CERN Accelerating science

Source Code Review Using Static Analysis Tools

Date published: 
Tuesday, 1 September, 2015
Document type: 
Summer student report
S. Moiras
Abstract Many teams at CERN, develop their own software to solve their tasks. This software may be public or it may be used for internal purposes. It is of major importance for developers to know that their software is secure. Humans are able to detect bugs and vulnerabilities but it is impossible to discover everything when they need to read hundreds’ lines of code. As a result, computer scientists have developed tools which complete efficiently and within minutes the task of analysing source code and finding critical bugs and vulnerabilities. These tools are called static analysis and they are able to find, analyse and suggest solutions to the programmer in the early stages of development. The goal of this project is to evaluate and compare as many static analysis tools as possible (both freeware and commercial) according to metrics decided by CERN Security Team. The final result should not only be a selection of tools per language that software developers should utilise but also an automated way to use them and get useful reports that will help developers write better software.