Coverity introduction and typical defect description

1. Coverity overview

 

Coverity was founded in 2002 by leading scientists from Stanford University. The product's core technology was developed in the Stanford University Computer Systems Laboratory between 1998 and 2002 to address one of the hardest problems in computer science. In 2003 the company released the first system able to detect large numbers of critical defects in open source projects such as Linux and FreeBSD. The development and testing platform that Coverity launched is built on a new generation of static analysis that does not perform coding-rule checking but concentrates on finding real bugs in the code, so developers can find and fix security defects while they are still writing the code, shortening time to market and reducing risk. Coverity is the only static analysis vendor ranked among IDC's top 10 software quality tool vendors, and VDC rates it as a leader in static source code analysis.

 

2. Advantages of using Coverity

 

Since 2006, Coverity has worked with the U.S. Department of Homeland Security on the Coverity SCAN project to ensure the security and integrity of open source software. Coverity SCAN has analyzed more than 290 open source projects, including Linux, Apache, PHP, and Android. The table below lists the most common defect types found in open source software; commercial software shows a similar distribution.

 

Defect type                 Frequency in SCAN projects   Risk level

Null pointer dereferences   27.60%                       Medium

Resource leaks              23.19%                       High

Incorrect expressions        9.76%                       Medium

Uninitialized variables      8.41%                       High

Use after free               5.91%                       Fairly high

Buffer overflows             5.52%                       High

 

Defect types such as null pointer dereferences, resource leaks, and buffer overflows usually carry serious quality and security risk. Coverity finds such defects far more easily than traditional testing methods do.

 

Using Coverity during development gives developers more confidence in product quality, and lets testers spend their effort on testing business logic rather than on confirming bugs that only appear under special conditions (null pointer dereferences being the typical case), which improves testing efficiency.

 

3. Description of typical Coverity defects

 

1) Null pointer dereferences

 

Description: the program calls a method on, or otherwise dereferences, a pointer whose value is null, raising a null pointer exception.

 

Possible consequences: program crash, exit or restart; execution of unauthorized code or commands.

 

Checker:FORWARD_NULL

 



 

Checker: NULL_RETURNS
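The two checkers above report two shapes of the same defect: NULL_RETURNS fires when a value that a function can return as NULL is dereferenced without a check, and FORWARD_NULL fires when the code itself compares a pointer with NULL (so the analyser knows it can be NULL) and the NULL path still reaches a dereference. The following is an added example written for this page, not code from Coverity or from the original article; the user table, the function names and the lookup logic are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed in-memory user table; the page shows no real data source. */
struct user { const char *name; const char *home; };
static const struct user USERS[] = {
    { "alice", "/home/alice" },
    { "bob",   "/home/bob"   },
};
static int missing_lookups = 0;   /* counts lookups that found nothing */

/* Returns NULL for an unknown name; every caller has to handle that case. */
const char *lookup_home(const char *name)
{
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].name, name) == 0)
            return USERS[i].home;
    return NULL;
}

/* NULL_RETURNS: a value that lookup_home() may return as NULL is passed
 * straight to strlen(). Crashes for an unknown name, so it is only ever
 * called with known names here. */
size_t home_len_unchecked(const char *name)
{
    const char *home = lookup_home(name);
    return strlen(home);                    /* NULL_RETURNS defect */
}

/* FORWARD_NULL: 'home' is compared against NULL, which tells the analyser
 * it can be NULL, yet the NULL path carries on to the dereference. */
int home_is_absolute_bad(const char *name)
{
    const char *home = lookup_home(name);
    if (home == NULL)
        missing_lookups++;                  /* noted, but no early return */
    return home[0] == '/';                  /* FORWARD_NULL defect */
}

/* Hardened form: the NULL case becomes an explicit error code (-1), which
 * cannot be confused with a length, so no path dereferences NULL. */
long home_len_checked(const char *name)
{
    const char *home = lookup_home(name);
    if (home == NULL) {
        missing_lookups++;
        return -1;
    }
    return (long)strlen(home);
}

int missing_lookup_count(void) { return missing_lookups; }
```

The defect functions compile cleanly, which is the point: neither the compiler nor a test that only exercises known names will notice them, while the path analysis behind FORWARD_NULL and NULL_RETURNS does. In a Coverity installation the file would be captured with `cov-build --dir <intermediate-dir> <build command>` and analysed with `cov-analyze --dir <intermediate-dir>`.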

 



 

2) Resource leaks

 

Description: the program fails to release a resource, or releases it incorrectly.

 

Possible consequences: denial of service (DoS), disclosure of sensitive data, resource exhaustion.

 

Checker: RESOURCE_LEAK
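RESOURCE_LEAK reports a path on which something acquired (heap memory, a FILE*, a descriptor, a socket) becomes unreachable without being released; the usual culprit is an early return added after the acquisition. The following is an added example written for this page, not code from Coverity or the original article. The allocation counter, the `store_pair_*` functions and the 16-byte value limit are constructed so that the leak is observable at run time.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed allocation tracker so a leak shows up as a number; in real
 * code the same pattern applies to FILE*, file descriptors and sockets. */
static int live_allocs = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

int live_allocations(void) { return live_allocs; }

#define MAX_VALUE_LEN 16

/* RESOURCE_LEAK: 'key' is acquired first, and two later early returns
 * leave it unreachable. These are exactly the paths Coverity reports. */
int store_pair_leaky(const char *k, const char *v)
{
    char *key = tracked_malloc(strlen(k) + 1);
    if (key == NULL)
        return -1;
    strcpy(key, k);

    if (strlen(v) > MAX_VALUE_LEN)
        return -1;                          /* RESOURCE_LEAK: key not freed */

    char *val = tracked_malloc(strlen(v) + 1);
    if (val == NULL)
        return -1;                          /* RESOURCE_LEAK: key not freed */
    strcpy(val, v);

    /* ... the pair would be handed to a table here ... */
    tracked_free(val);
    tracked_free(key);
    return 0;
}

/* Hardened form: one exit label releases everything that was acquired,
 * and each pointer starts as NULL so the cleanup is safe on every path. */
int store_pair_fixed(const char *k, const char *v)
{
    int rc = -1;
    char *key = NULL;
    char *val = NULL;

    key = tracked_malloc(strlen(k) + 1);
    if (key == NULL)
        goto out;
    strcpy(key, k);

    if (strlen(v) > MAX_VALUE_LEN)
        goto out;                           /* key is released at 'out' */

    val = tracked_malloc(strlen(v) + 1);
    if (val == NULL)
        goto out;
    strcpy(val, v);

    rc = 0;
out:
    tracked_free(val);
    tracked_free(key);
    return rc;
}
```

A leak of one small buffer per rejected request is harmless once, but an attacker who can trigger the rejection path at will turns it into the resource-exhaustion DoS listed above; the single-exit cleanup removes the whole class rather than the one instance.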

 



 

3) Memory corruption

 

Description:

  • Reading or writing a memory buffer outside its intended bounds
  • Using an uninitialized variable
  • Passing an incorrect argument value in a function call
  • Reusing memory after it has been freed

 

Possible consequences: program crash, exit or restart; execution of unauthorized code or commands.

 

Checker: OVERRUN
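OVERRUN covers both out-of-bounds writes and out-of-bounds reads; the write variant is the classic buffer overflow from the table in section 2, and the read variant leaks adjacent memory. The following is an added example written for this page, not code from Coverity or the original article. The 16-byte name buffer, the port table and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX_LEN 16

/* OVERRUN (write): '<=' admits i == NAME_MAX_LEN, so a 16-character
 * source stores its terminator at dst[16], one byte past the array, and a
 * longer source spills further. Safe only for short input, which is all
 * it is ever given here. */
void copy_name_overrun(char dst[NAME_MAX_LEN], const char *src)
{
    size_t i;
    for (i = 0; i <= NAME_MAX_LEN && src[i] != '\0'; i++)   /* should be '<' */
        dst[i] = src[i];
    dst[i] = '\0';                                           /* OVERRUN when i == 16 */
}

/* Hardened form: one byte is reserved for the terminator and overlong
 * input is truncated instead of spilling. Returns 1 when truncated,
 * 0 otherwise, -1 for a zero-sized destination. */
int copy_name_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    size_t n = strlen(src);
    int truncated = n >= dst_size;
    if (truncated)
        n = dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Module-level buffer so callers can inspect the result of a copy. */
static char name_buf[NAME_MAX_LEN];
int set_name(const char *src) { return copy_name_bounded(name_buf, sizeof name_buf, src); }
const char *get_name(void) { return name_buf; }

/* OVERRUN (read): an index taken from outside is used without a range
 * check, so PORTS[4] or PORTS[-1] reads whatever sits next to the table. */
static const int PORTS[4] = { 22, 80, 443, 8443 };
int port_at_unchecked(int idx) { return PORTS[idx]; }    /* OVERRUN defect */

/* Hardened form: reject anything outside [0, count) before indexing. */
int port_at_checked(int idx)
{
    if (idx < 0 || (size_t)idx >= sizeof PORTS / sizeof PORTS[0])
        return -1;
    return PORTS[idx];
}
```

Note that `copy_name_overrun` behaves correctly for every input shorter than the buffer, which is why such bugs survive ordinary testing; the analyser reports it from the loop bound alone, without needing a crashing input.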

 



 

4) Memory illegal accesses

 

Description:

  • Using an uninitialized variable
  • Using a resource (CPU, memory, socket, file, etc.) after it has been released
  • A function returning the address of a stack variable

 

Possible consequences: program crash, exit or restart; resource exhaustion, etc.

 

Checker: OVERRUN

 


 

Checker: USE_AFTER_FREE



 
Checker: RETURN_LOCAL
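USE_AFTER_FREE and RETURN_LOCAL are both cases of a pointer outliving the memory it refers to: in the first the memory is released explicitly, in the second it is a stack frame that disappears on return. The following is an added example written for this page, not code from Coverity or the original article. The `session` structure, the token field and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed session object holding a secret token. */
struct session {
    int  id;
    char token[32];
};

struct session *new_session(int id, const char *token)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->id = id;
    strncpy(s->token, token, sizeof s->token - 1);
    return s;
}

/* USE_AFTER_FREE: the object is released, then its field is read. Shown
 * as the defect only; it is never executed because the read is undefined. */
int close_session_uaf(struct session *s)
{
    int id = s->id;
    free(s);
    if (id < 0)
        return -1;
    printf("closed session %d\n", s->id);          /* USE_AFTER_FREE */
    return 0;
}

/* Hardened form: everything needed is copied out first, the secret is
 * scrubbed (use explicit_bzero/memset_s where available, since a plain
 * memset before free may be optimised away), and the caller's pointer is
 * set to NULL so any later use is a detectable NULL dereference rather
 * than a read of recycled memory. Returns the closed session's id. */
int close_session_fixed(struct session **sp)
{
    if (sp == NULL || *sp == NULL)
        return -1;
    int id = (*sp)->id;
    memset((*sp)->token, 0, sizeof (*sp)->token);
    free(*sp);
    *sp = NULL;
    return id;
}

/* Driver: creates and closes a session; returns the id only if the
 * caller's pointer was cleared, -2 otherwise. */
int session_lifecycle_demo(int id)
{
    struct session *s = new_session(id, "tok-123");
    if (s == NULL)
        return -1;
    int got = close_session_fixed(&s);
    return (s == NULL) ? got : -2;
}

/* Passes the pointer through a helper so the compiler's own
 * return-of-local warning does not fire; Coverity still tracks it. */
static char *as_is(char *p) { return p; }

/* RETURN_LOCAL: 'buf' lives in this frame and is gone once we return,
 * so the caller receives a dangling pointer. Never called here. */
const char *session_label_bad(int id)
{
    char buf[32];
    snprintf(buf, sizeof buf, "session-%d", id);
    return as_is(buf);                              /* RETURN_LOCAL */
}

/* Hardened form: the caller owns the storage. Returns 0, or -1 when the
 * label would not fit. */
int session_label(int id, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "session-%d", id);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

char label_buf[32];   /* example storage for callers of session_label() */
```

Clearing the caller's pointer after free does not stop a second copy of the same pointer elsewhere from being used, so it is a mitigation for the single-owner case, not a substitute for the checker.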



 

5) Incorrect expressions

 

Description: using the wrong variable, or an incorrect type conversion.

 

Possible consequences: output values that do not match expectations, program logic errors, run-time errors.

 

Checker: COPY_PASTE_ERROR
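COPY_PASTE_ERROR looks for a statement that was duplicated and then only partly edited, so that one of the copies still refers to the original variable; the result compiles, passes casual review, and silently skips a check. The second half of the example covers the other item in the description, an incorrect type conversion. The following is an added example written for this page, not code from Coverity or the original article; the range-check and length-check functions are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* COPY_PASTE_ERROR: the second 'if' was pasted from the first and the
 * variable was never changed, so 'hi' is never checked at all. A request
 * whose end lies beyond the permitted region is still accepted. */
int window_allowed_buggy(unsigned long region_lo, unsigned long region_hi,
                         unsigned long lo, unsigned long hi)
{
    if (lo < region_lo || lo > region_hi)
        return 0;
    if (lo < region_lo || lo > region_hi)   /* COPY_PASTE_ERROR: should test 'hi' */
        return 0;
    return 1;
}

/* Hardened form: both ends are validated, and the window itself must be
 * well-formed (lo <= hi) so it cannot straddle the region backwards. */
int window_allowed_fixed(unsigned long region_lo, unsigned long region_hi,
                         unsigned long lo, unsigned long hi)
{
    if (lo > hi)
        return 0;
    if (lo < region_lo || lo > region_hi)
        return 0;
    if (hi < region_lo || hi > region_hi)
        return 0;
    return 1;
}

/* Incorrect type conversion: the bound is checked in signed arithmetic,
 * so len = -1 passes it, and the implicit conversion to size_t at the copy
 * turns -1 into SIZE_MAX. The function returns the byte count it would hand
 * to memcpy() instead of copying, so the defect is observable. A return of
 * 0 means the request was refused. */
size_t bytes_to_copy_buggy(int len, size_t capacity)
{
    if (len > (int)capacity)
        return 0;
    return (size_t)len;                     /* -1 becomes SIZE_MAX */
}

/* Hardened form: reject negatives before the value is ever treated as a size. */
size_t bytes_to_copy_fixed(int len, size_t capacity)
{
    if (len < 0 || (size_t)len > capacity)
        return 0;
    return (size_t)len;
}
```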



 

6) Uninitialized variables

 

Description: a variable is used before it has been initialized.

 

Possible consequences: incorrect program logic, wrong data, program crash.

 

Checker: UNINIT
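UNINIT reports a path on which a variable (or a structure member) is read before anything has been stored in it; the read returns whatever the stack or heap happened to contain, which is why the symptom is intermittent and why the "Uninitialized members" item in the defect list below belongs to the same checker. The following is an added example written for this page, not code from Coverity or the original article. The command dispatcher, the `limits` structure and the tiny `key=value` parser are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* UNINIT: 'rc' is only assigned for the commands the code knows about;
 * any other command returns whatever was on the stack. Shown as the
 * defect only and never executed on that path. */
int dispatch_uninit(const char *cmd)
{
    int rc;
    if (strcmp(cmd, "start") == 0)
        rc = 1;
    else if (strcmp(cmd, "stop") == 0)
        rc = 2;
    return rc;                              /* UNINIT on the unknown path */
}

/* Hardened form: initialise to a failure value so the fall-through
 * case has a defined meaning. */
int dispatch_fixed(const char *cmd)
{
    int rc = -1;
    if (strcmp(cmd, "start") == 0)
        rc = 1;
    else if (strcmp(cmd, "stop") == 0)
        rc = 2;
    return rc;
}

/* Uninitialized members: a parser that only writes the fields it sees
 * leaves the others holding garbage. */
struct limits { int max_conn; int timeout_s; int verbose; };

/* Constructed mini-parser for "key=value,key=value"; unknown keys are
 * ignored to keep the example short. */
static void apply_line(struct limits *l, const char *line)
{
    char copy[128];
    strncpy(copy, line, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    for (char *tok = strtok(copy, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (strncmp(tok, "max_conn=", 9) == 0)
            l->max_conn = atoi(tok + 9);
        else if (strncmp(tok, "timeout=", 8) == 0)
            l->timeout_s = atoi(tok + 8);
        else if (strncmp(tok, "verbose=", 8) == 0)
            l->verbose = atoi(tok + 8);
    }
}

/* UNINIT (member): only the keys present are set, so reading timeout_s
 * is undefined when the line did not mention it. Only called with lines
 * that do set it. */
int parse_timeout_uninit(const char *line)
{
    struct limits l;                        /* no initialiser */
    apply_line(&l, line);
    return l.timeout_s;                     /* UNINIT if "timeout=" was absent */
}

/* Hardened form: every member has a defined default before parsing. */
int parse_timeout_fixed(const char *line)
{
    struct limits l = { .max_conn = 100, .timeout_s = 30, .verbose = 0 };
    apply_line(&l, line);
    return l.timeout_s;
}
```

The member case is the one that most often escapes notice: a configuration file that omits one key works on the developer's machine, where the stack happens to hold a plausible value, and fails elsewhere.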



 

4. Languages supported by Coverity and the list of defects it can detect

 

Coverity supports the following languages and frameworks:

C/C++, C#, Java, JavaScript, PHP, Python, ASP.NET, Objective-C, JSP, Node.js, Ruby, Android

 

Main defect types it can detect:

  • API usage errors
  • Best practice coding errors
  • Build system issues
  • Buffer overflows
  • Class hierarchy inconsistencies
  • Code maintainability issues
  • Concurrent data access violations
  • Control flow issues
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Deadlocks
  • Error handling issues
  • Hard-coded credentials
  • Incorrect expression
  • Insecure data handling
  • Integer handling issues
  • Integer overflows
  • Memory – corruptions
  • Memory – illegal accesses
  • Null pointer dereferences
  • Path manipulation
  • Performance inefficiencies
  • Program hangs
  • Race conditions
  • Resource leaks
  • Rule violations
  • Security best practices violations
  • Security misconfigurations
  • SQL Injection
  • Uninitialized members

For more details on Coverity see:

https://www.synopsys.com/software-integrity/resources/datasheets/coverity.html#CWEcoverage

 
