scholarly journals Analyzing False Positive Source Code Vulnerabilities Using Static Analysis Tools

2018 ◽  
Author(s):  
Foteini Cheirdari ◽  
George Karabatis
Keyword(s):  
Static Analysis ◽  
False Positive ◽  
Source Code ◽  
Analysis Tools ◽  
Positive Source

scholarly journals Evaluation of SQL Injection Vulnerability Detection Tools

2019 ◽  
Vol 9 (1) ◽  
pp. 1747-1751
Keyword(s):  
Static Analysis ◽  
Web Applications ◽  
Source Code ◽  
False Negative ◽  
Vulnerability Detection ◽  
Sql Injection ◽  
User Input ◽  
Root Cause ◽  
Analysis Tools ◽  
Free Open Source

SQL injection vulnerabilities have been predominant on database-driven web applications since almost one decade. Exploiting such vulnerabilities enables attackers to gain unauthorized access to the back-end databases by altering the original SQL statements through manipulating user input. Testing web applications for identifying SQL injection vulnerabilities before deployment is essential to get rid of them. However, checking such vulnerabilities by hand is very tedious, difficult, and time-consuming. Web vulnerability static analysis tools are software tools for automatically identifying the root cause of SQL injection vulnerabilities in web applications source code. In this paper, we test and evaluate three free/open source static analysis tools using eight web applications with numerous known vulnerabilities, primarily for false negative rates. The evaluation results were compared and analysed, and they indicate a need to improve the tools.

scholarly journals Detecting security vulnerabilities with static analysis – A case study

2021 ◽  
Keyword(s):  
Open Source ◽  
Static Analysis ◽  
Source Code ◽  
Performance Comparison ◽  
Test Suite ◽  
Study Analysis ◽  
Security Vulnerabilities ◽  
Analysis Tools ◽  
A Performance

Abstract Many security vulnerabilities can be detected by static analysis. This paper is a case study and a performance comparison of four open-source static analysis tools and plugins (PMD, SpotBugs, Find Security Bugs, and SonarQube) on Java source code. Experiments have been conducted on the widely used Juliet Test Suite with respect to six selected weaknesses from the official Top 25 list of Common Weakness Enumeration. In this study, analysis metrics have been calculated for helping Java developers decide which tools can be used when checking their programs for security vulnerabilities. It turned out that particular weaknesses are best detected with particular tools.

scholarly journals Automatically Fixing Static Analysis Tools Violations

2020 ◽  
Author(s):  
Diego Marcilio ◽  
Rodrigo Bonifácio
Keyword(s):  
Static Analysis ◽  
Source Code ◽  
False Positives ◽  
Analysis Tools ◽  
Two Stages ◽  
Programming Practices

Static analysis tools analyze source code to find deviations, or violations, from recommended programming practices defined as rules. A warning is raised when a piece of code violates any rule. Even though these tools can help to identify defects, developers still face several barriers when using them. Among the challenges are the significant number of reported warnings, often caused by false-positives, and the need to devise fixes, a repetitive and error-prone process. In this work, we addressed these two difficulties in two stages: 1) we identified which kind of rules are mostly fixed by Java developers when using SonarQube (a widely used static analysis tools); 2) we implemented a tool that provides automatic fixes for a subset of the previously commonly fixed found rules. The results obtained indicate that providing automatic fixes for commonly fixed warnings is feasible and welcomed by developers.

scholarly journals Static Analysis: An Introduction

Queue ◽  
2021 ◽  
Vol 19 (4) ◽  
pp. 29-41
Author(s):  
Patrick Thomson
Keyword(s):  
Computer Science ◽  
Static Analysis ◽  
Source Code ◽  
Theory And Practice ◽  
Analysis Tool ◽  
Linux Kernel ◽  
Analysis Tools ◽  
The Future ◽  
Static Analysis Tool

Modern static-analysis tools provide powerful and specific insights into codebases. The Linux kernel team, for example, developed Coccinelle, a powerful tool for searching, analyzing, and rewriting C source code; because the Linux kernel contains more than 27 million lines of code, a static-analysis tool is essential both for finding bugs and for making automated changes across its many libraries and modules. Another tool targeted at the C family of languages is Clang scan-build, which comes with many useful analyses and provides an API for programmers to write their own analyses. Like so many things in computer science, the utility of static analysis is self-referential: To write reliable programs, we must also write programs for our programs. But this is no paradox. Static-analysis tools, complex though their theory and practice may be, are what will enable us, and engineers of the future, to overcome this challenge and yield the knowledge and insights that we practitioners deserve.

Is Static Analysis Able to Identify Unnecessary Source Code?

2020 ◽  
Vol 29 (1) ◽  
pp. 1-23
Author(s):  
Roman Haas ◽  
Rainer Niedermayr ◽  
Tobias Roehm ◽  
Sven Apel
Keyword(s):  
Static Analysis ◽  
Source Code

scholarly journals Hypervisor-assisted dynamic malware analysis

Cybersecurity ◽  
2021 ◽  
Vol 4 (1) ◽  
Author(s):  
Roee S. Leon ◽  
Michael Kiperberg ◽  
Anat Anatey Leon Zabag ◽  
Nezer Jacob Zaidenberg
Keyword(s):  
Dynamic Analysis ◽  
Static Analysis ◽  
Cyber Security ◽  
Malware Analysis ◽  
Analysis Tools ◽  
Significant Performance

AbstractMalware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system’s efficiency suggests that the induced performance overhead is negligible.

Static analysis tools for security checking in code at Motorola

2008 ◽  
Vol XXVIII (1) ◽  
pp. 76-82 ◽  
Author(s):  
R Krishnan ◽  
Margaret Nadworny ◽  
Nishil Bharill
Keyword(s):  
Static Analysis ◽  
Analysis Tools
Sign in / Sign up

Export Citation Format

Share Document