How to build a static code analysis tool?

I'm in the process of understanding and building a static code analysis tool for a proprietary language from a big company. The reason for doing this: I have to review a rather large code base, and static code analysis would help a lot, and they do not have one for the language so far.

I would like to know how one goes about building a static code analysis tool, e.g. Lint or SpLint for C.

Any books, articles, blogs, sites, etc. would help.

Thanks.

682 likes
codeanalyser asked Dec 17 '10 06:12


People also ask

Which tool is used for static code analysis?

SonarQube is a popular static analysis tool for continuously inspecting the code quality and security of your codebases and guiding development teams during code reviews. SonarQube is used for automated code review with CI/CD integration.

How is static code analysis implemented?

Static code analysis is the process of debugging by scanning source code for potential vulnerabilities like injections, broken authentication, broken access control, and insecure deserialization. Static application security testing (SAST) tools automate this process, which is quite extensive once code begins to scale.

How does static code analysis tool work?

Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure and can help ensure that the code adheres to industry standards.


1 Answer

I know this is an old post, but the answers don't really seem that satisfactory. This article is a pretty good introduction to the technology behind the static analysis tools, and has several links to examples.

A good book is "Secure Programming with Static Analysis" by Brian Chess and Jacob West.

142 likes
Tony Richards answered Dec 12 '22 15:12
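To make the pipeline a Lint-style tool follows concrete (lexer, parser, AST, then an analysis pass over the AST), here is a minimal analyzer for a constructed toy language. This is example code written for this page, not code from the article or book cited above; the toy language, the `read_input` source, `sanitize` sanitizer and `run_shell` sink are all assumptions.

```python
import re

# Assumed toy language (constructed for this example): one statement per line,
# either `name = expr` or a bare expr, with expr := NUMBER | NAME | NAME(args).
SOURCES, SANITIZERS, SINKS = {"read_input"}, {"sanitize"}, {"run_shell"}

def tokenize(line):  # lexer: identifiers, integer literals, and = ( ) ,
    return re.findall(r"[A-Za-z_]\w*|\d+|[=(),]", line)

def parse_expr(toks):  # recursive-descent parser; consumes tokens from the front
    tok = toks.pop(0)
    if tok.isdigit():
        return ("num", int(tok))
    if not toks or toks[0] != "(":
        return ("name", tok)
    toks.pop(0)  # '('
    args = []
    while toks[0] != ")":
        args.append(parse_expr(toks))
        if toks[0] == ",":
            toks.pop(0)
    toks.pop(0)  # ')'
    return ("call", tok, args)

def analyze(program):
    """Flow-sensitive pass: report use-before-definition and source-to-sink flows."""
    defined, tainted, findings = set(), set(), []
    def taint_of(node, lineno):  # returns True if the expression carries tainted data
        if node[0] == "num":
            return False
        if node[0] == "name":
            if node[1] not in defined:
                findings.append((lineno, f"use of undefined variable '{node[1]}'"))
            return node[1] in tainted
        _, fn, args = node
        arg_taint = any([taint_of(a, lineno) for a in args])  # list: visit every arg
        if fn in SINKS and arg_taint:
            findings.append((lineno, f"tainted data reaches sink '{fn}'"))
        return fn in SOURCES or (arg_taint and fn not in SANITIZERS)
    for lineno, line in enumerate(program.splitlines(), 1):
        toks = tokenize(line)
        if len(toks) > 1 and toks[1] == "=":  # assignment: name = expr
            is_tainted = taint_of(parse_expr(toks[2:]), lineno)
            defined.add(toks[0])
            (tainted.add if is_tainted else tainted.discard)(toks[0])
        elif toks:  # bare expression statement; blank lines have no tokens
            taint_of(parse_expr(toks), lineno)
    return findings

SAMPLE = "user = read_input()\nsafe = sanitize(user)\nrun_shell(safe)\nrun_shell(user)\ncount = total"
```

On the constructed `SAMPLE`, `analyze` reports the sink call on line 4 (unsanitized `user`) and the undefined `total` on line 5, while the sanitized call on line 3 is clean; a real tool for a proprietary language replaces the toy lexer and parser with the language's grammar and keeps the same shape of analysis pass.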