Brendan Eich wrote:
> And here we are. Anyone have experience with the Stanford Checker or
> other static code analysis tools based on C/C++ compiler front ends?
Btw, I am not only interested in tools that are made with only security in mind, but I would also be interested in learning about tools that measure complexity etc., because complex code is likelier to contain more bugs, some of which might be security bugs. If the tools are based on a compiler it would be a definite plus, because other approaches tend to generate lots of false positives which they can't screen out.

Below are the three tools that we have used, RATS and Czech modified to check for Mozilla syntax as well. They are all pretty easy to use.

* Flawfinder (http://www.dwheeler.com/flawfinder/)
* RATS (http://www.securesoftware.com/rats.php)
* Czech

Cigital offers this free tool that is similar to the ones above in efficiency. They also have an expensive commercial tool whose name I don't remember. They claim it eliminates 90% of false positives.

* ITS4 (http://www.cigital.com/its4/)

Splint only works on C source. You will also need to tell it where to find include files etc., so it is not as easy to use as the ones above.

* Splint (http://www.splint.org/)

PC-Lint also requires lots of time to set up before it can scan the Mozilla tree. This is a commercial tool.

* PC-Lint (http://www.gimpel.com/)

We were unable to get this code analysis tool working.

* CCCC (http://sourceforge.net/projects/cccc/)

Dead SourceForge project...?

* http://sourceforge.net/projects/cocoanalyze/

I think I am forgetting one or two promising tools that I have seen, but not tried... I have briefly eyed over a bunch of other tools as well, but nothing that I have seen has been interesting enough to try out.

5 mins of googling did not turn up very encouraging results regarding Stanford Checker. It is perhaps the meta-compiler project at Stanford, but the tool does not seem to be available. As far as I know it does not exactly scan for the kind of things we are looking for, but part of what it does find can be security problems.

-- 
Heikki Toivonen
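The false-positive problem the message raises for scanners that are not built on a compiler front end can be seen with a small lexical scanner. The following is an added example (not code from the message, and not code from Flawfinder, RATS, ITS4 or any other tool named above): it flags calls to a hypothetical risky-function list in the grep-style manner of those tools, first on raw text and then after blanking comments and string literals, over a constructed C snippet. The snippet, the function names and the RISKY table are all assumptions made for the illustration.

```python
"""Minimal lexical "risky call" scanner, in the spirit of RATS/ITS4/flawfinder.

Added example for illustration; not the code of any tool named in the thread.
It shows why a purely textual scanner over-reports (comments, string literals)
and under-reports (calls made through a function pointer) compared with a tool
that works from a compiler's parsed representation.
"""
import re

# Hypothetical subset of the kind of risky-function table such tools ship with.
RISKY = {
    "strcpy": "unbounded copy; use strlcpy/strncpy with an explicit size",
    "strcat": "unbounded append; use strlcat/strncat",
    "sprintf": "unbounded format; use snprintf",
    "gets": "never safe; use fgets",
}

# Match an identifier from RISKY followed by an opening parenthesis.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RISKY)) + r")\s*\(")

# Constructed C input (not real Mozilla code): one real strcpy call, one in a
# comment, one inside a string literal, and one reached through a pointer.
SAMPLE = """\
#include <string.h>
/* legacy helper: strcpy(dst, src) wrapper with bounds check */
static void safe_copy(char *dst, size_t n, const char *src) {
    strncpy(dst, src, n - 1); dst[n - 1] = 0;
}
int main(int argc, char **argv) {
    char buf[16];
    const char *msg = "do not call strcpy(buf, argv[1]) here";  // a string literal
    char *(*cp)(char *, const char *) = strcpy;  /* taken by pointer: missed by both */
    strcpy(buf, argv[1]);  /* the one real finding */
    cp(buf, argv[1]);
    safe_copy(buf, sizeof buf, argv[1]);
    return 0;
}
"""


def scan_naive(source):
    """grep-style: report every textual occurrence of a risky call.

    Returns a list of (line number, function name) tuples.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def strip_comments_and_strings(source):
    """Blank out /* */ and // comments and string/char literals.

    Every non-newline character inside them becomes a space, so line numbers
    reported by a later scan still refer to the original file.
    """
    out = []
    i, n = 0, len(source)
    while i < n:
        c = source[i]
        if source.startswith("/*", i):
            j = source.find("*/", i + 2)
            j = n if j == -1 else j + 2
        elif source.startswith("//", i):
            j = source.find("\n", i)
            j = n if j == -1 else j
        elif c in "\"'":
            j = i + 1
            while j < n and source[j] != c:
                if source[j] == "\\":  # skip escaped characters such as \"
                    j += 1
                j += 1
            j = min(j + 1, n)  # include the closing quote
        else:
            out.append(c)
            i += 1
            continue
        out.append(re.sub(r"[^\n]", " ", source[i:j]))
        i = j
    return "".join(out)


def scan_lexical(source):
    """Slightly smarter: ignore comments and literals before matching."""
    return scan_naive(strip_comments_and_strings(source))


if __name__ == "__main__":
    for name, scanner in (("naive", scan_naive), ("lexical", scan_lexical)):
        print(f"{name}:")
        for lineno, fn in scanner(SAMPLE):
            print(f"  line {lineno}: {fn}() - {RISKY[fn]}")
```

The naive pass reports three strcpy hits (comment, string literal, real call); the comment-aware pass reports only the real one. Neither sees the copy made through the `cp` function pointer, because no `strcpy(` text exists at the call site. A scanner working from the compiler's symbol table would resolve both cases, which is the practical reason behind the preference for compiler-based tools stated above.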
