Static Analysis Content on InfoQ
-
GitHub Announces Code Scanning and Security Advisory Support for Swift
GitHub has launched code scanning support for Swift in beta and announced it will include Swift security advisories in its Advisory Database to extend the capabilities of its Dependabot vulnerability monitor.
-
JetBrains Adds Taint Analysis for PHP to Qodana Code Quality Platform
Qodana, JetBrains' code quality platform, now provides support for PHP taint analysis in early preview. The feature aims to allow developers to detect taints in their programs, i.e., spots where untrusted input reaches code that is vulnerable to malicious inputs.
-
Software Security Report Finds JavaScript Applications Have Fewer Flaws Than Java and .NET
Veracode's State of Software Security report for 2023 found that there is a 27% chance within a given month that security flaws will be introduced into an application. The report also found that JavaScript applications on average have fewer flaws and faster flaw resolution than Java and .NET applications.
-
Heuristic Static Analysis Tool GuardDog Used to Detect Several Malicious PyPI Packages
GuardDog is a new open source tool aimed at identifying malicious Python packages using Semgrep and package metadata analysis. Thanks to a set of source code heuristics, GuardDog can detect malicious packages never seen before and has been used to identify several malicious PyPI packages in the wild.
-
Infer New Deadlock Detector for Android Aims to Be Efficient for Large Codebases
In joint research, University College London and Facebook researchers created a new deadlock detector for Android Java code, now available as part of the open-source Infer static analysis tool. The new analyzer is able to process large codebases efficiently thanks to its incremental approach, specifically designed for integration in a CI pipeline.
-
Static Analyzer Rudra Found over 200 Memory Safety Issues in Rust Crates
Developed at the Georgia Institute of Technology, Rudra is a static analyzer able to report potential memory safety bugs in Rust programs. Rudra has been used to scan the entire Rust package registry and identified 264 new memory safety bugs.
-
JetBrains Debuts New Kotlin Compiler K2, Kotlin for WebAssembly, and More
At its recent Kotlin 2021 Premier event, JetBrains made a number of major announcements, including K2, the new, faster Kotlin compiler, support for WebAssembly, the Kotlin Symbol Processor, a new code coverage plugin, and improved static analysis.
-
Facebook Mariana Trench Helps Developers to Find Vulnerabilities in Android and Java Apps
Recently open-sourced by Facebook, Mariana Trench (MT) aims to help developers identify and prevent security and privacy bugs in Android and Java applications.
-
Infer# Brings Facebook's Infer Static Analyzer to C# and .NET
With Infer#, Microsoft extends the choice of static analyzers available within the .NET ecosystem by bringing Facebook Infer's inter-procedural static analysis capabilities to C# and .NET.
-
GitHub Code Scanning Is out of Beta
One year ago, GitHub announced the acquisition of Semmle, maker of a semantic code analysis engine powered by the Semmle QL query language. After a few months in beta, GitHub is now announcing the availability of its new CodeQL-based code scanning capability for all public and private repos.
-
Uber Open-Sources Tool to Automatically Clean Up Stale Code
Uber has open-sourced Piranha, their tool for automated clean-up of stale code caused by feature flags that are no longer required. Piranha can be run within a pipeline to continually look for stale code to be cleaned up. Currently Piranha supports Java, Swift, and Objective-C.
-
Microsoft Releases Application Inspector, a Tool for Examining Code Security
In a recent blog post, Microsoft announced an open source tool that developers can use to detect security vulnerabilities in their software solutions. The tool is called Microsoft Application Inspector and is available on GitHub. As organizations try to reduce their time to market, oversights may occur. Application Inspector can be used to identify malicious code used in third-party libraries.
-
C# Static Analysis Tool Roslynator.Analyzers Now Has over 500 Ways to Improve Code
The new version 2.3.1 of the Roslynator.Analyzers package brings the number of analyzers, refactorings and fixes to over 500. Roslynator uses the open-source Roslyn .NET Compiler Platform to perform static analysis on your C# code. This analysis drives your IDE to display hints and actions to improve your code.
-
A Proposal for IDisposable and Static Analysis: DisposeUnused Attribute
When .NET was first created, there was uncertainty about how IDisposable should be used. As a result, IDisposable was applied in an overly aggressive fashion with many categories of classes requiring empty Dispose methods. This has led to problems with static analysis tools that cannot separate real cases of missing Dispose calls from false positives.
-
The Pure Attribute in .NET Core
The Pure attribute was added to .NET in version 4 as part of the Code Contracts initiative to help developers distinguish code that is free from side effects from other code. While the Code Contracts project is over, the Pure attribute continues to see life in .NET Core.