Static code check – Klocwork


1 Static code check – Klocwork
Denisa Ivan

2 Contents: Overview, Usage, Cases, Conclusions

3 Overview

4 Klocwork is a static code analysis tool that stores baselines and issues in a database, so results can be tracked from one build to the next.
Klocwork analyses the code after capturing the build (the compiler invocations and their options), rather than parsing source files in isolation.
Designed for C/C++, C# and Java code.

5 Ways to run it:
Command-line tool
Integrated in an IDE
Standalone IDE

6 Used by both integrators and developers
Can be integrated into an IDE (e.g. Eclipse, Visual Studio, IntelliJ IDEA). Down-side: the code is read-only in the IDE's issue viewer.
Users of text editors or unsupported IDEs have the option of Klocwork Desktop or the command-line tools.
Used by both integrators (server-side project builds) and developers (desktop analysis of their own changes).
Built-in checkers (200+) can be enabled or disabled for each static code check session.

7 Usage

8 Desktop workflow
Set up a local project (only the first time; --url takes the project's URL on the Klocwork server): kwcheck create --url
Capture build settings: ./kwshell
Run analysis: kwcheck run
Display issues: kwcheck list -F detailed
Automated build monitoring with kwshell: kwshell -pn /space/testing/jlee/myproject/.kwlp make
Unsupported compilers need additional steps before the build can be captured.

9 Set issue status
kwcheck set-status status fix -c "top priority"   // applied to issues 22 and 7 (the slide elides the ids)
The slide's note says these issues "will be ignored", but the status set here is Fix, which marks them for fixing; a status such as Ignore or Not a Problem is what takes an issue out of the active list.
List the available statuses: kwcheck list-statuses

10 Issue Statuses

11 Issue severity
An issue severity is made up of a level from 1 through 10, plus a label such as Warning. Severities are displayed for detected issues in Klocwork Review and on the desktop. Each checker has a default severity. The available severity levels and their default labels are:
1 - Critical
2 - Error
3 - Warning
4 - Review
5 through 10 - Severity 5 through Severity 10 (no descriptive label by default)

12 Issue severity
Built-in checkers are assigned severities 1 through 4. Custom checkers are assigned severity 4 by default.
You can edit: the severity level for individual checkers; the labels for each severity level.

13 Examples of detected weaknesses
Buffer overflows
Un-validated user input
Injection
Cross-site scripting
Information leakage
Infinite loops
Memory and resource leaks
Full description: Klocwork checker documentation (linked from the slide).

14 Built-in checkers for secure coding standards
CWE
CWE/SANS Top 25
CERT
OWASP
DISA STIG (Defense Information Systems Agency - Security Technical Implementation Guide)
MISRA (Motor Industry Software Reliability Association)

15 Preferences checkers for C/C++ language

16 Cases

17 Following are several C/C++ errors reported by Klocwork Desktop

18 Buffer Overflow
The "More information" link redirects to the complete help manual, which explains the origin of the problem and how to solve it.

19 Infinite loop
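Added example for the "Buffer Overflow" and "Infinite loop" slides (this is not code from the slides or from Klocwork itself): for each of the two defect classes, a deliberately defective *_bad function is placed beside a hardened *_ok one. The *_bad bodies are the patterns a static analyser reports; only the *_ok functions are safe to call with arbitrary input. NAME_LEN, the function names and the sample inputs in main() are all constructed for the example.

```c
/* Added example, not from the slides: the two defect classes shown on the
 * "Buffer Overflow" and "Infinite loop" slides, each as a deliberately
 * defective *_bad function beside a hardened *_ok one. The *_bad bodies are
 * the patterns a static analyser reports; only the *_ok ones are safe to call. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed record field size */

/* Buffer overflow: strcpy() copies src however long it is, so any input of
 * 16 or more characters writes past the end of dst. */
void copy_name_bad(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);                   /* no bound: stack/heap corruption */
}

/* Hardened: measure first and refuse over-long input rather than truncating
 * silently, so the caller can report it. */
int copy_name_ok(char dst[NAME_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        return -1;                      /* would not fit together with its NUL */
    memcpy(dst, src, n + 1);            /* n + 1 <= NAME_LEN, NUL included */
    return 0;
}

/* Verdict-only wrapper: 1 if src fits the field, 0 otherwise. */
int name_fits(const char *src)
{
    char tmp[NAME_LEN];
    return copy_name_ok(tmp, src) == 0;
}

/* Infinite loop: "continue" jumps back to the condition without touching i,
 * so the first odd value of i is never decremented and the loop never ends. */
unsigned count_even_bad(unsigned i)
{
    unsigned evens = 0;
    while (i != 0) {
        if (i % 2 == 1)
            continue;                   /* i unchanged here: loops forever */
        evens++;
        i--;
    }
    return evens;
}

/* Hardened: the counter is updated in the for-clause, on every iteration. */
unsigned count_even_ok(unsigned i)
{
    unsigned evens = 0;
    for (; i != 0; i--)
        if (i % 2 == 0)
            evens++;
    return evens;
}

int main(void)
{
    char name[NAME_LEN];
    const char *inputs[] = { "denisa", "0123456789abcdef" };   /* constructed */
    for (size_t k = 0; k < 2; k++)
        printf("%-18s -> %s\n", inputs[k],
               copy_name_ok(name, inputs[k]) == 0 ? name : "rejected (too long)");
    printf("evens in 10..1: %u\n", count_even_ok(10));
    return 0;
}
```

Note that the hardened copy returns an error instead of truncating: a silently shortened name is the kind of defect a bounds checker will not flag but an application will still get wrong.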


21 NULL pointer dereferences
void setValue(int* p) { *p = 32; }   // p is written through without a NULL check; setValue(NULL) crashes

22 Resource leaks

23 Memory leaks / Usage of uninitialized data
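Added example for the "NULL pointer dereferences", "Resource leaks" and "Memory leaks / Usage of uninitialized data" slides (not code from the slides or from Klocwork): each defect class appears as a deliberately defective *_bad function beside a hardened *_ok one. The function names, the sample strings and the file paths used by main() are constructed for the example; only the *_ok functions are safe to call with arbitrary input.

```c
/* Added example, not from the slides: the defect classes on the "NULL
 * pointer dereferences", "Resource leaks" and "Memory leaks / Usage of
 * uninitialized data" slides, each as a deliberately defective *_bad
 * function beside a hardened *_ok one. Only the *_ok ones are safe to call
 * with arbitrary input; the file path used by main() is a placeholder. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NULL pointer dereference: the slide's setValue() writes through p without
 * checking it, so a caller passing NULL crashes. */
void set_value_bad(int *p) { *p = 32; }

/* Hardened: reject NULL and tell the caller. */
int set_value_ok(int *p, int v)
{
    if (p == NULL)
        return -1;
    *p = v;
    return 0;
}

/* Resource leak: the early return for an empty file skips fclose(), so the
 * FILE handle (and its descriptor) is lost. */
long count_lines_bad(const char *path)
{
    FILE *f = fopen(path, "r");
    long lines = 0;
    int c;
    if (f == NULL) return -1;
    if ((c = fgetc(f)) == EOF) return 0; /* f is never closed on this path */
    do { if (c == '\n') lines++; } while ((c = fgetc(f)) != EOF);
    fclose(f);
    return lines;
}

/* Hardened: one loop handles the empty file too, so fclose() is reached on
 * every path that follows a successful fopen(). */
long count_lines_ok(const char *path)
{
    FILE *f = fopen(path, "r");
    long lines = 0;
    int c;
    if (f == NULL) return -1;
    while ((c = fgetc(f)) != EOF)
        if (c == '\n') lines++;
    fclose(f);
    return lines;
}

/* Memory leak: the temporary copy made for trimming is never freed. */
int to_int_bad(const char *s)
{
    size_t n = strlen(s) + 1;
    char *tmp = malloc(n);
    if (tmp == NULL) return 0;
    memcpy(tmp, s, n);
    tmp[strcspn(tmp, "\r\n")] = '\0';   /* drop a trailing newline */
    return atoi(tmp);                   /* tmp is lost here */
}

/* Hardened: keep the result in a local, free the copy, then return. */
int to_int_ok(const char *s)
{
    size_t n = strlen(s) + 1;
    char *tmp = malloc(n);
    int v;
    if (tmp == NULL) return 0;
    memcpy(tmp, s, n);
    tmp[strcspn(tmp, "\r\n")] = '\0';
    v = atoi(tmp);
    free(tmp);
    return v;
}

/* Uninitialized data: flag is assigned on one branch only, so the return
 * value is whatever was on the stack unless s starts with 'y'. */
int is_yes_bad(const char *s)
{
    int flag;
    if (s != NULL && s[0] == 'y') flag = 1;
    return flag;
}

/* Hardened: initialise at declaration so every path has a defined value. */
int is_yes_ok(const char *s)
{
    int flag = 0;
    if (s != NULL && s[0] == 'y') flag = 1;
    return flag;
}

int main(void)
{
    int x = 0, rc_null = set_value_ok(NULL, 32), rc = set_value_ok(&x, 32);
    printf("set_value_ok(NULL) = %d, set_value_ok(&x) = %d, x = %d\n", rc_null, rc, x);
    printf("lines in /etc/hostname: %ld\n", count_lines_ok("/etc/hostname"));
    printf("to_int_ok(\"42\\n\") = %d, is_yes_ok(\"no\") = %d\n",
           to_int_ok("42\n"), is_yes_ok("no"));
    return 0;
}
```

The pattern behind all three fixes is the same one the checkers look for: every acquired resource (a pointer, a handle, a heap block, a local variable's value) must be accounted for on every path out of the function, not just the expected one.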


25 Complete checker references (linked from the slide):
C and C++ checker reference
Java checker reference
C# checker reference

26 Conclusions
Klocwork integrates into desktop IDEs, mirroring how code is developed: defects and vulnerabilities are reported on the developer's machine as the code is being written, before it is checked in.
Klocwork is a versatile tool for static code checking of complex projects developed in C/C++, C# and Java.

27 Customizing checkers, issue statuses and severities is possible.
Monitoring issues along the project baselines is made easy by the wide range of issue statuses.
Klocwork can be a plugin for the IDE or an IDE itself, and provides easy ways to find and solve issues.

28 Questions?

