Briefly about PVS-Studio as SAST a solution

Apr 17 2019
Author:

PVS-Studio is a static application security testing tool (SAST). In other words, the PVS-Studio analyzer detects not only typos, dead code and other errors, but also potential vulnerabilities.


There are two approaches to detecting vulnerabilities in code.

The first approach has the analyzer search the code for dangerous fragments by drawing on a database of known vulnerabilities (CVE). This is similar to how antivirus software works. The approach is effective for detecting known vulnerabilities, which can get into a project through outdated libraries or through copy-paste.

However, this solution gives no answer to the question of what to do with newly written code and with vulnerabilities that have not yet been discovered.

Hence the second approach: code fragments that contain security defects are detected and fixed preventively. This is the strategy currently implemented in the PVS-Studio tool.

The Common Weakness Enumeration (CWE) database describes error patterns that can be exploited as vulnerabilities under certain circumstances. In practice, only a very small share of CWE-class errors is actually dangerous. From a developer's point of view, however, it makes no sense to speculate about whether a given flaw can be used in an attack. You simply need to fix all the defects and thereby improve the reliability of your application.

The PVS-Studio analyzer supports classifying errors according to CWE. If PVS-Studio issues a warning and maps it to a CWE ID, a potential vulnerability has been detected and it has to be fixed.
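As an added illustration of the second approach (matching weakness patterns in new code and tagging each hit with a CWE ID), here is a toy checker written for this article; it is not PVS-Studio code, it inspects Python rather than C/C++, and its three patterns and the sample source are constructed.

```python
import ast
from collections import namedtuple

# One finding = source line, the CWE ID the pattern maps to, and a short message.
Finding = namedtuple("Finding", "line cwe message")

def _call_name(node):
    # 'name' or 'module.attr' of the callee; '' for anything more complex.
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

class CweChecker(ast.NodeVisitor):
    """Walks the AST and records each matched weakness pattern as a Finding."""
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        if name in ("eval", "exec"):  # dynamic evaluation of (possibly external) data
            self.findings.append(Finding(node.lineno, "CWE-95", f"{name}() call"))
        elif name == "subprocess.run" and any(  # command string handed to a shell
                kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in node.keywords):
            self.findings.append(Finding(node.lineno, "CWE-78", "subprocess.run(shell=True)"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        v = node.value  # string literal stored under a credential-like name
        if isinstance(v, ast.Constant) and isinstance(v.value, str):
            for t in node.targets:
                if isinstance(t, ast.Name) and "password" in t.id.lower():
                    self.findings.append(Finding(node.lineno, "CWE-798", f"hard-coded {t.id}"))
        self.generic_visit(node)

def scan(source):
    # Parse `source` and return findings ordered by line number.
    checker = CweChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)

# Constructed sample of "newly written code": three weaknesses plus one clean call.
SAMPLE = """\
DB_PASSWORD = 'hunter2'
import subprocess
def run(cmd): return subprocess.run(cmd, shell=True)
def calc(expr): return eval(expr)
def safe(cmd): return subprocess.run(['ls', cmd])
"""
```

Running `scan(SAMPLE)` reports lines 1, 3 and 4 with their CWE IDs and stays silent on the argv-list call in `safe`, which is the kind of warning-to-CWE mapping the paragraph above describes.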


I recommend checking out another article on a similar topic: "How Can PVS-Studio Help in the Detection of Vulnerabilities?". It describes some vulnerabilities that can be found with PVS-Studio while the code is still being written.

Introduce the PVS-Studio static code analyzer into your development process to enhance the quality and reliability of the projects you develop.
