[Experiment] To what extent can static code analysis tools detect bugs and vulnerabilities? ~ SonarQube

**How well can static code analysis tools detect bugs and vulnerabilities?**

Last time, I analyzed a web application full of bugs with FindBugs; this time, I analyzed the same application with **SonarQube**.

[Image: mainsq.png]

Verification content

The bug-ridden web application (EasyBuggy 1.3.3) currently contains the following 80 types of bugs and vulnerabilities.

**Failure**

- Deadlock (Java)
- Deadlock (SQL)
- Waiting for a process that never completes

**Vulnerability**

- XSS (Cross-site scripting)
- SQL injection
- LDAP injection
- Code injection
- OS command injection
- Email header injection
- Null byte injection
- File upload with no size limit
- File upload with no extension restriction
- Login screen vulnerable to open redirect
- Login screen vulnerable to brute force
- Login screen vulnerable to session fixation
- Overly helpful authentication error message
- Dangerous file include
- Path traversal
- Unintended file disclosure
- CSRF (Cross-site request forgery)
- Clickjacking
- XEE (XML entity expansion)
- XXE (XML external entity)
- Delay due to regular expression parsing
- Delay due to string concatenation with the plus operator
- Delay due to unnecessary object creation

**Error**

**Exception**

How many problems can SonarQube 6.3 detect?

Result

The result is as follows (the same source code was also verified with FindBugs, so that result is shown alongside the SonarQube result).

| Bug | SonarQube, FindBugs (maximum analysis effort); × = not detected |
|---|---|
| Deadlock (Java) | × × |
| Deadlock (SQL) | × × |
| Waiting for a process that never completes | × × |
| Infinite loop | × |
| Memory leak (Java heap) | × × |
| Memory leak (permanent generation) | × × |
| Memory leak (C heap) | × × |
| Network socket leak | × × |
| Database connection leak | |
| File descriptor leak | |
| Thread leak | × × |
| Garbled characters | × × |
| Integer overflow | × × |
| Rounding error | × × |
| Truncation error | × × |
| Information loss | × × |
| XSS (Cross-site scripting) | × × |
| SQL injection | |
| LDAP injection | × × |
| Code injection | × × |
| OS command injection | × × |
| Email header injection | × × |
| Null byte injection | × × |
| File upload with no size limit | × × |
| File upload with no extension restriction | × × |
| Login screen vulnerable to open redirect | × × |
| Login screen vulnerable to brute force | × × |
| Login screen vulnerable to session fixation | × × |
| Overly helpful authentication error message | × × |
| Dangerous file include | × × |
| Path traversal | × × |
| Unintended file disclosure | × × |
| CSRF (Cross-site request forgery) | × × |
| Clickjacking | × × |
| XEE (XML entity expansion) | × × |
| XXE (XML external entity) | × × |
| Delay due to regular expression parsing | × × |
| Delay due to string concatenation with the plus operator | |
| Delay due to unnecessary object creation | × × |
| AssertionError | × × |
| ExceptionInInitializerError / NoClassDefFoundError | × × |
| FactoryConfigurationError | × × |
| GenericSignatureFormatError | × × |
| NoClassDefFoundError | × × |
| OutOfMemoryError (Java heap space) | × × |
| OutOfMemoryError (Requested array size exceeds VM limit) | × × |
| OutOfMemoryError (unable to create new native thread) | × × |
| OutOfMemoryError (GC overhead limit exceeded) | × × |
| OutOfMemoryError (PermGen space) | × × |
| OutOfMemoryError (Direct buffer memory) | × × |
| StackOverflowError | × × |
| TransformerFactoryConfigurationError | × × |
| UnsatisfiedLinkError | × × |
| ArithmeticException | × |
| ArrayIndexOutOfBoundsException | × × |
| ArrayStoreException | × × |
| BufferOverflowException | × × |
| BufferUnderflowException | × × |
| CannotRedoException | × × |
| CannotUndoException | × × |
| ClassCastException | × × |
| ConcurrentModificationException | × × |
| EmptyStackException | × × |
| IllegalArgumentException | × × |
| IllegalMonitorStateException | × × |
| IllegalPathStateException | × × |
| IllegalStateException | × × |
| IllegalThreadStateException | × × |
| ImagingOpException | × × |
| IndexOutOfBoundsException | × × |
| InputMismatchException | × × |
| MalformedParameterizedTypeException | × × |
| MissingResourceException | × × |
| NegativeArraySizeException | × × |
| NoSuchElementException | × × |
| NullPointerException | × |
| NumberFormatException | × × |
| SecurityException | × × |
| UnsupportedCharsetException | × × |
| UnsupportedOperationException | × × |

In the end, only 6 of the 80 types were detected. As you can see, there are some differences, but the detection capability is about the same as FindBugs. Even so, a static analysis tool is certainly very useful, because it catches simple mistakes and bad coding patterns. For reference, SonarQube reported 176 issues on roughly 4,700 lines of code.

[Image: sq.png]

Other things I noticed

One thing that bothered me a little when using SonarQube was the large number of false positives.

For example, the following code is flagged as containing an unused method, but the method is actually used, and removing it causes a compilation error.

[Image: mis3.png]

The following code is flagged as SQL injection, but it is fine because nothing other than `asc` or `desc` is ever appended to the SQL statement.

[Image: mis2.png]

The following code is flagged as a possible NPE, but since the null check is done inside `org.apache.commons.lang.StringUtils.isBlank(String)`, the variable `fileName` cannot be null and no NPE can occur (the message says "might be thrown", so perhaps that is acceptable ...).

[Image: mis1.png]
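As an added illustration (not code from the original post or from EasyBuggy), the following is a hypothetical reconstruction of the two flagged patterns above, each beside a rewrite that makes the safety property visible to the analyzer instead of relying on knowledge the tool does not have; it assumes commons-lang 2 on the classpath, and the method, column and table names are invented.

```java
import java.util.Locale;
import org.apache.commons.lang.StringUtils;

public class AnalyzerFriendly {
    // Pattern 1 (hypothetical reconstruction): the direction is reduced to one of two
    // constants before it reaches the SQL string, so the concatenation is safe, but a
    // taint-tracking rule still sees "request parameter -> SQL text" and reports injection.
    static String orderByConcat(String direction) {
        String dir = "desc".equalsIgnoreCase(direction) ? "desc" : "asc";
        return "SELECT id, name FROM users ORDER BY name " + dir;
    }

    // Rewrite: each SQL statement is a compile-time constant chosen via an enum, so no
    // string derived from the input ever becomes part of the query text.
    enum SortDirection {
        ASC("SELECT id, name FROM users ORDER BY name ASC"),
        DESC("SELECT id, name FROM users ORDER BY name DESC");
        final String sql;
        SortDirection(String sql) { this.sql = sql; }
        static SortDirection from(String raw) { return "desc".equalsIgnoreCase(raw) ? DESC : ASC; }
    }
    static String orderByEnum(String direction) {
        return SortDirection.from(direction).sql;
    }

    // Pattern 2: StringUtils.isBlank(null) returns true, so fileName is non-null after the
    // guard, but the analyzer does not model that library contract and warns of an NPE.
    static String extensionViaIsBlank(String fileName) {
        if (StringUtils.isBlank(fileName)) {
            return "";
        }
        int dot = fileName.lastIndexOf('.');
        return dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // Rewrite: the null test is visible inside the method itself, so the dereference is
    // provably safe without any knowledge of commons-lang.
    static String extensionExplicit(String fileName) {
        if (fileName == null || fileName.trim().isEmpty()) {
            return "";
        }
        int dot = fileName.lastIndexOf('.');
        return dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
    public static void main(String[] args) {
        System.out.println(orderByEnum("sideways"));         // unknown input falls back to ASC
        System.out.println(extensionExplicit("report.PDF")); // pdf
    }
}
```

The point is not that the original code is unsafe, but that a validation step the analyzer cannot see (a library contract, or a value reduced to constants earlier in the flow) will keep producing the same warning on every scan; restructuring so the invariant is local to the flagged line removes the noise without weakening the check.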

Remarks

Using SonarQube is easy; for the setup and usage steps, please refer to [this blog post](https://t246osslab.wordpress.com/2016/11/20/sonnarqube%e3%81%a7%e3%82%bd%e3%83%bc%e3%82%b9%e3%82%b3%e3%83%bc%e3%83%89%e3%81%ae%e5%93%81%e8%b3%aa%e3%82%92%e8%a7%a3%e6%9e%90%e3%81%99%e3%82%8b/).
