in regular expressions. The most advantage is that can be easily customize to find custom issues. Using the default base, I did not get good results, a lot of false positives web found, and many real issues were not identified.
Code Warrior (Only Linux)
For: C, C#, PHP, Java, Ruby, ASP, JavaScript
Setup: Download and compiled it using “make”.
How to use: Open the application and select the source code.
Link: https://github.com/CoolerVoid/codewarrior
Comments: Like RIPS this scanner is a web application. But we do not need Apache, only run the scanner, and the browser will be opened. Then we have to select the source code. In my opinion, and based in the results, this “multi” scanner is the best option. It find a lot of issues, and a low rate of false positives.
Setup: Download and compiled it using “make”.
How to use: Open the application and select the source code.
Link: https://github.com/CoolerVoid/codewarrior
Comments: Like RIPS this scanner is a web application. But we do not need Apache, only run the scanner, and the browser will be opened. Then we have to select the source code. In my opinion, and based in the results, this “multi” scanner is the best option. It find a lot of issues, and a low rate of false positives.
No comments:
Post a Comment