Asked
Viewed
5.4k times

I am trying to find the best source code analyzer for C++ code. I am trying to analyze the security issues such as:

  • Buffer Overflows
  • Improper Access Control
  • Memory Information Leak
  • Dead pointers
  • Division by zero
  • Out of bounds
  • Uncaught Exceptions
  • SQL Injections
  • Pathname Exploits
  • Broken Authentication
  • Security Misconfigurations
  • Insecure Direct Object References

and anything else that could affect the security of an application. I downloaded some source code analyzer testing tools, but I don't know which one is the best. Before I start to analyze my project, I want to test the ability to find the security issues on a random open-source C++ project, especially programs with some network communication.

I would like to ask you if you know some webpage, where I can download some open-source C++ projects with an attached list of some known security bugs. I would import this open source project into my Eclipse or Microsoft Visual Studio (so it's also important that the code is compatible with one of the IDEs) and test the code with several code analyzers.

Afterward, I would try to understand all the warnings and errors found by the source code analyzers and compare them with those known by the author, in order to be able to find the best source code analyzing tool.

add a comment
1

2 Answers

  • Votes
  • Oldest
  • Latest
Answered

Fuzzgoat

This C program has been deliberately backdoored with several memory corruption bugs to test the efficacy of fuzzers and other analysis tools. Each vulnerability is clearly commented in fuzzgoat.c.

https://github.com/fuzzstati0n/fuzzgoat

Vulnerability Dataset

C/C++ test cases formatted for input to an LSTM for natural language processing. All test cases originally come from the SARD database.

https://github.com/JHahn42/vulnerabilitydataset

C/C++ SAST via Flawfinder

Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks, race conditions, potential shell metacharacter dangers, and poor random number acquisition.

https://github.com/IvanKuchin/SAST

VulDeePecker

Code Gadget Database that focuses on two types of vulnerabilities in C/C++ programs, buffer error vulnerability and resource management error vulnerability. It contains 61,638 code gadgets, including 17,725 code gadgets that are vulnerable and 49,913 code gadgets that are not vulnerable.

https://github.com/CGCL-codes/VulDeePecker

NIST Test Suites

Test cases in Software Assurance Reference Dataset SARD can be combined and form multiple test suites and include stand-alone suites in different languages including C/C++, C#, and Java. The purpose is to provide users, researchers, and developers with a known set of security flaws.

https://samate.nist.gov/SRD/testsuite.php

You can also download over 177184 test cases:

https://samate.nist.gov/SRD/view.php

Awesome Vulnerable

This is a curated list of vulnerable applications and systems which aims to help starters as well as pros. This one is a little more geared towards web applications, but I thought the resource was worth including for those that are building web applications.

https://github.com/kaiiyer/awesome-vulnerable

add a comment
0
Answered
Updated

I would not try to use someone else's code but focus on your own issues as they are likely to be very different. So even if you were to test these tools on an open-source project with known security flaws and issues, I wouldn't use this as a basis for how well it works with your own codebase.

A number of the comments posted are very good, especially about educating yourself about the issues (security). It has been my experience that no single code analysis tool does it all, and therefore you should use a combination of them.

If you are using VS Team System like we do here, the static analysis is built in to Visual Studio and will detect things like your buffer overruns, etc. and it works with unmanaged C++ as well. It does a pretty good job, but I also use an open source tool called cppcheck (sourceforge) and with some trickery, it will integrate into Visual Studio seamlessly and send its output to the IDE output window. Microsoft also has a free tool for detecting SqlInjection issues "Microsoft source code analyzer for SQL injection..."

add a comment
0