Static code check – Klocwork
Denisa Ivan
Contents:
- Overview
- Usage
- Cases
- Conclusions
Overview
Klocwork is a static code analysis tool that stores analysis baselines and issues in a database, so findings can be tracked from one build to the next. It analyses the code after capturing the compilation (the build settings and the translation units that were actually compiled), rather than by scanning source files on their own. It is designed for C/C++, C# and Java code.
Three ways to run it:
- command-line tools
- integrated into an IDE (plugin)
- standalone IDE (Klocwork Desktop)
Used by both integrators and developers.
- Can be integrated into an IDE (e.g. Eclipse, Visual Studio, IntelliJ IDEA). Down-side: the code is read-only in the IDE's Klocwork issue viewer.
- Users of plain text editors or of unsupported IDEs can use Klocwork Desktop or the command-line tools instead.
- The built-in checkers (200+) can be enabled or disabled individually for every static code check session.
Usage
Set up a local project (only the first time): kwcheck create --url (followed by the project's URL on the Klocwork server)
Capture build settings: ./kwshell
Run analysis: kwcheck run
Display issues: kwcheck list -F detailed
Automated build monitoring with kwshell (the build runs under kwshell, so the compiler invocations are recorded for the given project): kwshell -pn /space/testing/jlee/myproject/.kwlp make
Unsupported compilers need additional steps (a compiler configuration) before the build can be captured.
Setting issue statuses (e.g. to ignore an issue):
kwcheck set-status 22 7 -s Fix -c "top priority"   // issues 22 and 7 get the status Fix with the comment "top priority"
A status such as Ignore or Not a Problem instead marks an issue as one you do not intend to fix, so it no longer counts as open work.
List the available statuses: kwcheck list-statuses
Issue Statuses
Issue severity
An issue severity consists of a level from 1 through 10 plus a label such as Warning. Severities are displayed for detected issues in Klocwork Review (the web interface) and on the desktop. Each checker has a default severity. The available severity levels and their default labels are:
1 - Critical
2 - Error
3 - Warning
4 - Review
5 to 10 - Severity 5 through Severity 10 (no dedicated label)
Issue severity
Built-in checkers are assigned severities 1 through 4. Custom checkers are assigned severity 4 by default.
You can edit:
- the severity level of individual checkers
- the label of each severity level
Examples of detected weaknesses
- Buffer overflows
- Un-validated user input
- Injection
- Cross-site scripting
- Information leakage
- Infinite loops
- Memory and resource leaks
A full description of each is in the checker reference.
Built-in checkers for secure coding standards
- CWE (Common Weakness Enumeration)
- CWE/SANS Top 25
- CERT (secure coding standards)
- OWASP
- DISA STIG (Defense Information Systems Agency - Security Technical Implementation Guide)
- MISRA (Motor Industry Software Reliability Association)
Checker preferences for the C/C++ language
Cases
The following slides show several C/C++ errors reported by Klocwork Desktop.
Buffer overflow
The "More information" link on each reported issue opens the full help entry for the checker, which explains the origin of the problem and how to fix it.
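The slide shows only the report, not the code behind it. As an added example (not from the presentation), the pattern such a report points at, beside a hardened form: a fixed-size stack buffer filled by an unbounded strcpy() from caller-controlled input, versus a copy that checks the source length against the destination size before writing anything. The buffer size, names and inputs are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed buffer size for the demo */

/* The pattern reported as a buffer overflow: a fixed-size stack buffer and
 * an unbounded strcpy() from input the caller controls. Kept deliberately
 * unsafe; a name of NAME_LEN or more characters overruns buf. */
void greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);
    printf("Hello, %s\n", buf);
}

/* Hardened form: the caller passes the destination and its size, the
 * source length is checked before any byte is written, and over-long
 * input is rejected rather than silently truncated. Returns 0 on success,
 * -1 on bad arguments or input that does not fit (terminator included).
 * strncpy() alone is not a fix: it does not terminate when the source is
 * as long as the destination. */
int copy_name_checked(const char *name, char *dst, size_t dst_len)
{
    size_t n;

    if (name == NULL || dst == NULL || dst_len == 0)
        return -1;
    n = strlen(name);
    if (n >= dst_len)          /* no room left for the '\0' */
        return -1;
    memcpy(dst, name, n + 1);  /* copies the terminator as well */
    return 0;
}

void greet_safe(const char *name)
{
    char buf[NAME_LEN];

    if (copy_name_checked(name, buf, sizeof buf) != 0) {
        fprintf(stderr, "name too long (max %d characters)\n", NAME_LEN - 1);
        return;
    }
    printf("Hello, %s\n", buf);
}

int main(void)
{
    greet_safe("Alice");                 /* fits: prints the greeting */
    greet_safe("sixteencharacter");      /* 16 chars: rejected, no overflow */
    return 0;
}
```

The check is on n >= dst_len, not n > dst_len: a 16-character name needs 17 bytes in a 16-byte buffer, which is exactly the off-by-one the unsafe version hides.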
Infinite loop
NULL pointer dereferences
void setValue(int* p) { *p = 32; }   /* p is dereferenced without a NULL check; reported when a caller can pass NULL */
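On its own the slide's setValue() is only a possible NULL dereference; the report fires when the analysis sees a caller hand it a pointer that can be NULL. As an added example (not from the presentation), a lookup that returns NULL on a bad index, an unchecked caller of the slide's function, and a checked version that reports the failure instead of crashing. The table, the lookup function and the index range are assumptions for the demo.

```c
#include <stddef.h>

#define SLOTS 4                 /* assumed table size */
static int table[SLOTS];        /* zero-initialised, as all statics are */

/* Returns a pointer into the table, or NULL when idx is out of range. */
static int *find_slot(int idx)
{
    if (idx < 0 || idx >= SLOTS)
        return NULL;
    return &table[idx];
}

/* The slide's function: dereferences p unconditionally. */
void setValue(int *p) { *p = 32; }

/* The caller that gets reported: find_slot() may return NULL and its
 * result goes straight into setValue(), which dereferences it. Kept
 * deliberately unchecked; store_unsafe(7) crashes. */
void store_unsafe(int idx)
{
    setValue(find_slot(idx));
}

/* Hardened: test the pointer where the NULL can originate and turn the
 * condition into a return code the caller can act on. */
int store_checked(int idx)
{
    int *p = find_slot(idx);

    if (p == NULL)
        return -1;              /* out-of-range index, nothing written */
    *p = 32;
    return 0;
}

/* Read back a slot, -1 when the index is out of range. */
int slot_value(int idx)
{
    int *p = find_slot(idx);
    return p ? *p : -1;
}

int main(void)
{
    store_checked(2);           /* ok */
    store_checked(7);           /* rejected instead of dereferencing NULL */
    return slot_value(2) == 32 ? 0 : 1;
}
```

The fix is in the caller, not in setValue(): adding a NULL test inside setValue() would silently drop the write, which is usually a worse outcome than a visible error.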
Resource leaks
Memory leaks / Usage of uninitialized data
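The resource-leak and memory-leak cases on the last two slides share one root cause: an error path that returns before cleanup. Uninitialized data is the other common finding in the same kind of constructor. As an added example (not from the presentation), a small allocator with all three defects beside a version that validates before allocating, zero-initialises every field and releases everything on every failure path. The struct and field names are assumptions for the demo; the same pattern applies to file descriptors and other handles.

```c
#include <stdlib.h>
#include <string.h>

struct record {
    char *name;   /* heap copy of the caller's string */
    int   id;
    int   flags;  /* bit set, expected to be 0 for a fresh record */
};

/* Defective version, kept deliberately so. (1) Leak: if the second malloc
 * fails, r is dropped. (2) Leak: the early return on a bad id drops r and
 * r->name. (3) Uninitialized data: flags is never assigned, so a later
 * record_has_flag() reads whatever was on the heap. */
struct record *record_new_leaky(const char *name, int id)
{
    struct record *r = malloc(sizeof *r);
    if (r == NULL)
        return NULL;
    r->name = malloc(strlen(name) + 1);
    if (r->name == NULL)
        return NULL;                    /* leaks r */
    strcpy(r->name, name);
    if (id < 0)
        return NULL;                    /* leaks r and r->name */
    r->id = id;
    return r;                           /* r->flags left uninitialized */
}

/* Hardened version: check arguments before anything is allocated, use
 * calloc so every field starts at zero, and route every failure after the
 * first allocation through one cleanup label. Returns NULL on failure. */
struct record *record_new(const char *name, int id)
{
    struct record *r;
    size_t n;

    if (name == NULL || id < 0)
        return NULL;                    /* nothing allocated yet */
    r = calloc(1, sizeof *r);           /* id = 0, flags = 0, name = NULL */
    if (r == NULL)
        return NULL;
    n = strlen(name) + 1;
    r->name = malloc(n);
    if (r->name == NULL)
        goto fail;
    memcpy(r->name, name, n);
    r->id = id;
    return r;

fail:
    free(r);                            /* r->name is still NULL here */
    return NULL;
}

/* Single release function, safe to call with NULL. */
void record_free(struct record *r)
{
    if (r == NULL)
        return;
    free(r->name);
    free(r);
}

int record_has_flag(const struct record *r, int bit)
{
    return (r->flags & bit) != 0;
}

int main(void)
{
    struct record *r = record_new("alice", 7);
    int ok = (r != NULL && !record_has_flag(r, 1));
    record_free(r);
    return ok ? 0 : 1;
}
```

Validating the arguments first is what makes the cleanup simple: once the only failure that can happen after an allocation is another allocation, a single label with a single free() covers every path.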
Complete checker references for C and C++, Java and C# are in the Klocwork documentation.
Conclusions
Klocwork integrates into desktop IDEs. Mirroring how code is developed, it finds defects and vulnerabilities on the fly, as code is being written, so they can be fixed before the code is committed.
Klocwork is a versatile static code checking tool for complex projects developed in C/C++, C# and Java.
Checkers, issue statuses and severities can be customised.
Tracking issues across project baselines is straightforward because of the wide range of issue statuses.
Klocwork can be an IDE plugin or an IDE itself, and provides easy ways to find and solve issues.
Questions?