Static code analysis
Download as PPTX, PDF0 likes289 views
This document discusses static code analysis. Static code analysis involves analyzing computer software without executing the programs. It is usually done during code reviews to detect bugs, security vulnerabilities, and other issues. The document discusses techniques for static code analysis like data flow analysis and taint analysis. It also discusses tools for static code analysis like linters, SonarQube, and others. It provides steps for integrating a codebase into SonarQube for analysis. The goal of static code analysis is to improve code quality by detecting issues early.
Static code analysis
- 2. Christoforus Surjoputro Engineering Manager - Alterra
- 4. Definition is the analysis of computer software that is performed without actually executing programs. is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). https://en.wikipedia.org/wiki/Static_program_analysis https://owasp.org/www-community/controls/Static_Code_Analysis
- 5. Techniques - Data Flow Analysis is used to collect run-time (dynamic) information about data in software while it is in a static state. https://owasp.org/www-community/controls/Static_Code_Analysis https://en.wikipedia.org/wiki/Common_subexpression_elimination https://en.wikipedia.org/wiki/Live_variable_analysis
- 6. Techniques - Taint Analysis is a feature in some computer programming languages, such as Perl and Ruby, (or in static analysis tools), designed to increase security by preventing malicious users from executing commands on a host computer. https://en.wikipedia.org/wiki/Taint_checking https://www.cs.cmu.edu/~ckaestne/15313/2018/20181023-taint-analysis.pdf
- 7. Techniques - Others - Abstract interpretation - Hoare logic - Model checking - Symbolic execution - etc. https://en.wikipedia.org/wiki/Static_program_analysis
- 9. Linter is a static code analysis tool used to flag programming errors, bugs, stylistic errors and suspicious constructs. https://en.wikipedia.org/wiki/Lint_(software)
- 10. Linter - vscode - no extension without go extension, vscode does not tell us any concern in this code although some point of code will never reached or executed. https://github.com/3mp3ri0r/cgomath
- 11. Linter - vscode - installation install go extension on vscode via marketplace. https://code.visualstudio.com/docs/languages/go
- 12. Linter - vscode - with extension with go extension, vscode tell us any concern in this code, does not like before. https://github.com/3mp3ri0r/cgomath
- 13. SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages. https://en.wikipedia.org/wiki/SonarQube https://www.sonarqube.org/
- 14. SonarQube - running docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -m 2g -p 9000:9000 sonarqube:9.0.1-community docker logs -f sonarqube https://en.wikipedia.org/wiki/SonarQube https://docs.sonarqube.org/latest/setup/get-started-2-minutes/
- 15. SonarQube - first time access use admin on Login and Password field. SonarQube use admin as default username and password. https://docs.sonarqube.org/6.7/Authentication.html
- 16. SonarQube - first time access enter the old and new password. SonarQube force us to change default username and password on first time access. https://docs.sonarqube.org/6.7/Authentication.html
- 17. SonarQube - create new project create project manually by choosing “Manually” option. SonarQube can be integrated to many source version control like github or any other devops tools.
- 18. SonarQube - create new project enter project display name and project key with something that you like. In our case we use cgomath.
- 19. SonarQube - code integration choose Locally since we want to check our code manually and locally.
- 20. SonarQube - code integration put any name just to differentiate with other token.
- 21. SonarQube - code integration copy and keep it save as it will be used to push our code to project that we already create before.
- 22. SonarQube - code integration choose appropriate project that you are work on. In our case we use Go, so choose Other. choose OS you are using. In our case, we use macOS, so choose macOS.
- 23. SonarQube - code integration go test -v -coverpkg=./... -coverprofile=coverage.out ./... https://go.dev/blog/cover
- 24. SonarQube - code integration update this properties especially sonar.projectKey to match with project key that you put before when creating new project at SonarQube. In our case, we use cgomath.
- 25. docker run --rm -e SONAR_HOST_URL="http://localhost:9000" -e SONAR_LOGIN="13cf55024cfa7fc063f9b9ae49f5281f1a6b657a" -v "/Users/alt-christoforus/Personal/cgomath:/usr/src" --network host -m 1g sonarsource/sonar-scanner-cli SonarQube - code integration https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/
- 26. SonarQube - analyze code analyze your code through dashboard that we already set before. When everything got A means you have good quality code.
- 27. SonarQube - analyze code SonarQube has default quality standard for each parameter. You can create your own standard that fit your need or company goal.
- 28. The most dangerous kind of waste is the waste we do not recognize. ~ Shigeo Shingo https://proqc.com/blog/25-quotes-to-inspire-quality-success/
- 29. THANK YOU