Published September 1, 2015 | Version v1
Report Open

Source Code Review Using Static Analysis Tools

  • 1. CERN openlab Summer Student
  • 2. Summer Student Supervisor

Description

Abstract

Many teams at CERN develop their own software to solve their tasks. This software may be public or it may be used for internal purposes. It is of major importance for developers to know that their software is secure. Humans are able to detect bugs and vulnerabilities, but it is impossible to discover everything when they need to read hundreds of lines of code. As a result, computer scientists have developed tools which complete efficiently, within minutes, the task of analysing source code and finding critical bugs and vulnerabilities. These tools are called static analysis tools; they are able to find and analyse such defects and suggest solutions to the programmer in the early stages of development.

The goal of this project is to evaluate and compare as many static analysis tools as possible (both freeware and commercial) according to metrics decided by the CERN Security Team. The final result should be not only a selection of tools per language that software developers should utilise, but also an automated way to use them and get useful reports that will help developers write better software.

Files (1.1 MB)

SummerStudentReport-StavrosMoiras.pdf (1.1 MB, md5:7d7c9ae66dd88a9b9b561055b4fa773d)