Posted on

OWASP Top Ten and Software Composition Analysis (SCA)

One of the priority areas for PVS-Studio development is to cover categories from the OWASP Top Ten 2017 in the C# analyzer. We also plan to cover the Top Ten 2021 in the future. The most unusual for us is the A9:2017 category: Using Components with Known Vulnerabilities. This category has the A6 position in the preliminary version of OWASP 2021. The rule implementation for this category is an important task for our analyzer. It allows us to classify PVS-Studio as an SCA (Software Composition Analysis) tool. Which approach to implementation should we choose? Let's figure it out!

Using Components With Known Vulnerabilities

The A9 threat category (which turned into A6 in the preliminary OWASP 2021 version) is dedicated to using components with known vulnerabilities. These are the components that have the corresponding entries in the CVE database. CVE (Common Vulnerabilities and Exposures) is a database of records about real-life vulnerabilities in software, hardware, service components, etc.

Posted on

7 Continuous Code Quality and Automated Code Review Tools

What Is Continuous Code Quality? 

The static code analysis can be used to expose the areas of code that can be improved in terms of quality, and even higher, we can integrate this static analysis into the development workflow, and thus, tackle the code quality issues in the early stages of the development even before they reach the production. It is basically adding an extra stage to the continuous integration process such that every time a new pull request is made to merge new code, the CI server (or a 3rd party service) will begin the code quality analysis, dropping the result in the pull request itself which is available for the committer and code reviewers.

What Are Automated Code Review Tools?

An automated code review tool totally automates the code review process so that a reviewer has to only focus on the code. These tools integrate with the development cycle to start the code review when the new code is not even merged into the main codebase. There are several tools that you can choose to seamlessly integrate into your workflow according to the compatibility with your technology stack.

Posted on

Big / Bug Data: Analyzing the Apache Flink Source Code

Applications used in the field of Big Data process huge amounts of information, and this often happens in real time. Naturally, such applications must be highly reliable so that no error in the code can interfere with data processing. To achieve high reliability, one needs to keep a wary eye on the code quality of projects developed for this area. The PVS-Studio static analyzer is one of the solutions to this problem. Today, the Apache Flink project developed by the Apache Software Foundation, one of the leaders in the Big Data software market, was chosen as a test subject for the analyzer.

So, what is Apache Flink? It is an open-source framework for distributed processing of large amounts of data. It was developed as an alternative to Hadoop MapReduce in 2010 at the Technical University of Berlin. The framework is based on the distributed execution engine for batch and streaming data processing applications. This engine is written in Java and Scala. Today, Apache Flink can be used in projects written using Java, Scala, Python, and even SQL.

Posted on

Top 7 Static Code Analysis Tools

What Is a Static Code Analysis?

Static code analysis or Source code analysis is a method performed on the ‘static’ (non-running) source code of the software with static code analysis tools that attempt to highlight potential vulnerabilities. Static code analyzers check source code for specific vulnerabilities as well as for compliance with various coding standards.

Why Use Static Analysis?

  • Get code insights before execution
  • Executes quickly compared with dynamic analysis
  • Code quality maintenance can be automated
  • Search for bugs can be automated at early stages (although not all)
  • Finding security problems can be automated at an early stage
  • You already use static analyzers if you use any IDE that already has static analyzers (like Pycharm uses pep8).

Now that we are aware of static code analysis, we must know the tools that are already leading the market. Without further ado, let's have a look at the tools that are popular for static code analysis:

Posted on

Setup Static Code Analysis for Python

Static code analysis is the technique of approximating the runtime behavior of a program. In other words, it is the process of predicting the output of a program without actually executing it. That’s what DeepSource does, statically analyzing your project and reporting to you the potential code quality issues which can be solved within no time.

This is what we will be doing here in this blog. We will try to integrate DeepSource over a forked repo, specifically on a Python project, and run analysis over it. We will further fix some of the issues with the auto-fix tool and let transformers fix some of the styling issues for our project.

Posted on

Analysis of Merge Requests in GitLab Using PVS-Studio For C#

Do you like GitLab and don't like bugs? Do you want to improve the quality of your source code? Then you've come to the right place. Today we will tell you how to configure the PVS-Studio C# analyzer for checking merge requests. Enjoy the reading and have a nice unicorn mood.

PVS-Studio is a tool designed to detect errors and potential vulnerabilities in the source code of programs, written in C, C++, C#, and Java. Works in 64-bit systems on Windows, Linux, and macOS. Can analyze the code meant for 32-bit, 64-bit, and embedded ARM platforms.

Posted on

PVS-Studio: Analyzing Pull Requests In Azure DevOps Using Self-Hosted Agents

Static code analysis is most effective when changing a project, as errors are always more difficult to fix in the future than at an early stage. We continue expanding the options for using PVS-Studio in continuous development systems. This time, we'll show you how to configure pull request analysis using self-hosted agents in Microsoft Azure DevOps, using the example of the Minetest game.

pull request unicorn

Briefly About What We Are Dealing With

Minetest is an open-source cross-platform game engine containing about 200,000 lines of code in C, C++, and Lua. It allows you to create different game modes in voxel space. Supports multiplayer, and a lot of mods from community. The project repository is located here: https://github.com/minetest/minetest.

Posted on

Checking the .NET Core Libraries With the PVS-Studio Static Analyzer (Part Three)

See what's inside the .NET Core Libraries

In the third article in our three-part series, we further discuss the results of checking the .NET Core Libraries' source code with the PVS-Studio Static Analyzer. Part one of the series can be found here, part two can be found here

You may also like: .NET Core 3.0 Preview Now Available.

Issue 41

Going back to constructors with unused parameters: