On Saturday, 28 April 2018 at 16:01:44 UTC, Stefan Koch wrote:
On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur
wrote:
Does anybody know of a SAST tool that can scan D code for
security vulnerabilities? In other words, does anybody know of
something that will analyze raw D source code for security
vulnerabilities that the human eye may have missed?
No. Besides analyzing D code is normally quite useless,
as the tool will be blind once it hits the first template.
Security vulnerabilities, are usually nothing which can be
caught by static analysis on source code.
As they are highly dependent on which shape the generate
machine code takes.
Meh. That's far from true.
My experience as a professional with experience in both
pentesting, static analysis and reverse engineering is that
finding vulnerabilities on compiled code is generally way *way*
less efficient, be it only because all vulnerabilities aren't at
the same level. It is by far the least efficient of the three
when considering the ratio number*criticality/analysis_time.
High-level things like missing authentication to access a given
resource are much easier to spot by static analysis. Same for
crypto mistakes, and about everything really.
Some vulnerabilities are easier to find dynamically (a recent
use-after-free in a multithreaded context comes to mind), but
saying that static analysis can't find useful things is
completely false. Besides, as "cool" as memory corruptions and
other integer overflow issues may be they're far from being the
only important vulnerabilities present in an application. I'll
take a /tmp/log.txt over a buffer overflow any day.
That said, no, I don't know of any software on the market working
with D code, and yeah, templates do make the task harder for an
automated tool. Not that I'd trust one over the eye of a
professional anyway. They're helpful but not as efficient.
