1.9 KiB
1.9 KiB
Source Code Analysis
Source code analysis is the process of examining and reviewing the code of a software program to identify errors, vulnerabilities, and potential improvements. This can be performed manually by developers or through automated tools that scan the code for issues like security risks, coding standard violations, and performance inefficiencies.
Semgrep
Install:
- Ubuntu/WSL/Linux/macOS:
python3 -m pip install semgrep - macOS:
brew install semgrep - Docker:
docker run -it -v "${PWD}:/src" semgrep/semgrep semgrep login docker run -e SEMGREP_APP_TOKEN=<TOKEN> --rm -v "${PWD}:/src" semgrep/semgrep semgrep ci
Semgrep rules:
- semgrep/semgrep-rules - Official Semgrep rules registry
- trailofbits/semgrep-rules - Semgrep queries developed by Trail of Bits
- Decurity/semgrep-smart-contracts) - Semgrep rules for smart contracts based on DeFi exploits
- 0xdea/semgrep-rules - A collection of Semgrep rules to facilitate vulnerability research.
SonarQube
Install
- Docker:
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
Configuration
-
Go to localhost:9000
-
Login with
admin:admin -
Create a local project
-
Generate a token for the project
-
Use
sonar-scanner-cliwith the generated tokendocker run --rm -e SONAR_HOST_URL="http://10.10.10.10:9000" -v "/tmp/www:/usr/src" sonarsource/sonar-scanner-cli -Dsonar.projectKey=DDI -Dsonar.sources=. -Dsonar.host.url=http://10.10.10.10:9000 -Dsonar.token=sqp_redacted
⚠️ remove dead symbolic links before scanning a folder.