Apache Kafka’s Code Under the Scanner

Apache Kafka is an open-source distributed event streaming platform built for data-driven applications that need real-time handling of data. Kafka was open-sourced by LinkedIn in 2011. Its use cases are endless, and it is used by thousands of companies to process real-time data for a wide range of operations. Kafka provides several APIs for processing data streams in real time with low latency and high throughput. It is used by major companies such as Airbnb, Netflix and LinkedIn. It covers publishing (writing), subscribing to (reading), storing and processing streams of events, as the application's use case requires. It uses a binary protocol over TCP for communication. Since it is open source and licensed under the Apache License 2.0, we can examine the code and explore the inner workings and structure of Apache Kafka with the free static code analyser Embold.

The results are surprisingly interesting. 

Common Python Security Pitfalls and How to Avoid Them

Introduction

Python is undoubtedly a popular language. It consistently ranks among the most popular and most loved languages year after year. That's not hard to explain, considering how fluent and expressive it is. Its pseudocode-like syntax makes it extremely easy for beginners to pick up as their first language, while its vast library of packages (including giants like Django and TensorFlow) ensures that it scales up to any task required of it.

Being such a widely-used language makes Python a very attractive target for malicious hackers. Let's see a few simple ways to secure your Python apps and keep the black-hats at bay.

Beginner’s Guide to JavaScript Static Code Analysis

Do you suffer from poorly written code? Is your codebase riddled with inconsistencies? Do you experience anxiety every time your code is being reviewed? If you answered 'yes' to any of these questions, static code analysis could help.

Static code analysis is the process of analyzing code before it is executed. It provides numerous advantages to developers, and integrating static code analyzers can supercharge your developer workflow.

Running SonarQube Inside a Docker Container

Prerequisite

To follow this article, you will need to have Docker installed on your machine. I assume you know how to use Docker containers. I will be analyzing a Maven project, so please make sure you have a Maven project with some code that you can analyze.

Introduction

SonarQube is a popular tool for finding bugs, vulnerabilities, security hotspots and other violations of programming standards. You can use it to analyze your project's source code and keep it compliant with coding standards. Using SonarQube is very easy. You can download the Sonar server from the official site, but in this article we will be running SonarQube inside a Docker container to analyze our source code.

Top 7 Static Code Analysis Tools

What Is a Static Code Analysis?

Static code analysis, or source code analysis, is a method applied to the 'static' (non-running) source code of software using tools that attempt to highlight potential vulnerabilities. Static code analyzers check source code for specific vulnerabilities as well as for compliance with various coding standards.

Why Use Static Analysis?

  • Get insights into the code before it is executed
  • Runs quickly compared with dynamic analysis
  • Code quality maintenance can be automated
  • Searching for bugs can be automated at an early stage (although not all bugs can be found this way)
  • Finding security problems can be automated at an early stage
  • You already use static analyzers if you use an IDE that has them built in (PyCharm, for example, runs pep8 checks).

Now that we are aware of static code analysis, we must know the tools that are already leading the market. Without further ado, let's have a look at the tools that are popular for static code analysis:

Running IntelliJ IDEA in Jenkins

Get the IDEA.

It may be argued that IntelliJ IDEA has the most advanced static Java code analyzer, whose capabilities leave "veterans" like Checkstyle and SpotBugs far behind. Its many "inspections" check various aspects of the code, from coding style to certain kinds of bugs.


However, as long as the results of the analysis are visible only to a sole developer in her IDE, they are of little use in the software delivery process. Static analysis should be performed as the first step of the delivery pipeline, and the build should fail if the results of this step don’t pass quality gates. JetBrains' TeamCity CI is known to be integrated with IDEA. Less known is the fact that even if you are not using TeamCity, you may run IDEA inspections on any other CI server. Let’s see how this may be done using the IDEA Community Edition, Jenkins, and the Warnings NG plugin.

How to Analyze Your Code Quality in 10 Minutes With Sonarqube and Docker

Introduction

All of us have probably authored code in various languages and shared it on platforms like GitHub or StackOverflow. We often only check whether the code works, but do not analyze it with static code analysis tools because of the complexity of setting them up. Not anymore! In this article, I will show you how to quickly set up SonarQube with Docker in less than ten minutes and check your code quality.

Steps for Analyzing Your Code

Setup Docker

Install the latest version of Docker. Since I have a Windows 10 Home machine, I have used Docker Toolbox for Windows. 

Quick Start Guide to SonarQube for Static Code Analysis

SonarQube Installation and Configuration

Installation Prerequisites

The following are the essential requirements to get started with SonarQube.

  • RAM with at least 2 GB
  • Disk Space – Depends on how much code you analyze with SonarQube

Note: For enterprise-grade SonarQube versions additional hardware is needed.

How Much Testing Is Enough?

A frequently asked question in software testing is: "is that enough testing, or should we do more?" Whether you're writing unit tests for your programs or finding bugs in closed-source third-party software, knowing which code you have and have not covered is an important piece of information. In this article, we'll introduce bncov, an open-source tool developed by ForAllSecure (available on GitHub), and demonstrate how it can be used to answer common questions that arise in software testing.

At its core, bncov is a code coverage analysis tool. While there are several well-known tools that offer visibility into code coverage, we wanted to build a solution that enhanced and/or extended functionality in the following areas:

The Growing Importance of an Open-Data Commons for Mobility

Public transit data was one of the first data sets in what’s known today as “smart cities” or the “Internet of Things” (IoT). The simple reason was that publishing a transit schedule in machine-readable format, or providing real-time tracking over a cellular data connection, is pretty cheap, relative to the cost of a subway train or bus.

Transit quickly became one of the best examples of open data. Civic leaders at transit agencies, like Portland’s TriMet, found that if they packaged data in a standard format, developers could use it to make better user experiences than transit agencies could offer. The GTFS (General Transit Feed Specification) standard for transit schedules was originally created by TriMet and Google to solve the problem of sharing data between agencies and developers. Now, many agencies worldwide use the same data standard.