Comparative Analysis of Open-Source Tools for Conducting Static Code Analysis
The increasing complexity of web applications and systems, driven by ongoing digitalization, has made software security testing a necessary and critical activity in the software development lifecycle. This article compares the performance of open-source tools for conducting static code analysis for...
Main authors: | Kuszczyński, Kajetan; Walkowski, Michał |
---|---|
Format: | Online Article Text |
Language: | English |
Published: | MDPI, 2023 |
Subjects: | Article |
Online access: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10535982/ https://www.ncbi.nlm.nih.gov/pubmed/37766033 http://dx.doi.org/10.3390/s23187978 |
author | Kuszczyński, Kajetan; Walkowski, Michał |
---|---|
collection | PubMed |
description | The increasing complexity of web applications and systems, driven by ongoing digitalization, has made software security testing a necessary and critical activity in the software development lifecycle. This article compares the performance of open-source tools for conducting static code analysis for security purposes. Eleven different tools were evaluated in this study, scanning 16 vulnerable web applications. The selected vulnerable web applications were chosen for having the best possible documentation regarding their security vulnerabilities for obtaining reliable results. In reality, the static code analysis tools used in this paper can also be applied to other types of applications, such as embedded systems. Based on the results obtained and the conducted analysis, recommendations for the use of these types of solutions were proposed, to achieve the best possible results. The analysis of the tested tools revealed that there is no perfect tool. For example, Semgrep performed better considering applications developed using JavaScript technology but had worse results regarding applications developed using PHP technology. |
format | Online Article Text |
id | pubmed-10535982 |
institution | National Center for Biotechnology Information |
language | English |
journal | Sensors (Basel), published 2023-09-19 |
publishDate | 2023 |
publisher | MDPI |
record_format | MEDLINE/PubMed |
license | © 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/). |
title | Comparative Analysis of Open-Source Tools for Conducting Static Code Analysis |
topic | Article |
url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10535982/ https://www.ncbi.nlm.nih.gov/pubmed/37766033 http://dx.doi.org/10.3390/s23187978 |