Skip to content

Source Code Analysis

Source code analysis is the process of examining and reviewing the code of a software program to identify errors, vulnerabilities, and potential improvements. This can be performed manually by developers or through automated tools that scan the code for issues like security risks, coding standard violations, and performance inefficiencies.

Semgrep

Install:

  • Ubuntu/WSL/Linux/macOS: python3 -m pip install semgrep
  • macOS: brew install semgrep
  • Docker:
    docker run -it -v "${PWD}:/src" semgrep/semgrep semgrep login
    docker run -e SEMGREP_APP_TOKEN=<TOKEN> --rm -v "${PWD}:/src" semgrep/semgrep semgrep ci
    

Semgrep rules:

SonarQube

Install

  • Docker: docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

Configuration

  • Go to localhost:9000
  • Login with admin:admin
  • Create a local project
  • Generate a token for the project
  • Use sonar-scanner-cli with the generated token

    docker run --rm -e SONAR_HOST_URL="http://10.10.10.10:9000" -v "/tmp/www:/usr/src" sonarsource/sonar-scanner-cli -Dsonar.projectKey=DDI -Dsonar.sources=. -Dsonar.host.url=http://10.10.10.10:9000 -Dsonar.token=sqp_redacted
    

⚠ remove dead symbolic links before scanning a folder.

CodeQL

TODO

Snyk

TODO

References