A roundup of code audit tools
The following links are currently popular articles recommending code audit tools:
http://www.freebuf.com/sectool/101256.html
https://www.owasp.org/index.php
https://www.dwheeler.com/essays/static-analysis-tools.html
https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Tutorial on how to develop secure programs: https://www.dwheeler.com/secure-programs/3.71/Secure-Programs-HOWTO/index.html
0x01 PHP code audit
1. RIPS is an open-source automated code audit tool with strong vulnerability discovery capabilities. It is written in PHP and performs static security audits of PHP code. The main features of RIPS code security auditing are as follows:
1) detects XSS, SQL injection, file disclosure, local/remote file inclusion, remote command execution and many other vulnerability types;
2) five verbosity levels for debugging and displaying scan results;
3) marks vulnerable lines;
4) highlights variables;
5) hovering over a user-defined function shows where it is called;
6) flexible jumping between function definitions and calls;
7) details all user-defined functions (definitions and calls), all entry points (user input) and all scanned files (including included files);
8) visualizes graphs of source files, file inclusions and function calls;
9) builds a CURL-based exploit for a detected vulnerability in just a few mouse clicks;
10) for each vulnerability, the description, an example PoC, the patch and the relevant secure functions are listed in detail;
11) 7 different syntax highlighting modes;
12) top-down or bottom-up tracing of scan results;
13) only a local PHP server and a browser are needed;
14) regular expression search.
There is now a commercial version, but the open-source version is already good enough; the latest open-source release of RIPS is 0.55.
Download link: https://sourceforge.net/projects/rips-scanner/
0x02 Java code audit
Code quality: FindBugs. Security code: FindSecurityBugs. FindSecurityBugs is a plug-in for the Java static analysis tool FindBugs that finds security vulnerabilities in Java code through a set of rules. It can be integrated into many IDEs, including Eclipse and IntelliJ. The project currently receives a lot of attention in the security community. The latest version also adds vulnerability types specific to Android products, so it is a good mobile security scanning tool as well. For a more detailed understanding, see the links below. Download: http://findbugs.sourceforge.net/downloads.html
https://www.jianshu.com/p/c43940c4e025
https://find-sec-bugs.github.io/
https://wiki.jenkins.io/display/JENKINS/FindBugs Plugin
0x03 Code audit for other languages
1. .NET: https://security-code-scan.github.io/
2. C++:
Code quality: cppcheck
Security code: Flawfinder https://sourceforge.net/projects/flawfinder/
http://www.doc88.com/p-669125880049.html
https://sourceforge.net/p/flawfinder/feature-requests/4/ (feature request: XML output format support)
3. JS:
Code quality: eslint
Security code: NodeJsScan https://github.com/ajinabraham/NodeJsScan
https://blog.csdn.net/yalishandalee/article/details/61916454
https://github.com/nodesecurity/eslint-plugin-security#rules
4. Go:
Code quality: golint, go tool vet
Security code: Gas https://github.com/GoASTScanner/gas
5. Python:
Code quality: pylint
Security code: Bandit, py-find-injection, PyT https://wiki.openstack.org/wiki/Security/Projects/Bandit
https://github.com/openstack/bandit
https://github.com/uber/py-find-injection
https://github.com/bit4woo/python_sec https://github.com/python-security/pyt
6. Multi-language security code checking tool: Sonar https://docs.sonarqube.org/display/SONAR
https://www.sonarsource.com/products/codeanalyzers/sonarjava/rules.html#Vulnerability_Detection
https://github.com/SonarSource/sonarqub
7. Ruby: https://github.com/thesp0nge/dawnscanner
https://github.com/presidentbeef/brakeman
0x04 Commercial code audit tools
In fact these have been discussed to death online: the static analysis tools are RIPS, VCG, Fortify SCA and others, and the dynamic tools include 360's Skywolf (天狼) and 鸟哥's taint. There are also several static analysis projects: GitHub - wufeifei / COBRA: Cobra - Cobra IS A static ... This is a simple tool that finds bugs by regular-expression matching. https://grepbugs.com/ . taint only supports PHP 5.4.* and earlier versions; the latest PHP releases are not supported.