Static program analysis is the analysis of computer software that is performed without actually executing programs. In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.
Here we list the top 6 static analyzers, covering PHP, Java, Ruby on Rails, C/C++, Python and the Phoenix Framework.
Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities. Unlike many web security scanners, Brakeman looks at the source code of your application. This means you do not need to set up your whole application stack to use it. Once Brakeman scans the application code, it produces a report of all security issues it has found.
Github Link – https://github.com/presidentbeef/brakeman
The latest version of Brakeman is 4.1.1 which was released on Dec 18th 2017. Brakeman should work with any version of Rails from 2.3.x to 5.x. Brakeman can easily analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 1.9.3 to run.
Brakeman Pro is the commercial version of Brakeman which offers a GUI, test integration, deeper analysis, and more.
- No Configuration Necessary
- Run it Anytime
- Better Coverage
- Best Practices
- Flexible Testing
Cppcheck is a static analysis tool for C/C++ code. It provides unique code analysis to detect bugs and focuses on detecting undefined behaviour and dangerous coding constructs. The goal is to detect only real errors in the code (i.e. have very few false positives).
Official Website Link – http://cppcheck.sourceforge.net/
Installation of Cppcheck – You can easily install cppcheck on any Linux distribution (and on Mac):
- a) For Debian – sudo apt-get install cppcheck
- b) For Fedora – sudo yum install cppcheck
- c) For Mac – brew install cppcheck
Cppcheck mainly focuses on bugs instead of stylistic issues. Therefore a tool that focuses on stylistic issues could be a good addition.
FindBugs is a program which uses static analysis to look for bugs in Java code. FindBugs requires JRE (or JDK) 1.7.0 or later to run. However, it can analyze programs compiled for any version of Java, from 1.0 to 1.8.
Official Website Link – http://findbugs.sourceforge.net/
The current version of FindBugs is 3.0.1, released on 13:05:33 EST, 06 March, 2015.
The analysis engine reports nearly 300 different bug patterns. FindBugs has a plugin architecture, in which detectors can be defined, each of which may report several different bug patterns. Rather than use a pattern language for describing bugs, FindBugs detectors are simply written in Java, using a variety of techniques.
Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities.
Github Link – https://github.com/nccgroup/sobelow
Currently Sobelow detects the following types of security issues:
- Insecure configuration
- Known-vulnerable Dependencies
- Cross-Site Scripting
- SQL injection
- Command injection
- Denial of Service
- Directory traversal
- Unsafe serialization
Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.
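To make the file → AST → plugins → report flow concrete, here is a miniature Bandit-style checker written for this article (it is an added example, not Bandit's own code or plugin API). It assumes two hypothetical plugin functions, check_eval_exec and check_shell_true, and scans a constructed sample source string instead of a real file:

```python
# Added example (not Bandit's own code): a miniature Bandit-style checker.
# Like Bandit, it parses a source file into an AST with the standard
# library's ast module and runs small plugin functions over every node.
import ast

def check_eval_exec(node):
    """Hypothetical plugin: flag calls to the builtins eval()/exec()."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
            and node.func.id in ("eval", "exec"):
        return f"use of {node.func.id}()"
    return None

def check_shell_true(node):
    """Hypothetical plugin: flag subprocess.* calls passing shell=True,
    which hand the command string to a shell (injection risk)."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and isinstance(node.func.value, ast.Name) \
            and node.func.value.id == "subprocess":
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) \
                    and kw.value.value is True:
                return "subprocess call with shell=True"
    return None

PLUGINS = [check_eval_exec, check_shell_true]

def scan_source(source, filename="<string>"):
    """Parse one file's source into an AST and run every plugin on every
    node. Returns sorted (filename, line, message) findings for the report."""
    tree = ast.parse(source, filename=filename)
    findings = []
    for node in ast.walk(tree):
        for plugin in PLUGINS:
            msg = plugin(node)
            if msg:
                findings.append((filename, node.lineno, msg))
    return sorted(findings)

# Constructed sample input standing in for a file the scanner would read.
SAMPLE = """import subprocess
def run(user_input):
    subprocess.call("ls " + user_input, shell=True)   # line 3: finding
    return eval(user_input)                            # line 4: finding
def safe(user_input):
    subprocess.call(["ls", user_input])                # no finding
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE, "sample.py"):
        print("%s:%d: %s" % finding)
```

Running it reports the shell=True call on line 3 and the eval() on line 4 of the sample, while the argument-list form of subprocess.call on line 6 passes cleanly.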
Official Website Link – https://pypi.python.org/pypi/bandit/
Bandit is currently a stand-alone tool which can be downloaded by end-users and run against arbitrary source code. As it matures and is proven to be useful, we see it being a possible addition to OpenStack CI gate tests with non-voting and eventually voting capabilities.
Bandit can be obtained by cloning the repository at https://git.openstack.org/openstack/bandit.git. The README.rst file contains documentation regarding installation, usage, and configuration.
Progpilot is a tool for static analysis of source code that currently supports only the PHP language, although support for others is provided for. Free, open-source and modern, this tool is aimed especially at developers.
Github Link – https://github.com/designsecurity/progpilot
Indeed, Progpilot has a rich API that makes it very flexible and easy to integrate into development environments. Finally, Progpilot is fully customizable: you can adapt both the methods used to detect vulnerabilities and the way findings are reported back to you.