Abstract
Many security vulnerabilities can be detected by static analysis. This paper is a case study and a performance comparison of four open-source static analysis tools and plugins (PMD, SpotBugs, Find Security Bugs, and SonarQube) on Java source code. Experiments were conducted on the widely used Juliet Test Suite with respect to six selected weaknesses from the official Common Weakness Enumeration (CWE) Top 25 list. Analysis metrics were calculated to help Java developers decide which tools to use when checking their programs for security vulnerabilities. It turned out that particular weaknesses are best detected with particular tools.
Funder
European Union, European Social Fund
Subject
Computer Science Applications, General Materials Science, Modeling and Simulation, Civil and Structural Engineering, Software
Cited by
5 articles.
1. An Extensive Comparison of Static Application Security Testing Tools;Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering;2024-06-18
2. Comprehensive Evaluation of Static Analysis Tools for Their Performance in Finding Vulnerabilities in Java Code;IEEE Access;2024
3. Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java;Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering;2023-11-30
4. Mobile Health Application Security Assessment Based on OWASP Top 10 Mobile Vulnerabilities;2022 International Conference on Information Technology Systems and Innovation (ICITSI);2022-11-08
5. An empirical study on the effectiveness of static C code analyzers for vulnerability detection;Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis;2022-07-18