2

I have been breaking my head to find out real good Open-source Source Code Analysis tool which can uncover security vulnerabilities. I did an extensive search on web and found out three major links which lists open-source/commercial source code analysis tools: https://www.owasp.org/index.php/Source_Code_Analysis_Tools https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#Java https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

Afterwards I made a list of open-source tools which can scan for security vulnerabilities in Java code i.e. FindBugs, LAPSE+, SWAAT and Orizon by OWASP, VCG, Google CodeSearchDiggity, and YASCA as an aggregator of these tools. FindBugs and LAPSE+ are available as Eclipse plugins. VCG was more of bare backbone where you can add your custom rules and less to offer as it is and runs only on Windows platform. LAPSE+ require specific Eclipse version to run (Helios in my case).

I want to find at least OWASP Top 10 vulnerabilities by performing static source code analysis. Any way to do that?

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
Krishna Pandey
  • 1,497
  • 1
  • 16
  • 26
  • 1
    FindBugs seems to be the best. You may find my talk interesting: https://www.youtube.com/watch?v=CG0OcrrSC_0 – paj28 Nov 02 '15 at 20:05
  • Thanks @paj28 I will surely watch. Thanks for the lead. But I came to know that FindBugs is more about Code Quality bugs and lesser Security ones. I also came across FindSecurityBugs, do you mean that or FindBugs only. – Krishna Pandey Nov 03 '15 at 03:09
  • 1
    Oh yeah, should have said FindBugs with the FindSecurityBugs plugin. They're not at good as commercial tools (VeraCode/CheckMarx) but the best open source I've seen. – paj28 Nov 03 '15 at 04:38
  • Krishna - The problem isn't with the wording of your question. The problem is that product recommendations are off-topic for this site. You may want to try https://softwarerecs.stackexchange.com/ or https://www.reddit.com/r/security – Neil Smithline Nov 03 '15 at 04:41
  • @NeilSmithline Thanks for pointing me to other sites. I will visit them. However, if there is anyway possible to find out security vulnerabilities without use of tool/software, I am curious to know that. What should be approach in that case. For the software part, I already have working experience of many such commercial tools. Also as my question is specific to Open Source solutions, I feel it does not favor or promote any vendors. – Krishna Pandey Nov 03 '15 at 05:23

0 Answers0