
I'm looking for good tools for analyzing and/or detecting security issues in a large software project written in Perl 5. It could be static or dynamic analysis. I know that Perl is undecidable, but I've decided to try any tool that allows me to reduce the work needed to review such a large amount of code.

I tested RATS, but it only looks for a very small and limited number of vulnerabilities.

Scott Pack
user1234299

2 Answers


CERT has created a CERT Perl Secure Coding Standard and there's been discussion of having Perl::Critic have a set of policies that match their standard. As far as I know, nothing's been done yet. Here's the start of the discussion on the Perl::Critic dev mailing list.

Andy Lester

Try "Perl::Critic". I haven't used it yet but I came across the answer to a similar question in the link below:

https://stackoverflow.com/questions/1149447/perl-code-security-scanner-other-than-rats-must-be-static

Link to the Perl::Critic details: http://search.cpan.org/~thaljef/Perl-Critic-1.118/lib/Perl/Critic.pm

afyo
  • A permanent link to Perl::Critic that isn't tied to a specific version is http://search.cpan.org/dist/Perl-Critic/ – Andy Lester Dec 21 '12 at 06:33
  • Perl::Critic mostly deals with the way you write your code. A huge legacy app would fail this miserably. There are IDEs like Komodo that have Critic support built-in, like syntax checking. It will squiggle things it deems wrong, depending on its configuration. But many of the default rules aren't very security-relevant. It's more a question of coding style really. A typical application would be to have a standard set of rules and let your git/svn check against these in a pre-commit hook. – simbabque Feb 27 '13 at 09:19
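A `.perlcriticrc` profile of the kind the comment above describes, added here as an illustration rather than anything posted in the thread: `only = 1` silences the style-oriented defaults and enables just the core policies that bear on security (unsafe `eval` of strings, two-argument `open`, backticks, unchecked I/O, missing `strict`/`warnings`). The policy names are real Perl::Critic core policies; the chosen severities and the example module list are my own assumptions for a legacy codebase.

```ini
# .perlcriticrc  (example profile, not from the original thread)
# Apply only the policies listed below, regardless of the default set.
only     = 1
# Report every enabled policy, whatever its severity.
severity = 1
# One violation per line: file:line:col: message (Policy name)
verbose  = %f:%l:%c: %m (%p)\n

# String eval executes attacker-influenced text as code.
[BuiltinFunctions::ProhibitStringyEval]
severity = 5

# Two-arg open lets a filename like ">foo" or "cmd|" change the mode.
[InputOutput::ProhibitTwoArgOpen]
severity = 5

# Backticks spawn a shell; prefer list-form system/IPC modules.
[InputOutput::ProhibitBacktickOperators]
severity = 4

# Unchecked open/close hides failures that later become logic bugs.
[InputOutput::RequireCheckedOpen]
severity = 3
[InputOutput::RequireCheckedClose]
severity = 3

# Baseline hygiene: a file that disables strictness is a red flag.
[TestingAndDebugging::RequireUseStrict]
severity = 5
[TestingAndDebugging::RequireUseWarnings]
severity = 4
[TestingAndDebugging::ProhibitNoStrict]
severity = 4

# Deny-list modules your project has decided must not be used
# (the names here are placeholders, assumed for the example).
[Modules::ProhibitEvilModules]
modules = Example::Unsafe::Module Another::Banned::Module
```

Run it as `perlcritic --profile .perlcriticrc lib/ bin/` from a pre-commit hook or CI job; perlcritic exits non-zero when violations are found, so the hook can reject the commit on that status alone.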