What is Static Code Analysis

August 1, 2020 / By Sivanesh.

Static code analysis (SCA) or Source code analysis is the process of analyzing the source code without executing or running it. Static Analysis can detect possible vulnerabilities in the source code by analyzing a set of code against a set (or multiple sets) of coding rules.

Here are some benefits of Static Code Analysis,

  1. faster project execution
  2. Better source code at check-in
  3. Less costly development cycles
  4. Shorter time-to-market

Syntax Analysis

Syntax Analysis Creates a lossless transformation of the source code by generating the “Abstract Syntax Tree”.

Syntax Analysis can be used to find Coding Style Issues and Simple Defects

  • Simple security defects (e.g. use of banned encryption API)
  • Simple coding style issues (e.g. no dynamic memory allocation)

Data Flow Analysis

Data Flow Analysis Can find program crashes across functions and files. Monitoring the lifecycle of data objects like Creation, Assignment, Usage, Deletion and Must be monitored across all paths in the Control Flow Graph such as Function calls, Compilation units, Etc.,

Complex Issue need trace back ( Sample report of Klocwork – Static Code Analyzer)

Klocwork Report with Root Cause Analysis

Symbolic Logic Analysis

  • Define functional behavior between symbols
  • Don’t necessarily know what the values will be at runtime
  • Used to infer software behavior

Complex Issue need trace back ( Sample Klocwork Report – Static Code Analyser)

Unvalidated integer value ‘size’ is received from ‘atoi’ at line 1474 and can be used to access an array through call to ‘rcs_change_text’ at line 1707.

Security vulnerabilities detection with Klocwork

Klocwork – Static Code Analyser

Klocwork is an ISO, IEC certified static source code analysis tool from Perforce and widely adopted by more than 2,200 customers worldwide, allows developers to identify code defects, at developer’s desktop, while they are coding.

Klocwork static application security testing (SAST) for C, C++, Java and C# can identify software security, quality, and reliability issues and it can help organisations to enforce compliance with industry standards. Klocwork can perform Dataflow Analysis, Syntax Analysis and Symbolic Logic Analysis to analyse the source code for vulnerabilities. Register here for Klocwork Trail, https://meteonic.com/contact-us or send a mail to support@meteonic.com