On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur
wrote:
Does anybody know of a SAST tool that can scan D code for
security vulnerabilities? In other words, does anybody know of
something that will analyze raw D source code for security
vulnerabilities that the human eye may have missed?
There is DScanner which does some linting, but it is not
specifically security oriented.
Speaking strictly of memory safety, some parts of D are designed
to make security audits much easier than C/C++:
- If your programs are @safe (i.e. the module starts with @safe:
, as should be the case for a security-critical application), you
only need to review @trusted code (and, as necessary, any @system
code called by the @trusted code).
- Casts are done with an explicit keyword (cast) to make such
auditing easier. (Code that uses casts to convert between
non-reference types can use std.conv.to instead, to speed up
future audits.)
