free C++ projects for a source code analyzer
Started by david.dda, Sep 25 2009 04:44 AM
11 replies to this topic
#1
Posted 25 September 2009 - 04:44 AM
Hi, I am trying to find the best source code analyzer for C++ code. Basically, I am trying to analyze the security issues (buffer overflow, SQL injection etc.) of an application. Therefore, I downloaded some source code analyzer testing tools. But I don't know which one is the best one. Therefore, before I start to analyze my project, I want to test the ability of finding the security issues on a random open source C++ project (especially programs with some network communication). I would like to ask you if you know some webpage where I can download some open source C++ projects with an attached list of some known security bugs. I would import this open source project into my Eclipse or Microsoft Visual Studio and test the code with several code analyzers; afterwards I will try to understand all the warnings and errors found by the source code analyzers and compare them with those known by the author, in order to be able to find the best source code analyzing tool. Thank you a lot for your help. David
#2
Posted 25 September 2009 - 05:01 AM
Different source code analyzers do different things, and have different strengths/weaknesses.
List of tools for static code analysis - Wikipedia, the free encyclopedia
Additionally, your vulnerabilities will depend on what your code does and how. SQL Injection is not an issue if you don't use SQL in your project, or you have a library that is designed to protect against it, for example.
Buffer overflow is not likely to be an issue if you aren't using pointers, arrays, etc. Have you run your compiler with all warnings turned on?
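As an added example (not code from this thread or any project mentioned in it) of the kind of "known bug" test case the poster could score analyzers against: the same fixed-size buffer copy in its unbounded form and in a bounded form, so a tool can be checked for flagging the first and staying quiet on the second. The function names, buffer size and sample inputs are constructed for the example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed benchmark case: a classic fixed-size stack buffer copy.
// Size is deliberately small so the overflowing input is easy to write.
constexpr std::size_t kNameLen = 16;

// Unsafe pattern (the "known bug" an analyzer should report): the number of
// bytes written is decided by the input, not by the destination size.
// Overflows buf when strlen(name) >= kNameLen. Kept here only as an analysis
// target; the test below feeds it input that fits.
std::string greet_unsafe(const char *name) {
    char buf[kNameLen];
    std::strcpy(buf, name);            // no bound check on name
    return std::string("Hi, ") + buf;
}

// Hardened form: the copy is limited by the destination size, the buffer is
// always NUL-terminated, and oversized input is rejected rather than silently
// truncated. Returns false when the name does not fit.
bool greet_safe(const char *name, std::string &greeting) {
    char buf[kNameLen];
    // Bounded length scan (portable stand-in for strnlen).
    std::size_t len = 0;
    while (len < kNameLen && name[len] != '\0') {
        ++len;
    }
    if (len >= kNameLen) {
        return false;                  // no room for the terminator
    }
    std::memcpy(buf, name, len);
    buf[len] = '\0';
    greeting = std::string("Hi, ") + buf;
    return true;
}

int main() {
    std::string g;
    bool ok = greet_safe("David", g);   // ok == true, g == "Hi, David"
    bool rejected = !greet_safe("this-name-is-far-too-long", g);
    return (ok && rejected) ? 0 : 1;
}
```

Build it with warnings and sanitizers enabled (for example `g++ -Wall -Wextra -fsanitize=address`) and compare which tools in your list report the unbounded `strcpy` and which do not.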
#3
Posted 25 September 2009 - 05:13 AM
Hi, thank you for your reply. I am a student and I am working on a small part of a project. My department creates a C++ project, and my part of it is just the comparison of some source code analysis tools. So I don't have to understand the code of this project; I just have to compare which testing tool can find which bugs or warnings and understand whether those warnings are important or not. So for now, I should first find some open source C++ project and test it with those analyzers. There should also be a list of known bugs, so that I can compare whether the selected testing tools have found some of them.
#4
Posted 25 September 2009 - 07:43 AM
sourceforge.net will have a LOT of C++ projects you can test.
#5
Posted 25 September 2009 - 09:45 AM
I already used this website sourceforge.net before. I tried to download some C++ projects, but wasn't able to import the files into Microsoft Visual or Eclipse. Could you please have a look, for example, at this one:
qfastfileshare.sourceforge.net/
Which files do I have to download in order to be able to open the project in MV or Eclipse? Thank you
#6
Posted 25 September 2009 - 11:33 AM
Many of them are probably designed to be compiled using Make and GCC. Since I don't use Visual Studio or Eclipse, I can't help you there.
#7
Posted 02 October 2009 - 08:45 AM
Do you know how I can find out whether the project can be compiled with MV2008 or with Make and GCC, as you mentioned?
#8
Posted 02 October 2009 - 09:17 AM
Usually, you will need to download the project and look at the documentation that is included with it. Readme files, developer conversations, etc are all relevant. I would guess that a larger percentage of projects can be compiled with GCC, especially if they are cross-platform.
#9
Posted 03 October 2009 - 01:45 AM
OK, thank you. What do you mean by GCC? Is it a MV2008 compiler?
#10
Posted 03 October 2009 - 05:41 AM
GCC is completely different from MV2008. Since you're on Windows, you'll want the Windows port: MinGW
You will also want to download and install MSYS (from the same site) so you have configure and make available.
There are a lot of different C++ compilers, made by various groups. GCC is probably the best known free compiler (with all the FOSS meanings behind it).
#11
Posted 04 October 2009 - 04:49 AM
OK, so there is no chance to use GCC in MV2008? So, basically, with MV2008 I can import and build only projects that have been created with MV2008 or Visual C++? That means if I used, for example, Borland C++ to create a project, it can't be imported into MV2008, because Borland uses different compilers or different notations for C++ code?
#12
Posted 04 October 2009 - 03:48 PM
Borland C++ uses custom libraries that other compilers don't have access to. Many projects that can be compiled with GCC can also be compiled with VS2008.

