Presentation is loading. Please wait.

Presentation is loading. Please wait.

Static code check – Klocwork

Published byMarlene Golden Modified over 9 years ago

Similar presentations

Presentation on theme: "Static code check – Klocwork"— Presentation transcript:

1 Static code check – Klocwork
Denisa Ivan

2 Contents: Overview Usage Cases Conclusions

3 Overview

4 Klocwork is a static code analysis tool that manages baselines and issues over a database. Klocwork analyses the code after capture of compilation Designed for C/C++, C# and Java code

5 Command-line tool Integrated in a IDE Standalone IDE

6 Used by both integrators and developers
Can be integrated into a IDE (e.g. Eclipse, Visual Studio, IntelliJ IDEA) Down-side: The code is read-only in the IDE viewer Users of text editors or unsupported IDEs have the option of Klocwork Desktop or command-line tools. Used by both integrators and developers Built-in checkers (200+) can be enabled/disabled at every static code check session.

7 Usage

8 Capture build settings : ./kwshell Run analysis: kwcheck run
Set up local project kwcheck create --url ( only the first time) Capture build settings : ./kwshell Run analysis: kwcheck run Display issues: kwcheck list -F detailed Automated build monitoring with kwshell kwshell -pn /space/testing/jlee/myproject/.kwlp make Unsupported compilers need additional steps

9 Ignore issues: Statuses:
kwcheck set-status status fix -c "top priority“ // issues number 22, 7, will be ignored Statuses: kwcheck list-statuses

10 Issue Statuses

11 Issue severity An issue severity is made up of a level from 1 through 10, plus a label such as Warning. Severities are displayed for detected issues in Klocwork Review and on the desktop. Each checker has a default severity. The available severity levels and their default labels are as follows: 1 - Critical 2 - Error 3 - Warning 4 - Review 5 - Severity Severity 10

12 Issue severity Checkers are assigned severities 1 through 4.
Custom checkers are assigned severity 4 by default. You can edit: the severity level for individual checkers the labels for each severity level

13 Examples of detected weaknesses
Buffer overflows Un-validated user input Injection Cross-site scripting Information leakage Infinite loops Memory and resource leaks Full description here

14 Built-in checkers for secure coding standards
CWE CWE/SANS Top 25 CERT OWASP DISA STIG (Defense Information Systems Agency - Security Technical Implementation Guide) MISRA (Motor Industry Software Reliability Association)

15 Preferences checkers for C/C++ language

16 Cases

17 Following are several C/C++ errors reported by Klocwork desktop

18 Buffer Overflow The “More information” link redirect to a complete help manual which helps understanding the origin and the solution for the problems

19 Infinite loop

20

21 NULL pointer dereferences
void setValue(int* p){ *p = 32;}

22 Resource leaks

23 Memory leaks / Usage of uninitialized data

24

25 Complete C and C++ checker reference: here
Complete Java checker reference: here Complete C# checker reference: here

26 Conclusions Unlike other static code analysis tools, Klocwork integrates into desktop IDEs Mirroring how code is developed, Klocwork prevents defects and finds vulnerabilities on-the-fly, as code is being written. Klocwork is a versatile tool for static code checking complex projects developed in C/C++/C# and Java

27 Customizing checkers, issue statuses and severities is possible
Issues monitoring along the project baselines is made easy because of the wide category of issue statuses. Klocwork can be a plugin for the IDE or a IDE itself and provide easy ways to find and solve issues

28 Questions?

Download ppt "Static code check – Klocwork"

Similar presentations

IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.

IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.
Control System Studio (CSS)

Control System Studio (CSS)
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
CWE-732 Incorrect Permission Assignment for Critical Resource

CWE-732 Incorrect Permission Assignment for Critical Resource
Automation Testing Presentation Phil Hunter Phil Hunter - Automation Presentation 1.

Automation Testing Presentation Phil Hunter Phil Hunter - Automation Presentation 1.
© by Pearson Education, Inc. All Rights Reserved.

© by Pearson Education, Inc. All Rights Reserved.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Loupe /loop/ noun a magnifying glass used by jewelers to reveal flaws in gems. a logging and error management tool used by.NET teams to reveal flaws in.

Loupe /loop/ noun a magnifying glass used by jewelers to reveal flaws in gems. a logging and error management tool used by.NET teams to reveal flaws in.
Slide 1 of 9 Presenting 24x7 Scheduler The art of computer automation Press PageDown key or click to advance.

Slide 1 of 9 Presenting 24x7 Scheduler The art of computer automation Press PageDown key or click to advance.
Expediting Programmer AWAREness of Anomalous Code Sarah E. Smith Laurie Williams Jun Xu November 11, 2005.

Expediting Programmer AWAREness of Anomalous Code Sarah E. Smith Laurie Williams Jun Xu November 11, 2005.
PART A Emac Lisp   Emac Lisp is a programming language  Emacs Lisp is a dialect.

PART A Emac Lisp   Emac Lisp is a programming language  Emacs Lisp is a dialect.
TEST CASE DESIGN Prepared by: Fatih Kızkun. OUTLINE Introduction –Importance of Test –Essential Test Case Development A Variety of Test Methods –Risk.

TEST CASE DESIGN Prepared by: Fatih Kızkun. OUTLINE Introduction –Importance of Test –Essential Test Case Development A Variety of Test Methods –Risk.
Using Ant to build J2EE Applications Kumar

Using Ant to build J2EE Applications Kumar
Getting Started With Java Downloading and installing software Running your first program Dr. DwyerFall 2012.

Getting Started With Java Downloading and installing software Running your first program Dr. DwyerFall 2012.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.

©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Introduction COMP104: Fundamentals and Methodology.

Introduction COMP104: Fundamentals and Methodology.
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Similar presentations

Ads by Google