Static Code Analysis
Christoforus Surjoputro
Engineering Manager - Alterra
Outline
- Definition
- Techniques
- Tools
- Linter
- SonarQube
Definition
Static code analysis is the analysis of computer software that is performed without actually executing programs.
It is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL).
https://en.wikipedia.org/wiki/Static_program_analysis
https://owasp.org/www-community/controls/Static_Code_Analysis
Techniques - Data Flow Analysis
Data flow analysis is used to collect run-time (dynamic) information about data in software while it is in a static state.
https://owasp.org/www-community/controls/Static_Code_Analysis
https://en.wikipedia.org/wiki/Common_subexpression_elimination
https://en.wikipedia.org/wiki/Live_variable_analysis
Techniques - Taint Analysis
Taint analysis is a feature in some computer programming languages, such as Perl and Ruby (or in static analysis tools), designed to increase security by preventing malicious users from executing commands on a host computer.
https://en.wikipedia.org/wiki/Taint_checking
https://www.cs.cmu.edu/~ckaestne/15313/2018/20181023-taint-analysis.pdf
Techniques - Others
- Abstract interpretation
- Hoare logic
- Model checking
- Symbolic execution
- etc.
https://en.wikipedia.org/wiki/Static_program_analysis
Tools
https://eslint.org/
https://www.sonarqube.org/
https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer
Linter
A linter is a static code analysis tool used to flag programming errors, bugs, stylistic errors and suspicious constructs.
https://en.wikipedia.org/wiki/Lint_(software)
Linter - vscode - no extension
Without the Go extension, VS Code raises no concern about this code, although some of the code can never be reached or executed.
https://github.com/3mp3ri0r/cgomath
Linter - vscode - installation
Install the Go extension in VS Code via the marketplace.
https://code.visualstudio.com/docs/languages/go
Linter - vscode - with extension
With the Go extension, VS Code reports the concerns in this code, unlike before.
https://github.com/3mp3ri0r/cgomath
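The two techniques from the Techniques slides (data flow analysis and taint analysis) and the unreachable-code finding the linter slides describe share one engine: a forward data-flow fixpoint over the program's control flow. The program below is an added example, not code from the deck or from cgomath; it runs such an analysis over a constructed mini-IR (the `Instr` type, the `Sample` handler model and the source/sanitizer/sink roles are all assumptions of this example) and reports both tainted values reaching a sink and instructions the fixpoint never reaches.

```go
package main

import (
	"fmt"
	"sort"
)

// Op is an instruction kind in a tiny IR constructed for this example.
type Op int

const (
	OpSource   Op = iota // Dst = untrusted input (HTTP parameter, argv, ...)
	OpConst              // Dst = literal
	OpCompute            // Dst = f(Args...): taint flows from any tainted arg
	OpSanitize           // Dst = sanitize(Args[0]): taint is removed
	OpSink               // sink(Args...): exec.Command, db.Query, ...
	OpBranch             // if cond { goto Target } else fall through
	OpJump               // goto Target
	OpReturn
)

// Instr is one instruction; Target is used only by OpBranch and OpJump.
type Instr struct {
	Op     Op
	Dst    string
	Args   []string
	Target int
}

// Finding is what a linter would print. Kind is "taint" or "dead".
type Finding struct {
	Line int
	Kind string
	Msg  string
}

type taintSet map[string]bool

// merge unions src into *dst and reports whether *dst grew. A nil *dst means
// the instruction has not been reached yet, so the first merge always grows.
func merge(dst *taintSet, src taintSet) bool {
	changed := false
	if *dst == nil {
		*dst = taintSet{}
		changed = true
	}
	for v := range src {
		if !(*dst)[v] {
			(*dst)[v] = true
			changed = true
		}
	}
	return changed
}

// transfer computes the taint facts after one instruction from those before it.
func transfer(ins Instr, in taintSet) taintSet {
	out := taintSet{}
	for v := range in {
		out[v] = true
	}
	switch ins.Op {
	case OpSource:
		out[ins.Dst] = true
	case OpConst, OpSanitize:
		delete(out, ins.Dst) // a literal or sanitized value is clean
	case OpCompute:
		delete(out, ins.Dst)
		for _, a := range ins.Args {
			if in[a] {
				out[ins.Dst] = true // any tainted operand taints the result
			}
		}
	}
	return out
}

// successors lists the instructions control may flow to after pc.
func successors(prog []Instr, pc int) []int {
	switch prog[pc].Op {
	case OpReturn:
		return nil
	case OpJump:
		return []int{prog[pc].Target}
	case OpBranch:
		return []int{pc + 1, prog[pc].Target}
	}
	if pc+1 < len(prog) {
		return []int{pc + 1}
	}
	return nil
}

// Analyze runs a worklist fixpoint of the may-taint analysis, then reports
// sinks fed by tainted values and instructions the fixpoint never reached.
func Analyze(prog []Instr) []Finding {
	if len(prog) == 0 {
		return nil
	}
	in := make([]taintSet, len(prog)) // nil entry = unreachable so far
	in[0] = taintSet{}
	worklist := []int{0}
	for len(worklist) > 0 {
		pc := worklist[0]
		worklist = worklist[1:]
		out := transfer(prog[pc], in[pc])
		for _, s := range successors(prog, pc) {
			if merge(&in[s], out) {
				worklist = append(worklist, s)
			}
		}
	}
	var findings []Finding
	for pc, ins := range prog {
		if in[pc] == nil {
			findings = append(findings, Finding{pc, "dead", "unreachable code"})
			continue
		}
		if ins.Op == OpSink {
			for _, a := range ins.Args {
				if in[pc][a] {
					findings = append(findings, Finding{pc, "taint",
						fmt.Sprintf("tainted value %q reaches sink", a)})
				}
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Line < findings[j].Line })
	return findings
}

// Sample models a handler that builds a command from a query parameter
// (constructed for this example; the code after the return is dead).
func Sample() []Instr {
	return []Instr{
		{Op: OpSource, Dst: "q"},                           // 0: q := r.URL.Query().Get("q")
		{Op: OpSanitize, Dst: "safe", Args: []string{"q"}}, // 1: safe := quote(q)
		{Op: OpBranch, Target: 5},                          // 2: if q == "" { goto 5 }
		{Op: OpCompute, Dst: "cmd", Args: []string{"q"}},   // 3: cmd := "grep " + q
		{Op: OpSink, Args: []string{"cmd"}},                // 4: run(cmd)      <- tainted
		{Op: OpSink, Args: []string{"safe"}},               // 5: run(safe)     <- clean
		{Op: OpReturn},                                     // 6: return
		{Op: OpCompute, Dst: "dbg", Args: []string{"q"}},   // 7: never reached
		{Op: OpSink, Args: []string{"dbg"}},                // 8: never reached
	}
}

func main() {
	for _, f := range Analyze(Sample()) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Kind, f.Msg)
	}
}
```

Lines 7 and 8 are reported as dead rather than as a second taint finding: the analysis never visits them, which is exactly why a dead-code warning is needed before any taint result there can be trusted.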
SonarQube
SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages.
https://en.wikipedia.org/wiki/SonarQube
https://www.sonarqube.org/
SonarQube - running
docker run -d \
  --name sonarqube \
  -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true \
  -m 2g \
  -p 9000:9000 \
  sonarqube:9.0.1-community
docker logs -f sonarqube
https://en.wikipedia.org/wiki/SonarQube
https://docs.sonarqube.org/latest/setup/get-started-2-minutes/
SonarQube - first time access
Enter admin in both the Login and Password fields. SonarQube uses admin as the default username and password.
https://docs.sonarqube.org/6.7/Authentication.html
SonarQube - first time access
Enter the old and new password. SonarQube forces us to change the default username and password on first access.
https://docs.sonarqube.org/6.7/Authentication.html
SonarQube - create new project
Create the project manually by choosing the "Manually" option. SonarQube can also be integrated with many source version control systems, such as GitHub, or other DevOps tools.
SonarQube - create new project
Enter a project display name and project key of your choice. In our case we use cgomath.
SonarQube - code integration
Choose Locally, since we want to check our code manually and locally.
SonarQube - code integration
Enter any name; it only distinguishes this token from other tokens.
SonarQube - code integration
Copy the token and keep it safe, as it will be used to push our code to the project we created before.
SonarQube - code integration
Choose the project type you are working on. In our case we use Go, so choose Other.
Choose the OS you are using. In our case we use macOS, so choose macOS.
SonarQube - code integration
go test -v -coverpkg=./... -coverprofile=coverage.out ./...
https://go.dev/blog/cover
SonarQube - code integration
Update these properties, especially sonar.projectKey, to match the project key you entered when creating the project in SonarQube. In our case, we use cgomath.
docker run \
  --rm \
  -e SONAR_HOST_URL="http://localhost:9000" \
  -e SONAR_LOGIN="13cf55024cfa7fc063f9b9ae49f5281f1a6b657a" \
  -v "/Users/alt-christoforus/Personal/cgomath:/usr/src" \
  --network host \
  -m 1g \
  sonarsource/sonar-scanner-cli
SonarQube - code integration
https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/
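The deck mentions the properties file but does not show it. The sonar-project.properties below is an added example, not from the deck or from cgomath; it assumes the cgomath checkout is the scanner's working directory (the path mounted at /usr/src) and that coverage.out was written by the go test command above.

```properties
# sonar-project.properties for the cgomath project (added example)
sonar.projectKey=cgomath
sonar.projectName=cgomath
sonar.sourceEncoding=UTF-8

# Go sources and tests live in the same tree: tests are excluded from the
# source set and selected into the test set by the _test.go suffix.
sonar.sources=.
sonar.exclusions=**/*_test.go,**/vendor/**
sonar.tests=.
sonar.test.inclusions=**/*_test.go

# Coverage profile produced by: go test -coverpkg=./... -coverprofile=coverage.out ./...
sonar.go.coverage.reportPaths=coverage.out

# sonar.host.url and the token are intentionally absent: pass them through the
# SONAR_HOST_URL and SONAR_LOGIN variables as the docker command does, so the
# token is never committed next to the code it analyzes.
```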
SonarQube - analyze code
Analyze your code through the dashboard we set up before. When every rating is an A, you have good-quality code.
SonarQube - analyze code
SonarQube has a default quality standard for each parameter. You can create your own standard that fits your needs or company goals.
The most dangerous kind of waste is the waste we do not recognize.
~ Shigeo Shingo
https://proqc.com/blog/25-quotes-to-inspire-quality-success/
THANK YOU