What Makes a Good Source Code Static Analysis Tool?

Useful software systems change [1]. The best practice for modifying software without prior knowledge of its source code is to investigate the system methodically rather than opportunistically [1]. Robillard, Coelho, and Murphy's study showed that developers who do not know a software system must take a focused approach to changing it.

But what about analyzing source code for potential problems? Chess and McGraw note that code review ranks very high on the list of software security best practices. Programmers make minor mistakes frequently; missing semicolons and extra parentheses are inevitable [2]. The compiler usually catches these problems and gives very quick feedback. A static analysis tool aims to match code against a set of patterns or rules. These rules determine whether the code is squeaky clean or needs more attention. Good static analysis tools should be easy to use and produce a limited number of false negatives and false positives. A tool that produces no false negatives (it reports every real defect) is said to be sound, but the problem with erring on the side of caution is a potentially paralyzing number of false positives [2]. A healthy balance is best.

Finding that right balance can be difficult, however. Although there is a great amount of literature on how to avoid and detect vulnerabilities in code, there are still few solutions codified into tools [3]. Viega, McGraw, Mutdosch, and Felten [3] decided to take it upon themselves to create a tool that statically scans Java source code, finds problems, and then fixes them. The result, Jslint, is a powerful tool. It works by scanning for the twelve rules the researchers developed. If a rule or pattern is found in the source code, the developer is notified that the vulnerability has been addressed and fixed. It is interesting to note that many static analysis tools, and Jslint in particular, work the same way security software such as McAfee and Norton does: they scan files for patterns that match a database of thousands of rules, and if a match is found, the threat is neutralized.
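The two ideas above, rule matching against source text and the soundness trade-off between false negatives and false positives, are easiest to see in a small scanner. The following is an added example, not code from this post and not the Jslint tool from [3]; the three rules it carries are constructed for illustration and are not the twelve rules of that paper, and the Java sample and its hand-labelled defect lines are constructed too. It runs two versions of the same `Runtime.exec` check over the sample: a broad one that reports every `exec` call (sound, so no false negatives, at the cost of a false positive on a fixed command) and a narrow one that only reports concatenation inside the call (no false positives, but it misses the case where the concatenated string is built on an earlier line).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    message: str


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str


# Constructed, illustrative rules. They are NOT the twelve rules of the
# Jslint paper; they only show the shape a pattern-matching rule takes.
PUBLIC_MUTABLE_FIELD = Rule(
    "public-mutable-field",
    re.compile(r"^\s*public\s+(?!static\s+final\b|final\b)[\w<>\[\]]+\s+\w+\s*[=;]"),
    "public non-final field can be modified by any caller",
)
HARDCODED_SECRET = Rule(
    "hardcoded-secret",
    re.compile(r'(?i)\b(password|secret|apikey)\s*=\s*"[^"]+"'),
    "credential embedded in source",
)
# Two versions of the same check, to show the soundness trade-off.
EXEC_SOUND = Rule(
    "exec-any",
    re.compile(r"\.exec\("),
    "Runtime.exec call: review the command for untrusted input",
)
EXEC_PRECISE = Rule(
    "exec-concat",
    re.compile(r"\.exec\([^;]*\+"),
    "Runtime.exec with string concatenation in the argument",
)


def scan(source: str, rules: List[Rule]) -> List[Finding]:
    """Match every rule against every non-comment line of the source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):  # a real tool tokenizes; we only skip line comments
            continue
        for rule in rules:
            if rule.pattern.search(line):
                findings.append(Finding(rule.name, lineno, stripped))
    return findings


def evaluate(findings: List[Finding], rule_name: str, true_defects: Set[int]) -> Dict[str, List[int]]:
    """Compare one rule's reported lines against hand-labelled defect lines."""
    reported = {f.line for f in findings if f.rule == rule_name}
    return {
        "false_positives": sorted(reported - true_defects),
        "false_negatives": sorted(true_defects - reported),
    }


# Constructed Java sample; the labels below refer to its line numbers.
SAMPLE_JAVA = """\
public class Demo {
    public int counter = 0;
    public static final int MAX = 10;
    private String password = "hunter2";
    // password = "only a comment";
    void run(String userInput) throws Exception {
        Runtime.getRuntime().exec("ls -l");
        Runtime.getRuntime().exec("ping " + userInput);
        String cmd = "ping " + userInput;
        Runtime.getRuntime().exec(cmd);
    }
}
"""
# Hand-labelled ground truth for the exec checks: lines 8 and 10 pass
# user-controlled data to exec; line 7 runs a fixed command.
EXEC_TRUE_DEFECTS = {8, 10}


def compare_exec_rules(source: str = SAMPLE_JAVA) -> Dict[str, Dict[str, List[int]]]:
    """Run both exec rules and report each one's false positives and negatives."""
    findings = scan(source, [EXEC_SOUND, EXEC_PRECISE])
    return {
        EXEC_SOUND.name: evaluate(findings, EXEC_SOUND.name, EXEC_TRUE_DEFECTS),
        EXEC_PRECISE.name: evaluate(findings, EXEC_PRECISE.name, EXEC_TRUE_DEFECTS),
    }


if __name__ == "__main__":
    all_rules = [PUBLIC_MUTABLE_FIELD, HARDCODED_SECRET, EXEC_SOUND, EXEC_PRECISE]
    for f in scan(SAMPLE_JAVA, all_rules):
        print(f"line {f.line:>2} [{f.rule}] {f.text}")
    for name, result in compare_exec_rules().items():
        print(name, result)
```

Running it reports the public field on line 2, the embedded credential on line 4, and the exec calls; `compare_exec_rules()` shows the broad rule with one false positive (line 7) and no misses, and the narrow rule with no false positives but a miss on line 10. Neither variant is wrong in itself; which one a team wants is exactly the balance the text describes, and the constructed ground-truth labels are what lets you measure it.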

[1] M. P. Robillard, W. Coelho, and G. C. Murphy, “How effective developers investigate source code: An exploratory study,” IEEE Transactions on Software Engineering, vol. 30, pp. 889-903, Dec. 2004. http://bit.ly/1cgFBi8

[2] B. Chess, G. McGraw, “Static analysis for security,” IEEE Security and Privacy, vol. 2, pp. 76-79, Nov. 2004. http://bit.ly/1e19rW1

[3] J. Viega, G. McGraw, T. Mutdosch, and E. W. Felten, “Statically scanning java code: Finding security vulnerabilities,” IEEE Software, vol. 17, pp. 68-74, Sept. 2000. http://bit.ly/15co1Y4
