Static Code Analysis

Static Code Analysis

What is Static Code Analysis?

Static Analysis helps development teams under pressure—quality releases need to be delivered promptly. Compliance and coding standards are required to be met. And mistakes are not a choice. That is why development teams are utilizing static analysis tools. Here, we discuss static Analysis and the advantages of using a static code analysis tool.

Table of Content:

  1. Definition of Static Analysis 
  2. Meaning of Static Analysis Code 
  3. At What Stage is Static Code Analysis Performed? 
  4. What Are The Advantages of Static Code Analysis?
  5. How To Pick a Static Code Analysis Tool. 
  6. Tool Types. 

Definition of Static Analysis 

Static Analysis is best described as debugging by automatically examining source code before a program is run.

Definition of Static Analysis Code 

Static analysis and static code analysis are used interchangeably and source code analysis. Static code analysis is a debugging methodologies that examines source code before a program is run. It’s done by analyzing a code set against a set (or multiple sets) of coding rules and plug-ins.  This kind of Analysis addresses weaknesses in source code that might lead to vulnerabilities. Of course, you may also achieve this via manual code reviews. However, using automated tools is much more effective for your business. Static Analysis is generally used to comply with coding guidelines like MISRA. And it is often used for complying with industry standards — such as ISO 26262.

At What Stage is Static Code Analysis Performed?

Stage Static Code Analysis Is Performed

Static code analysis is performed in the initial point of the development prior to software testing begins. For organizations practicing DevOps, static code analysis occurs during the “Create” phase of the development process. Static code analysis also supports DevOps through the creation of an automated feedback loop. Application developers will be made aware early on of any issues in their code. At that point, it will be easier to fix those challenges.

Dynamic Analysis Vs. Static Analysis 

So, what is the differentiating factor between Static Analysis and Dynamic Analysis? Both types detect defects. The big difference is where they find bugs or weaknesses in the development lifecycle.  Static Analysis identifies weaknesses before running a program (For instance, between coding and unit testing). Dynamic code analysis identifies defects after running a program (for example, during unit testing). But some coding errors might not be made known during unit testing. Hence, there are defects that dynamic testing might miss that static code analysis can find.

Static Code Analysis (also referred to as the static Source Code Analysis) is often performed as part of a Code Review (also called white-box testing). It is carried out at the Implementation phase of SLD (Security Development Lifecycles). Static Code Analysis usually refers to running Static Code Analysis tools that attempt to highlight vulnerabilities within ‘static’ (non-running) source code by utilizing techniques like Data Flow Analysis and Taint Analysis.

In the ideal situation, such tools would automatically find security flaws with high confidence that what is seen is indeed a flaw. However, this is beyond state of the art for many types of application security flaws. Hence, such tools frequently serve as aids for an analyst to help them zero in on security-relevant portions of the piece of code so they can find spots more efficiently, rather than a tool that searches for flaws automatically such as runtime errors.

A few tools are starting to move into the Integrated Development Environment (IDE). For the types of problems detected during the software development phase, this is a decisive phase in the development lifecycle to use such tools. It offers immediate feedback to the developer on challenges they might be introducing into the open source code during code development itself. This immediate feedback is instrumental in finding weaknesses much later in the development cycle. There is a visual studio such as Microsoft Visual Studio or OWASP top or Github that is utilized for varying software development like web apps,  mobile apps, and computer programs. They can help you enhance the code security, no matter the code complexity, baring in mind any dead code or redundant code. The code review tool you use ensures that you have code quality metrics on the code snippet provided in the software development lifecycle or software development processes.  

The UK Defense Standard (00-550) expects that Static Code Analysis be utilized on all ‘safety-related software in defense equipment.

Static Code Analysis Techniques

techniques to analyze static source code

These tools may combine various techniques to analyze static source code for potential vulnerabilities into a singular solution. These techniques are often designed from compiler technologies.

Data Flow Analysis

Data flow analysis collects runtime (dynamic) information about data in software while it is in a static state.

There are three standard terms utilized in basic block (the code), data flow analysis, Control Flow Path (the path the data takes), and Control Flows Analysis (the workflow of data):

Basic block: This block is a sequence of consecutive instructions in which control enters at the start of a block, control leaves at the end of a partnership, and the block cannot branch or halt out except at its end. 

Example PHP basic block:

$a = 0;

$b = 1;

if ($a == $b)

{ # start of block

  echo “a and b are the same”;

} # end of block

else

{ # start of block

  echo “a and b are different”;

} # end of block

Control Flow Graph (CFG)

This abstract graph representation of software uses nodes that represent basic blocks. A node in a graph acts as a representative of a partnership; directed edges represent paths or jumps from one block to the next. If a node characteristic is it only has an exit edge, this is called an ‘entry’ block; if a node only has an entry edge, this is known as an ‘exit’ block. For example Control Flow Graph; ‘node 1’ represents the entry block, and ‘node 6’ represents the exit block.

Control Flow Analysis

Taint Analysis

Taint Analysis is used in an attempt to identify variables that have been ‘tainted’ with user-controllable input and traces them to the possible vulnerable functions, also referred to as a ‘sink.’ If it so happens that the tainted variable gets passed to a sink without first being sanitized, it is flagged down as a weakness. For instance, some programming languages, Ruby and Perl, have Taint Checking built into them and enabled in accepting data through CGI.

Lexical Analysis

Lexical Analysis turns source code syntax into ‘tokens’ of information to abstract the source code and makes it easier to manipulate.

Pre-tokenized PHP source code:

<?php $name = “Ryan”; ?>

Post tokenized PHP source code:

T_OPEN_TAG

T_VARIABLE

=

T_CONSTANT_ENCAPSED_STRING

;

T_CLOSE_TAG

Strengths and Weaknesses

Static Code Analysis Strengths and Weaknesses

Strengths

Scales Well ( it can be run on lots of software and can repeatedly be (like in nightly builds)

They are great for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws.

Weaknesses

  • Many types of security vulnerabilities are challenging to find automatically, such as access control issues, authentication problems, insecure use of cryptography. 
  • Tools of this kind are getting better, however. Right now the state of the art only permits such devices to find a relatively small percentage of application security flaws automatically.
  • A large number of false positives.
  • Often it can not find configuration problems since they are not represented in the code.
  • Hard to ‘prove’ that an identified security challenge is an actual weakness.
  • Several of these tools have difficulty analyzing code that can not be compiled. Analysts often can not compile code because they don’t have the correct code, libraries, compilation instructions.

Limitations

False Positives

A static code analysis tool or a static code analysis solution often produces false-positive results where the device reports a possible vulnerability. This usually occurs because the agency cannot ensure the integrity and security of data as it flows via the application from input to output. The software metrics are designed to give you safer code and enhance the software architecture but sometimes your software development teams have tools that can not secure software or secure code as expected. False-positive results might be reported when analyzing an application that interacts with closed source components or external systems because without the source code, it is impossible to trace the flow of data in the external system and thus ensure the software security and integrity of the data.

False Negatives

The utility of static code analysis tools can also result in false-negative results where vulnerabilities result, but the agency does not report them. This might occur if a new weakness is discovered in an external component or if the analysis tool does not know the runtime environment and whether it is securely configured. This can occur with any number of potential errors such as syntax error or run-time errors or complex security vulnerabilities

Important Selection Criteria

Requirement: 

The tool must support your language; however, it is not commonly a key factor in analysis of code once it does.

The kinds of weaknesses it can detect in your codes.

Does the tool require a completely buildable set of sources?

Can it run against binaries instead of the original?

Is it possible to integrate it into the developer’s IDE? You want to also determine the level of continuous integration (CD Pipeline).

The license cost for the tool. (Some are sold per org, per user, per app, per line of code analyzed. Consulting licenses are frequently different than end-user licenses.)

Does it support Object-oriented programming (OOP)?

What are the Limitations?

Static Code Analysis Limitations

Static code analysis is utilized for a particular goal within a specific development phase. However, there are a few limitations of a static code analysis tool.

No Understanding of Developer Intent

int calculateArea(int length, int width)

{

    return (length + width);

}

A static analysis tool might detect any kind of overflow in this calculation. However, it can not determine that a function fundamentally does not do what is expected. 

Rules That Are Not Statically Enforceable

A few coding rules depend on external documentation. Or they are made open to subjective interpretation.

For example: 

CERT-C MSC04:

Utilize comments consistently and in a readable means.

Possible Defects may Lead to False Negatives and False Positives.

In several situations, a tool can only report a potential defect. 

int divide(void)

{

    int x;

    if(foo())

    {

        x = 0;

    }

    else

    {

        x = 5;

    }

    return (10/x);

}

If we know nothing about foo(), we do not understand what value x will have. That means that the tools may report defects that do not exist (false positives). Or they may fail to inform fundamental weaknesses (false negatives). The result is undecidable.

What Are The Advantages of Static Code Analysis?

The Advantages of Static Code Analysis

There are several benefits of static code analysis tools — especially if you need to comply with an industry standard.

The best static code analysis tools offer depth, accuracy, and speed. 

Speed

It takes some time for engineers to do manual code reviews. Automated tools are much faster in this regard. Static code checking addresses challenges early on. And it pinpoints exactly where the issue is in the code. So, you will be able to fix those problems faster. Additionally, coding errors found earlier are less pricey to repair.

Depth

Testing can not cover every possible code base execution path. However, a static code analyzer is able to. It checks the code as your QA works on your build. You will get an in-depth analysis of where there might be potential problems in your code based on the rules you’ve applied.

Accuracy

Manual code reviews are more likely to be affected by human error. Automated tools, on the other hand, are not. The automated tools scan all the lines of code. This is to identify potential challenges that may come up. This helps your engineer ensure the highest-quality code is in place — before testing begins. After all, quality is critical when you’re complying with a coding standard. 

How To Pick a Static Code Analysis Tool

How To Pick a Static Code Analysis Tool

Below are a few things to consider when you are picking which tool is correct for you.

  1. The Programming Language Analyzers are designed for many varying programming languages. So, it’s essential to choose a tool that supports your language.
  2. Standards – One of the primary functions of static analyzers is to help you to comply with security standards. So, if you are in a regulated industry that needs a coding standard, you will want to ensure your tool supports that standard through a static application security testing with an appsec.

Why Pick a Perforce Static Code Analysis Tool?

Static code analysis solutions have been relied on for over 30 years to offer the most precise and accurate results to mission-critical project teams across various industries. And they provide fewer false positives and false negatives. Misra C for C, Helix QAC for C++/C, while Klocwork for Java, C, C++, JavaScript, python, php, and C# is certified to comply with compliance mandates and coding standards. 

Tool Types

The Object Management Group (OMG) has published a study about the types of software analysis required for software quality measurement and assessment.

Unit Level – The analysis takes place within a specific program or subroutine without connecting to the context of that program.

Technology Level – The analysis considers interactions between unit programs to get a more holistic and semantic view of the overall program to find issues and avoid obvious false positives. For instance, it is possible to analyze the Android technology stack to find permission errors statically.

System Level – The analysis considers the interactions between unit programs without being limited to one specific technology or programming language.The system can define a different level of software analysis.

Mission/Business Level – The analysis considers the business/mission layer terms, rules, and processes implemented while in the operating system or software system for its operation as part of enterprise or mission/program layer activities. These elements are implemented, which is done without being limited to one specific programming language or technology. In many cases, they are distributed across multiple languages but are statically extracted and analyzed for system understanding for mission assurance.

Scroll to Top