Evaluating the ability of static code analysis tools to detect injection vulnerabilities
Umeå University, Faculty of Science and Technology, Department of Computing Science.
2016 (English). Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits. Student thesis.
Abstract [en]

Identifying and eliminating security vulnerabilities in programs can be very time consuming. One way to automate and speed up the process is to integrate static code analysis tools into the development process. Choosing a static code analysis tool for a project is not an easy task, since different tools have their own strengths and performance characteristics. One way of testing how well a tool finds flaws is to run it against a test suite constructed specifically for testing static code analysis tools. In this paper the tools Visual Code Grepper, FindBugs and SonarQube are tested for their ability to detect SQL, OS command and LDAP injection vulnerabilities in the Juliet test suite v1.2 for Java, and the performance of the tools is evaluated. Since the tools use different techniques for finding errors and vulnerabilities, the results differ between tools; their strengths and weaknesses are presented in tables and graphs. In general, the FindBugs tool appears to be the most suitable for detecting potential injections; however, further studies including more test cases should be conducted to cover more of what the tools are capable of detecting. To cover most of the vulnerabilities in a program, it would be ideal to use as many tools as possible in order to locate the maximum number of flaws.

Place, publisher, year, edition, pages
2016, 17 p.
UMNAD, 1065
National Category
Engineering and Technology
URN: urn:nbn:se:umu:diva-128302
OAI: diva2:1051148
Educational program
Bachelor of Science Programme in Computing Science
Available from: 2016-12-01. Created: 2016-12-01. Last updated: 2016-12-01. Bibliographically approved.

Open Access in DiVA

Full text: FULLTEXT01.pdf (application/pdf, 380 kB)
