OWASP Top Ten and Software Composition Analysis (SCA)

One of the priority areas for PVS-Studio development is to cover the categories from the OWASP Top Ten 2017 in the C# analyzer. We also plan to cover the Top Ten 2021 in the future. The most unusual category for us is A9:2017, Using Components with Known Vulnerabilities. This category holds the A6 position in the preliminary version of OWASP 2021. Implementing a rule for this category is an important task for our analyzer, since it allows us to classify PVS-Studio as an SCA (Software Composition Analysis) tool. Which approach to implementation should we choose? Let's figure it out!

Using Components With Known Vulnerabilities

The A9 threat category (which turned into A6 in the preliminary OWASP 2021 version) is dedicated to using components with known vulnerabilities. These are the components that have the corresponding entries in the CVE database. CVE (Common Vulnerabilities and Exposures) is a database of records about real-life vulnerabilities in software, hardware, service components, etc.

7 Continuous Code Quality and Automated Code Review Tools

What Is Continuous Code Quality? 

Static code analysis can be used to expose the areas of code that can be improved in terms of quality. Going further, we can integrate this static analysis into the development workflow and thus tackle code quality issues in the early stages of development, before they reach production. This basically adds an extra stage to the continuous integration process: every time a new pull request is made to merge new code, the CI server (or a third-party service) begins the code quality analysis and drops the result into the pull request itself, where it is available to the committer and the code reviewers.

What Are Automated Code Review Tools?

An automated code review tool automates the code review process so that a reviewer has to focus only on the code. These tools integrate with the development cycle to start the code review before the new code is even merged into the main codebase. There are several tools that you can choose to seamlessly integrate into your workflow, depending on compatibility with your technology stack.

Common Python Security Pitfalls and How to Avoid Them

Introduction

Python is undoubtedly a popular language. It consistently ranks among the most popular and most loved languages year after year. That's not hard to explain, considering how fluent and expressive it is. Its pseudocode-like syntax makes it extremely easy for beginners to pick it up as their first language, while its vast library of packages (including giants like Django and TensorFlow) ensures that it scales up to any task required of it.

Being such a widely used language makes Python a very attractive target for malicious hackers. Let's see a few simple ways to secure your Python apps and keep the black hats at bay.

Building a Security-First Culture

Application Security Is Like Wearing a Mask

Wearing a face mask to prevent coronavirus is becoming the norm in my city. It was hit heavily by the COVID crisis, and now we have reached an unspoken consensus: wear masks wherever you go.

This is quite different from where we were just a few months ago. Face masks had a bad reputation, and the local health department had a hard time getting people to wear them. What was stopping people from wearing masks? It turns out, people hated masks because they make breathing difficult, make glasses foggy, and can look quite awkward. But the pros of masks outweigh the cons, and by wearing face masks, we protect ourselves and our communities from the virus.

A Case Study on Spring Framework

The Spring Framework is a great application framework and inversion of control container for the Java platform. It is also a great example of high-quality software. The Spring Framework is the foundation for all Spring projects. Collectively, the Spring Framework and the family of Spring projects are often referred to simply as "Spring." Spring provides everything required beyond the Java programming language for creating enterprise applications for a wide range of scenarios and architectures. It has been developed over 17 years.

We analyzed the Spring Framework with CodeMR. CodeMR is an architectural software quality and static code analysis tool. You can find the analysis report generated with CodeMR at: https://www.codemr.co.uk/case-reports/spring-framework/html/html_report_spring-core/htmlx/lbd/dashboard.html.

Beginner’s Guide to JavaScript Static Code Analysis

Do you suffer from poorly written code? Is your codebase riddled with inconsistencies? Do you experience anxiety every time your code is being reviewed? If you answered 'yes' to any of these questions, static code analysis could help.

Static code analysis is the process of analyzing code before it is executed. It provides numerous advantages to developers, and integrating static code analyzers can supercharge your developer workflow.

Big / Bug Data: Analyzing the Apache Flink Source Code

Applications used in the field of Big Data process huge amounts of information, often in real time. Naturally, such applications must be highly reliable so that no error in the code can interfere with data processing. To achieve high reliability, one needs to keep a close eye on the code quality of projects developed for this area. The PVS-Studio static analyzer is one of the solutions to this problem. Today, the Apache Flink project, developed by the Apache Software Foundation, one of the leaders in the Big Data software market, was chosen as a test subject for the analyzer.

So, what is Apache Flink? It is an open-source framework for distributed processing of large amounts of data. It was developed as an alternative to Hadoop MapReduce in 2010 at the Technical University of Berlin. The framework is based on the distributed execution engine for batch and streaming data processing applications. This engine is written in Java and Scala. Today, Apache Flink can be used in projects written using Java, Scala, Python, and even SQL.

Top 7 Static Code Analysis Tools

What Is a Static Code Analysis?

Static code analysis, or source code analysis, is a method performed on the 'static' (non-running) source code of the software using static code analysis tools that attempt to highlight potential vulnerabilities. Static code analyzers check source code for specific vulnerabilities as well as for compliance with various coding standards.

Why Use Static Analysis?

  • Get code insights before execution
  • Runs quickly compared with dynamic analysis
  • Code quality maintenance can be automated
  • The search for bugs can be automated at early stages (although not all bugs can be found this way)
  • Finding security problems can be automated at an early stage
  • You already use static analyzers if you use any IDE that has them built in (PyCharm, for example, uses pep8).

Now that we are aware of static code analysis, we must know the tools that are already leading the market. Without further ado, let's have a look at the tools that are popular for static code analysis:

Setup Static Code Analysis for Python

Static code analysis is the technique of approximating the runtime behavior of a program. In other words, it is the process of predicting the output of a program without actually executing it. That's what DeepSource does: it statically analyzes your project and reports potential code quality issues that can be fixed in no time.

This is what we will be doing in this blog. We will integrate DeepSource with a forked repo, specifically a Python project, and run analysis on it. We will then fix some of the issues with the auto-fix tool and let transformers fix some of the styling issues in our project.

Looking Under the Hood of Apache Pulsar: How Good is the Code?

Apache Pulsar (incubating) is an enterprise-grade publish-subscribe (aka pub-sub) messaging system that was originally developed at Yahoo. Pulsar was first open-sourced in late 2016, and is now undergoing incubation under the auspices of the Apache Software Foundation. At Yahoo, Pulsar has been in production for over three years, powering major applications like Yahoo! Mail, Yahoo! Finance, Yahoo! Sports, Flickr, the Gemini Ads platform, and Sherpa, Yahoo’s distributed key-value store.

One of the primary goals of the open-source software movement is to allow all users to freely modify software, use it in new ways, integrate it into a larger project, or derive something new based on the original. The larger idea is that through open collaboration, we can make software the best version of itself. So, in the spirit of innovation and improvement, we peeked behind the curtain and ran Apache Pulsar through the free static code analysis tool Embold. The results are very interesting, both from an observer's and a learner's point of view.

Analysis of Merge Requests in GitLab Using PVS-Studio For C#

Do you like GitLab and don't like bugs? Do you want to improve the quality of your source code? Then you've come to the right place. Today we will tell you how to configure the PVS-Studio C# analyzer for checking merge requests. Enjoy the reading and have a nice unicorn mood.

PVS-Studio is a tool designed to detect errors and potential vulnerabilities in the source code of programs written in C, C++, C#, and Java. It works on 64-bit Windows, Linux, and macOS systems and can analyze code meant for 32-bit, 64-bit, and embedded ARM platforms.