Goanna 2.5 released

Posted in Blog, Uncategorized and tagged Goanna, release by Paul Steckler .

Goanna 2.5 is now available from the download page. Here’s a summary of what’s changed in this release.

- All versions

stored filenames are now specified as relative paths, allowing the Goanna database to be used in multiple locations
better support for Unicode source code
the ARR-inv-index check now allows for unbounded subscripts

– Goanna Central

license server options can be specified on the command line
the language choice, C or C++, can be given on the command line

– Visual Studio

clicking on a warning in a project summary navigates to the relevant code
better support for Win64 targets
partial compatibility with Intel Parallel Studio (on VS2005 and VS2008, Goanna does not work with projects converted to use the Intel C++ compiler)

As usual, feedback is welcome.

Meet Goanna at the Symposium of Cyber Terrorism

Posted in Blog, Life, Uncategorized and tagged defense, SAMATE, security by Ralf Huuck.

Do you want to know more about software security? Learn about cyber defense? Meet some of the team behind the Goanna technology from NCITA at DSR 2011 in Singapore, August 3-5. We will be giving an overview of at the Symposium on Cyber Terrorism titled “Cyber Security at Software Development Time” and highlighting some of our experiences from the NIST/SAMATE program.

Online Goanna demo

Posted in Blog, release, Uncategorized and tagged demo, Goanna, online, Web by Paul Steckler .

You don’t have to download Goanna to try out Goanna.

Once you have an account on redlizards.com, you can try out Goanna via the online demo at http://redlizards.com/products/demo.html. Just log in, paste in your code in the text box and click the “Analyze” button. The results will show up on the Web page.

We’ve limited the amount of code you can analyze in the demo to 250 lines (so you still might want to download Goanna for serious work).

Check descriptions

Posted in Blog, Uncategorized by Paul Steckler .

New feature for Visual Studio: For any Goanna warning in the VS ErrorList, right-click and choose “Describe Check”. You’ll get an editor tab filled with a description of the check that gave rise to the warning, the same text as in the User Guide. Coming soon to Eclipse.
Check description

CWE items mapped to Goanna checks

Posted in Blog, Uncategorized by Dominic Gurto.

Common Weakness Enumeration (CWE) is a widely accepted, community-developed list of general software vulnerabilities. The CWE website, which contains detailed definitions of each weakness, is here.

Over the last couple of weeks, I’ve been looking into how Goanna maps to the current CWE list. That is, for each of Goanna’s (currently) 100 checks, I’ve reported the CWE items that may be the cause of a warning. I’ve also reported on the mapping in the other direction: for each CWE item, the checks that may report on it are listed. These two mappings are tabulated below.

The table on the left lists all the CWE items that are identified by Goanna, along with each check that may warn about code with each weakness. Code with one of the listed weaknesses will not necessarily fail each associated check, but it may fail some. This table is useful for identifying the checks that are designed to find certain weaknesses. This may help identify the checks that should be enabled or disabled, in order to get the most useful feedback from Goanna.

The table on the right lists each check performed by Goanna, along with each CWE item that may cause the check to fail and yield a warning. The table can be useful for identifying the potential weaknesses in code, based on the warning that Goanna provides.

In the Goanna userguides with the next release, the relevant CWE IDs (from the table on the right) will appear with the detailed descriptions of each check. These two tables will also be included, and updated as more checks are added.

These results are comparable to thosee market-leading analysis tools, and while there is some overlap, there are many CWE items that some leading tools don’t find, such as mismatching the standard and array versions of the new and delete operators, dismissing return values of certain library functions, and the use of uninitialized pointers, just to name a few.

Goanna can currently identify 41 CWE items, including many of the most serious (null pointer dereferences, memory leaks and array index violations), and 61% of our current checks identify the existence of at least one of these vulnerabilities. Combine this with our relatively low rate of false positives compared to competing tools, and it’s easy to see that Goanna is essential for efficiently finding the most serious vulnerabilities in any software project.

(more…)

Why Static Analysis is Not Another Episode of CSI

Posted in Blog, Uncategorized and tagged agile, Goanna, sdlc, static analysis by Ralf Huuck.

Static analysis of the past has been like an episode of CSI. Some guys in specially marked uniforms enter the scene and photograph memory leaks, establish attack vectors and scrape some dangling pointers off the ceiling. Then they go back to the lab and try to figure out what happened. It’s a post-mortem investigation of something that went horribly wrong.

This could be the tale of a real mission critical bug in the wild or just something that slipped through until final system testing. By any means it probably indicates that someone or something got burned. While many of our customers use our Goanna static analysis tools to establish final code quality or to do some forensic analysis, there are also many opportunities for prevention available that are often overlooked.

We carefully designed Goanna Central and Goanna Studio for two different purposes: Goanna Central can be quickly integrated into the build process and invoked either nightly or at the finish of a project. In any case it gives you an accurate snapshot of your code confidence. This is a must. But ideally, you want your code as clean as possible before it moves upstream in the SDLC. Just imagine how much could be saved by only committing “non-lethal” code to your project; If developers are empowered and can fix code right when they produce it. No more blame games.

We at Red Lizard Software really believe that the maximum value of static analysis tools comes from their usage by developers on an everyday and even every minute base. We try to make deep static analysis ridiculously easy. Checks that still required dedicated severs a few years ago will run on simple laptops with Goanna Studio today.

The advantages are clear: Developers can fix bugs before they are committed, development-testing periods are drastically reduced and products can hit the market sooner with higher quality. Maybe one day we will not need the CSI guys at all.

Unicode support

Posted in Blog, Uncategorized and tagged Goanna, Unicode, UTF-8 by Paul Steckler .

Goanna now supports Unicode filenames in a principled way. Until now, we allowed Latin-1 names in the Visual Studio versions of Goanna by using an ad hoc encoding. While that approach was effective for many languages, it left us unable to support languages with non-Latin-1 character sets.

Thanks to the authors of the Camomile library for the OCaml language, which allows us to work with Unicode directly.

For Eclipse and command-line users of Goanna, you get Unicode support if your terminal program is set to use UTF-8. That seems to be the default in recent Linux distros.

Macro visualization

Posted in Blog, Uncategorized and tagged cpp, macro, preprocessor, squiggly, Visual Studio by Paul Steckler .

When Goanna reports a warning, sometimes a C preprocessor macro makes it hard to know what’s really going on in the code. I’ve added a new feature to the Visual Studio implementation that highlights each preprocessor macro invocation with a blue “squiggly”; the associated tooltip shows the (one-level) expansion of the macro. The context menu for the code document allows you to toggle between the macro markers and purple squigglies associated with Goanna warnings.

In the Goanna Central version, you’ll be able to dump all preprocessor macros in a file with an appropriate flag.

Windows command-line version of Goanna

Posted in Blog, Uncategorized by Paul Steckler .

We’ve created a command-line version of Goanna for Windows, tentatively called “GoRun”. It’s simple to use: on the command line, just invoke the tool with a Visual Studio solution file and optionally, the particular projects you’d like to analyze.

If you’d like to try out the tool, please send an email to me, paul.steckler AT redlizards.com. You need to have Goanna Studio v.2.1 for VS2005, VS2008, or VS2010 installed.

Experiments with F#

Posted in Blog, Development, Uncategorized and tagged F#, Ocaml, Visual Studio by Paul Steckler .

A couple of customers have asked for a command-line tool to run Goanna over their Visual Studio projects, similar to the way the Linux command-line tool works. The difficult bit for such a tool is to translate the information in a project file to the appropriate arguments to the core Goanna executable, goannacc.exe on Windows. We already have code to do just that in the Visual Studio extension.

The Goanna VS extensions for VS2005/2008/2010 are written in C#, because there’s a wizard that generates a simple extension in C#. From that starting point, we (meaning I) built the current extensions. If there hadn’t been the wizard, I would have written the extensions in F#, because I prefer the functional style of programming. So I decided to write the command-line tool, that was an opportunity to try out F# in earnest. I’d written a wee bit of F# before; here was a chance to try it out on production code.

When writing the command-line tool, my main concern was, how easy would it be to pull in the C# code that does the project-to-command-line translation. It was very easy: just add an F# project reference to the .DLL containing the code, open the namespace, and I was good to go. I had to make some C# classes explicitly public for visibility, but that was the only change I needed to make.

Programming in F# is very much like programming in OCaml, a language I’ve used off and on for maybe 15 years. Nice thing: instead of the clumsy “delegate” syntax of C#, you can just pass a function argument to another function. Not so nice: in VS2010, the editor does not seem to auto-format F# code, the way it does with C# code (the Ctrl-E F magic). And the editor’s Intellisense feature does not appear to suggest variable names that are in scope. Also: although there are surely good reasons for it, the F# list type is distinct from the C#/.Net System.Collections list type, which is slightly maddening. Finally: I have to build the tool for the various VS versions in slightly different ways, and the conditional compilation facility works for that — but why are there no boolean operations allowed, as you have in C#?

Here’s an example of code that uses .Net lists instead of F# lists:

  let expandedProjs = new System.Collections.Generic.List() in
  while projsIter.MoveNext() do
    expandedProjs.AddRange(ProjectUtil.expandProject(projsIter.Current  > EnvDTE.Project))
  done;

Ooof.

When the command-line tool starts, it fires up an instance of Visual Studio, no GUI. That way it can get information about solutions and projects from VS, like default include paths and configuration information, using code originally written for the extensions. Sometimes the calls to VS fail with COM retry errors, so those calls are done in a loop containing a try-with block. When the tool finishes, or the user hits Ctrl-C, it gracefully shuts down VS. I often run the tool from a Cygwin shell, and I haven’t yet found a way to trap Cygwin SIGKILL signals, so that VS is still running afterwards.

There’s still some work to do on the command-line tool, like deciding what kind of output it should produce, but it’s basically there. Let me know if you’d like to try it out before we make it generally available. The tool is tentatively called “GoRun”, and its syntax is:

  GoRun sln-file [projName ...] ...

That is, you supply one or more solution files, and for each solution file, zero or more project names. If you don’t supply project names, GoRun invokes Goanna on all the projects in the solution, otherwise only those specified.

A complaint: Soon after VS2010 was released, the MSDN site was updated with all-new documentation for the .Net libraries. But the only language there’s documentation for is C# (OK, sometimes J#) . In the type signatures, there are no hyperlinks for keywords (like public, final, etc.) and types. You can’t tell when a type is really a forall-quantified type variable. It wouldn’t be much harder to do these pages right.

One last comment: programming in F# doesn’t feel all that different than programming in C#, though the code is more concise. You definitely feel the presence of .Net every step of the way, and there’s statefulness lurking everywhere. Functional programming for the masses … sort of!