Open source code analysis tools

11 April 2023 3 minutes Author: Endpool

Dynamic or static code analysis?

Many different tools have to be used to check software quality. In particular, they include static and dynamic analysis tools. In this article, we will try to understand why one methodology, either static or dynamic analysis, may not be sufficient for comprehensive program analysis and why it is better to use these two approaches together. Static code analysis is the process of identifying errors and flaws in the source code of programs. It is not necessary to run the program for its execution, all analysis will be performed on the existing code base. The closest analogy that can be made with static code analysis is the so-called code review process, only automated (which is performed by a robot program). Note that the use of static code analysis is not limited to the detection of errors in the program. Some static analyzers allow you to check whether the source code conforms to the company’s accepted code design standard.

Dynamic code analysis is a way of analyzing a program directly during its execution. The analysis is performed with the help of a set of data that is provided as an input to the program under study. Therefore, the effectiveness of the analysis directly depends on the quality and quantity of input data for testing. It is from them that the completeness of the code coverage depends, which will be obtained as a result of testing. Dynamic testing is most important in those industries where the main criterion is the reliability of the program, response time or consumed resources. It can be, for example, a real-time system that manages a responsible area of production, or a database server. In such areas, any mistake made can be critical.

TABBY

TABBY is a static code analysis tool for the Java language.

CLICK HERE

Gosec

Checks source code for security issues by scanning the Go AST.

CLICK HERE

Kunlun-Mirror

A static scanning tool that supports PHP, JavaScript, etc.

CLICK HERE

Phptrace

A tracing and debugging tool for PHP scripts.

CLICK HERE

Nodejsscan

Static security code scanner (SAST) for Node.js.

CLICK HERE

Python

Static security code scanner for Python programs.

CLICK HERE

PHP-Reaper

Very fast PHP tool to scan ADOdb code for SQL injections.

CLICK HERE

Phortress

Static PHP code analyzer for finding potential vulnerabilities.

CLICK HERE

Hades

Hades – a system for detecting static vulnerabilities in code.

CLICK HERE

Overview

Bandit is a tool designed to quickly find common security issues in Python code.

CLICK HERE

Goreporter

A Golang tool that performs static analysis, code review, and generates a code quality report.

CLICK HERE

Codemillx

 Is a CodeQL helper that extracts comments from code and can  generate codeql qll library modules.

CLICK HERE

Python Taint

Static analysis of Python web applications based on theoretical foundations (control flow graphs, fixed point, data flow analysis)

CLICK HERE

GoKart

 

GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignment) form of Go source code.

CLICK HERE

Cobra

Cobra is a source code security auditing tool that supports the discovery of security issues in the source code of a wide range of development languages.

CLICK HERE

Other related articles
ServicesSoft
Read more
Ways of using JS in cyber security
JavaScript is a dynamic, prototype programming language. Classified as a prototypical subset of object-oriented, but also supports other imperative and functional programming paradigms.
617
Found an error?
If you find an error, take a screenshot and send it to the bot.