Software Source Code Static Analysis Tool (CoBOT SAST)

Peking University Cobot's Software Source Code Static Analysis Tool (CoBOT SAST for short) uses a range of advanced code analysis and deep learning techniques to build a source code detection system that meets an organization's source code detection needs without changing its existing development and testing process. It connects seamlessly with source code management systems (Git, SVN, etc.), defect management systems (Jira, Bugzilla, Zen Tao, etc.) and continuous integration tools (Jenkins, Zen Tao, etc.), so that source code detection is integrated into the enterprise R&D process. It performs coding rule detection, runtime defect detection, security vulnerability detection, metric statistics, clone detection and automatic generation of reverse-engineered architecture diagrams, and provides an interface for independently developing detectors, helping organizations quickly build their own inspection system and capabilities for source code security.

In 2015, it passed the CWE compliance certification and became the first software security testing tool in China to pass the certification, breaking the monopoly of foreign products in the field of software defect detection and security vulnerability analysis. It has driven the development of the domestic software code security testing industry.

Main technical indicators of CoBOT SAST

Language support: about ten mainstream development languages such as C/C++, Java and Go

Security vulnerabilities: OWASP Top 10, CWE/SANS Top 25, etc.

Defects: more than 200 types of defects from the CWE (Common Weakness Enumeration)

Coding standards: MISRA 2004, MISRA 2008, MISRA 2012, GJB 5369, GJB 8114, etc. In particular, rule set customization is supported.

Compilers supported: dozens of compilers such as ARM C/C++, Borland C++, GNU GCC C++, Intel C++, Keil compilers, SUN CC, etc.

Compatible platforms: detection of source code developed on Windows, Linux, Kylin and other mainstream general-purpose operating systems

Bug management systems: Bugzilla, Jira, TFS, Zen Tao

IDE plugins: Eclipse, VS Code, etc.

Scalability: custom detection rules and detection reports

Detection efficiency: average 1 million lines/hour

1. Code defect detection

CoBOT SAST can fully scan code without running the program and quickly report vulnerabilities in the software, including those with complex boundary conditions, making it an effective supplement to dynamic testing. For defect detection, it supports source code in more than 10 mainstream development languages such as C/C++, Java, Android, PHP, JSP, HTML, C#, Swift, JavaScript, Python, Kotlin, Scala and Go. Detectable defect types include buffer overflow, SQL injection, cross-site scripting and others, in 74 major categories and more than 2000 subcategories. It is compatible with CWE (Common Weakness Enumeration), OWASP Top 10, CWE/SANS Top 25, ISO 17961, CERT Java, the MISRA series, the GB/T series, the GJB series, the SJ/T series and other international and domestic standards.

A project can be checked directly, or a scheduled task can be created to check it regularly. When multiple projects are tested at the same time, they are queued for testing.

More than 2,000 detection items can be applied to the source code, and the results can be exported as reports in PDF, Word, Excel and other formats. The list of detection results is as follows:

2. Source code metrics

To improve the maintainability of code, it is necessary to understand the software's metrics from various angles, such as lines of code, cyclomatic complexity, and fan-in and fan-out degrees. CoBOT SAST supports more than 30 kinds of metrics at the project, file and function level, and assigns unqualified files and functions to the corresponding developers for modification. The source code metrics are shown in the following diagram:

3. Source code clone analysis

CoBOT SAST supports code clone analysis to identify code that has the same functionality as existing source code but has been modified. Since third-party software or the enterprise's internal code may be modified when it is reused, clone detection is needed to trace the origin of the code and find software inconsistencies caused by code cloning. The clone analysis of CoBOT SAST can be applied to code plagiarism detection, same-origin vulnerability detection and similar tasks. The clone analysis results are shown in the figure below:

4. Graphical display of source code analysis

CoBOT SAST supports reverse generation of program architecture diagrams from source code, such as function control flow diagrams, file-level function call diagrams, project-level function call diagrams, inheritance relationship diagrams and UML class diagrams, and exports them in formats including PNG and SVG. The source code analysis graph is shown in the following figure:

5. Performance Statistics

CoBOT SAST supports obtaining commit records by connecting to code management systems such as SVN and Git. Combined with source code defect detection, source code metrics and source code clone analysis, it analyzes and counts, for developers and projects, software quality (level and number of problems), work difficulty (reliability, maintainability, complexity), work efficiency/capability (amount of code committed, number and rate of problems fixed, problem density) and other information, providing an important basis for developer KPI (Key Performance Index) assessment. The performance statistics are shown in the figure below:


6. Timing detection

CoBOT SAST supports not only local source code detection but also fetching source code from SVN, Git and other code management systems for detection, including scheduled automatic detection. Users can associate CoBOT SAST with a code base and configure a scheduled detection plan; the task then automatically fetches the source code from the code base for detection at regular intervals. Detection results can be assigned automatically to the responsible persons according to the commit records of the code base, and those persons can be notified by email.

7. Product advantages

A variety of advanced static analysis techniques are used to ensure the efficiency and accuracy of the analysis. Combined with deep-learning pattern mining, the code analysis engine keeps adding new defect patterns, ensuring the breadth of the analysis. It covers three categories (coding rules, defects and vulnerabilities) with thousands of detector types, completing many kinds of detection. It integrates the features of multiple tools, reducing costs for enterprises. The tool's analysis engine interface is provided so that users can carry out custom development for their own defect types.


Origin blog.csdn.net/alwayssun/article/details/130306423