To get a trial key
fill out the form below
Team License (a basic version)
Enterprise License (an extended version)
* By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
USD
EUR
RUB
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
PVS-Studio as SAST solution

PVS-Studio as SAST solution

Jul 25 2018
Author:

Until recently, in our articles we have positioned PVS-Studio as a tool for detecting errors in code. While we almost never regarded PVS-Studio in a security context. We will try to remedy this situation and take a look at the tool in terms of testing of security applications and DevSecOps practices.

0577_SAST/image1.png

PVS-Studio is a static application security testing tool (SAST). In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also security weaknesses (potential vulnerabilities).

The tool works in Windows, Linux, macOS environments and analyzes program code written in C,C++ and C#. We're also planning to support the Java language by the end of 2018.

For the convenience of specialists who will use PVS-Studio as a SAST tool, the analyzer provides mappings for its warnings to Common Weakness Enumeration, SEI CERT Coding Standards, and also supports MISRA standard (currently in development).

Mapping tables of PVS-Studio diagnostics to different standards:

The most widespread classification of SAST tool warnings is Common Weakness Enumeration (CWE). Let's see, using the language of CWE, how the PVS-Studio analyzer helps to prevent vulnerabilities.

If we refer to a list of entries of publicly known information security vulnerabilities (CVE), it turns out that often the reason of vulnerabilities in applications is not any defects in the security system, but ordinary programming errors. National Institute of Standards and Technology (NIST) confirms this by stating that 64% of vulnerabilities in applications relate to errors in code.

It is such errors, described in CWE, that potentially can lead to vulnerabilities. Accordingly, if an error can be classified as CWE, it is possible that it may be exploited as a vulnerability and ultimately be added to the list of CVE. For clarity, we can use an image of the funnel:

0577_SAST/image2.png

There is a great variety of errors. Some of them are dangerous from a security point of view and therefore are classified according to CWE. Some CWE-errors can be exploited and they represent vulnerabilities.

Indeed, in practice, only a very small part of discovered CWE-errors is dangerous and represents vulnerabilities. However, if you are developing security-critical applications and care about the security of users, you should consider these errors very seriously. Eliminating the CWE-errors, you protect your application from many vulnerabilities.

Now the relation between errors, PVS-Studio and vulnerabilities becomes apparent. PVS-Studio analyzer finds errors and classifies many of them as CWE. By fixing these errors, you make your application more reliable. The discovery of vulnerability in the product can seriously affect its reputation. By fixing the analyzer errors, you can significantly alleviate this risk at the earliest development stage - when you are writing the code.

PVS-Studio analyzer, like any other tool, does not guarantee that there are no vulnerabilities in your code. However, if PVS-Studio prevents, for example, 50% of potential vulnerabilities, this is wonderful.

Additionally we offer you to get acquainted with the article "How Can PVS-Studio Help in the Detection of Vulnerabilities?", showing the errors that led to vulnerabilities and which could have been avoided in case of using the PVS-Studio tool in the development process.

Start using PVS-Studio as a SAST solution: download PVS-Studio.

Popular related articles
OWASP Top Ten and Software Composition Analysis (SCA)

Date: Oct 22 2021

Author: Nikita Lipilin

The OWASP Top Ten 2017 category A9 (which became A6 in OWASP Top Ten 2021) is dedicated to using components with known vulnerabilities. To cover this category in PVS-Studio, developers have to turn t…
How to use the OWASP diagnostic group in PVS-Studio

Date: Oct 14 2021

Author: Nikita Lipilin

The PVS-Studio static analyzer allows you to automatically find various problems in the source code. It can also detect code fragments that do not comply with the OWASP Application Security Verificat…
CWE Top 25 2021. What is it, what is it for and how is it useful for static analysis?

Date: Sep 28 2021

Author: Mikhail Gelvih

For the first time PVS-Studio provided support for the CWE classification in the 6.21 release. It took place on January 15, 2018. Years have passed since then and we would like to tell you about the …
MISRA C: struggle for code quality and security

Date: Sep 22 2021

Author: Konstantin Kochkin

A couple of years ago the PVS-Studio analyzer got its first diagnostic rules to check program code compliance with the MISRA C and MISRA C++ standards. We collected feedback and saw that our clients …
How Visual Studio 2022 ate up 100 GB of memory and what XML bombs had to do with it

Date: Sep 07 2021

Author: Sergey Vasiliev

In April 2021 Microsoft announced a new version of its IDE – Visual Studio 2022 – while also announcing that the IDE would be 64-bit. We've been waiting for this for so long – no more 4 GB memory lim…

Comments (0)

Next comments
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →
Accept