Comparative Analysis of Open-Source Tools for Conducting Static Code Analysis-Reference-Cited by-同舟云学术

Comparative Analysis of Open-Source Tools for Conducting Static Code Analysis

Published:2023-09-19 Issue:18 Volume:23 Page:7978
ISSN:1424-8220
Container-title:Sensors
language:en
Short-container-title:Sensors

Author:

Kuszczyński Kajetan¹,Walkowski Michał¹^ORCID

Affiliation:

1. Department of Telecommunications and Teleinformatics, Wroclaw University of Science and Technology, 50-370 Wroclaw, Poland

Abstract

The increasing complexity of web applications and systems, driven by ongoing digitalization, has made software security testing a necessary and critical activity in the software development lifecycle. This article compares the performance of open-source tools for conducting static code analysis for security purposes. Eleven different tools were evaluated in this study, scanning 16 vulnerable web applications. The selected vulnerable web applications were chosen for having the best possible documentation regarding their security vulnerabilities for obtaining reliable results. In reality, the static code analysis tools used in this paper can also be applied to other types of applications, such as embedded systems. Based on the results obtained and the conducted analysis, recommendations for the use of these types of solutions were proposed, to achieve the best possible results. The analysis of the tested tools revealed that there is no perfect tool. For example, Semgrep performed better considering applications developed using JavaScript technology but had worse results regarding applications developed using PHP technology.

Funder

Wrocław University of Science and Technology

Publisher

MDPI AG

Subject

Electrical and Electronic Engineering,Biochemistry,Instrumentation,Atomic and Molecular Physics, and Optics,Analytical Chemistry

Link

https://www.mdpi.com/1424-8220/23/18/7978/pdf

Reference58 articles.

1. mObywatel (2023, August 12). Government Technology Website, Available online: https://info.mobywatel.gov.pl.

2. Pacjent (2023, August 12). Government Technology Website, Available online: https://pacjent.gov.pl/internetowe-konto-pacjenta/erecepta.

3. E-PIT (2023, August 12). Government Technology Website, Available online: https://www.podatki.gov.pl/pit/twoj-e-pit.

4. Mobile crowdsensing in software defined opportunistic networks;Li;IEEE Commun. Mag.,2017

5. (2023, August 12). Sast vs. Dast: What They Are and When to Use Them. CircleCI. Available online: https://circleci.com/blog/sast-vs-dast-when-to-use-them/.