This shows you the differences between two versions of the page.
|
tools [2013/05/30 16:11] coreycb |
tools [2026/03/13 15:09] (current) twiggy |
||
|---|---|---|---|
| Line 10: | Line 10: | ||
| ==== Clang ==== | ==== Clang ==== | ||
| Compiler with static analysis capabilities for C/C++. | Compiler with static analysis capabilities for C/C++. | ||
| + | |||
| + | [[http://clang-analyzer.llvm.org/]] | ||
| [[http://clang.llvm.org/]] | [[http://clang.llvm.org/]] | ||
| Line 24: | Line 26: | ||
| A tool for matching and fixing source code for C, C++, and other languages. | A tool for matching and fixing source code for C, C++, and other languages. | ||
| - | [[http://coccinelle.lip6.fr/]] | + | [[https://coccinelle.gitlabpages.inria.fr/website/]] |
| ==== Coverity ==== | ==== Coverity ==== | ||
| Provides static analysis tools for C, C++, and other languages (requires license). | Provides static analysis tools for C, C++, and other languages (requires license). | ||
| - | [[http://www.coverity.com/]] | + | [[https://www.synopsys.com/software-integrity.html]] |
| + | |||
| + | Free scanning for open source C/C++ and Java projects (no license required): | ||
| + | |||
| + | [[https://scan.coverity.com/]] | ||
| ==== cppcheck ==== | ==== cppcheck ==== | ||
| Line 54: | Line 60: | ||
| The gcc compiler has extensive warning flags that can, among other things, find possible security vulnerabilities by locating variables that are used before being set, dangerous printf formats, mismatches between printf formats and arguments, and so forth. For example, you can use: | The gcc compiler has extensive warning flags that can, among other things, find possible security vulnerabilities by locating variables that are used before being set, dangerous printf formats, mismatches between printf formats and arguments, and so forth. For example, you can use: | ||
| - | WARNINGS = -g -O -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wendif-labels -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wjump-misses-init -Wlogical-op -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Werror | + | WARNINGS = -g -O -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wendif-labels -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wjump-misses-init -Wlogical-op -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wundef -Wformat-security -Werror |
| with GCC (4.6 or later). Many of those are not security-related, of course, but -Wformat=2 certainly is, and some of the -Wall and -Wextra warnings are as well. | with GCC (4.6 or later). Many of those are not security-related, of course, but -Wformat=2 certainly is, and some of the -Wall and -Wextra warnings are as well. | ||
| [[http://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html]] | [[http://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html]] | ||
| - | |||
| ==== JLint ==== | ==== JLint ==== | ||
| A static analysis tool to find race conditions, locking errors, null pointer uses, | A static analysis tool to find race conditions, locking errors, null pointer uses, | ||
| Line 81: | Line 86: | ||
| [[http://www.debian.org/security/audit/examples/pscan]] | [[http://www.debian.org/security/audit/examples/pscan]] | ||
| + | |||
| + | ==== Pylint ==== | ||
| + | Pylint is a Python static analysis tool. | ||
| + | |||
| + | [[http://www.pylint.org/]] | ||
| ==== RATS ==== | ==== RATS ==== | ||
| Line 271: | Line 281: | ||
| [[http://sourceware.org/insight/]] | [[http://sourceware.org/insight/]] | ||
| + | |||
| + | ===== Vulnerability Management ===== | ||
| + | |||
| + | ==== Faraday ==== | ||
| + | With [[https://github.com/infobyte/faraday|Faraday]] you may focus on discovering vulnerabilities while we help you with the rest. Just use it in your terminal and get your work organized on the run. Faraday was made to let you take advantage of the available tools in the community in a truly multiuser way. | ||
| + | Faraday aggregates and normalyzses the data you load, allowing exploring it into different visualizations that are useful to managers and analyst alike. | ||
| ===== Others ===== | ===== Others ===== | ||