https://crocs.fi.muni.cz @CRoCS_MUNI
PA193 - Secure coding principles and
practices
LAB: Static analysis of source code
Petr Švenda svenda@fi.muni.cz @rngsec
Centre for Research on Cryptography and Security, Masaryk University
https://crocs.fi.muni.cz @CRoCS_MUNI
Disclaimer
• The slides for this seminar (and part of the lecture) are taken from
newly created lecture for PV080.
– (you will also see pv080 on screenshots)
• If you already absolved this course, try to enjoy it again ☺
• But new content was created only this autumn and most of you
already absolved PV080 long before that (and GitHub introduced
decent support for static analysis only in Summer 2020)
• (for next years, I will update accordingly)
2 PA193 | LABS | Static checking
https://crocs.fi.muni.cz @CRoCS_MUNI
Idea of the seminar
• Prepare repo with vulnerable code (IS->buggycode.zip)
• Enable automatic static analysis via GitHub Actions
– Several providers of analysis environment (custom or standard tools)
• Trigger by commit, investigate warnings/errors found
• Fix it, review again
• (Analyze your own homework before submission)
• Warning: Code scanning Actions are relatively new to GitHub, they
may be glitches, UI bugs and tool failures
PA19
3 |
LABS
| 5
https://crocs.fi.muni.cz @CRoCS_MUNI
CODE SCANNING WITH GITHUB +
ACTIONS + CODACY
Basic analysis of C/C++ source code with various tools
PA193 | LABS | Static checking
6
https://crocs.fi.muni.cz @CRoCS_MUNI
Steps
1. Create repo on GitHub
2. Enable code analysis
3. Clone repo locally
4. Insert code with vulnerability, commit and push
5. Investigate results of analysis
6. Fix selected issue, rerun analysis
7. Repeat from step 5.
PA19
3 |
LABS
| 7
https://crocs.fi.muni.cz @CRoCS_MUNI
Create repo on GitHub
• Online at github.com
• Make repo public
– GitHub Actions are free only for public ones
• Add readme, .gitignore, license
– Generally good practice
• For start, don’t mix languages
– Put code of single lang in repo (e.g, c++)
– Makes automatic analysis more difficult
– E.g., ‘pv080_test_cpp’ & ‘pv080_test_java’
PA19
3 |
LABS
| 8
https://crocs.fi.muni.cz @CRoCS_MUNI
Enable code scanning actions
• Online at github.com
• Github→Repo→Security→Set up code scanning
• Select Codacy Security Scan (scroll down in offered scans)
– ‘Set up this workflow’ button
PA19
3 |
LABS
| 9
https://crocs.fi.muni.cz @CRoCS_MUNI
Commit configuration file for Codacy scan
10
• No changes required to codacy_analysis.yml
• Start commit →Commit new file
• Can be found at /.github/workflows/ codacy_analysis.yml for later edits
https://crocs.fi.muni.cz @CRoCS_MUNI
Prepare repo content
• Locally on your PC
• Clone repository on your PC
– GitHub Desktop File→Clone
– git checkout your_repository.git
• Copy example buggy code into
your repo and commit
– IS → Study materials, buggycode.zip
– Commit new files, push to repo
(Push origin)PA19
3 |
LABS
| 11
https://crocs.fi.muni.cz @CRoCS_MUNI
Analyze results I.
• Observe scheduled, running and finished
actions
• Online at github.com
• Github→Repo→Actions
• Re-run jobs if desired
– Done on same commit!
– Useful if Action failed due to external service
PA19
3 |
LABS
|
https://crocs.fi.muni.cz @CRoCS_MUNI
Analyze results II.
• Online at github.com
• Github→Repo→Security
– When actions are finished
• Code scanning alerts
– Sorted by tool (e.g., Cppcheck)
• Shown similarly to Issues
– Open, Closed
– Can be filtered (severity…)
– But visible only to repo developers
PA19
3 |
LABS
|
https://crocs.fi.muni.cz @CRoCS_MUNI
Update: 8.3.2021
14 PA193 | LABS | Static checking
• More bugs are reported currently (8.3.2021) than end of last year
– More analysis tools were added in meantime (e.g., Bandit)
https://crocs.fi.muni.cz @CRoCS_MUNI
Notes
• Standard Issues are used to report bugs or ask for / plan
enhancements and new features (usually opened manually)
• Code scanning alerts are similarly treated, but opened automatically,
visible only to developers
• Results from tool(s) are transformed to standardized ‘OASIS Static
Analysis Results Interchange Format (SARIF) TC’, which GitHub can
process, and display issues based on it
PA19
3 |
LABS
| 15
https://crocs.fi.muni.cz @CRoCS_MUNI
Analyze results III.
PA19
3 |
LABS
| 16
• Bug triage
– atm, bug properties cannot be changed
– (expect UI change in future)
• Can be dismissed (=> will not be fixed)
– E.g., if False positive, not relevant…
– Severity is set by original tools
• Expect unification in future
– Dismiss only bugs you are sure about!
https://crocs.fi.muni.cz @CRoCS_MUNI
Fix bug(s)
PA19
3 |
LABS
| 17
• Locate reported bug in source code
– (Note: for the moment, bug preview at Github is not working)
– Use file and line number to locate (e.g., fail.cpp#L7 => line 7 in fail.cpp)
• Fix bug
– E.g., Static[5]; → Static[101];
– (Note: not proper fix, check length instead)
• Commit, Push
– Will trigger analysis again
• Fixed issues are now in ‘Closed’ category
– Introducing and fixing commit is visible in history
https://crocs.fi.muni.cz @CRoCS_MUNI
ADDITIONAL SCANNING OF PYTHON
CODE WITH SHIFTLEFT SCANNER
Scanning of python source code with
PA193 | LABS | Static checking 18
https://crocs.fi.muni.cz @CRoCS_MUNI
Setup ShiftLeft actions on repo
• Create new repository (or reuse previous), clone locally
• Enable code scanning actions
– Set up more scanning tools – pick ‘Scan by ShiftLeft‘
• No need to change shiftleft-analysis.yml before commit
• Copy buggy python code to repo, push, analyze results
PA19
3 |
LABS
| 19
https://crocs.fi.muni.cz @CRoCS_MUNI
Notes
• ShiftLeft scan requires no special configuration (same as Codacy)
• Will find additional bug in Python code
• Provides better explanation of bug (results from tools are likely to
improve in future)
PA19
3 |
LABS
| 20
https://crocs.fi.muni.cz @CRoCS_MUNI
CODE SCANNING WITH GITHUB +
ACTIONS + CODEQL
Bit more advanced setup, CodeQL code analysis, configurable build steps
PA193 | LABS | Static checking 21
https://crocs.fi.muni.cz @CRoCS_MUNI
CodeQL basics
• Your source code → CodeQL code → rules executed on that canonical code
– Adding support for new language (e.g., Go) => just convert Go source code to CodeQL
canonical form and then use all already existing rules
• CodeQL uses own language to write analysis rules
– Many existing security rules are already written, you don’t need to learn this language or
write own rules to use it
• CodeQL is integrated in GitHub Actions or can be run for external CI
– We will use integrated option
– https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-
errors-in-your-code/enabling-code-scanning-for-a-repository
• Note: difference between dedicated tool (e.g., cppcheck) and CodeQL
– Single tool for single language – detection rules must be written again for new lang
– CodeQL – detection rules are written for canonical code, new lang requires only to write
conversion between lang code and canonical code
PA19
3 |
LABS
| 22
https://crocs.fi.muni.cz @CRoCS_MUNI
Setup CodeQL actions on repository
• Create new repository (e.g., pv080_test_python), clone locally
• Enable code scanning actions
– Pick CodeQL (instead of Codacy)
• Check codeql-analysis.yml before commit
– Modify set of target languages
• language: [ 'cpp']
• Copy buggy code to repo, push
PA19
3 |
LABS
| 23
https://crocs.fi.muni.cz @CRoCS_MUNI
Fixing build for CodeQL
• CodeQL Action may fail with:
• Reason
– Analysis for some languages works on the compiled code/bytecode (e.g.,
Java)
– Static analysis generally runs on unfinished code, but not always
– One shall not commit broken code to repo anyway
• Fix: tell CodeQL how to buildPA19
3 |
LABS
| 24
https://crocs.fi.muni.cz @CRoCS_MUNI
Fixing build for CodeQL I.
• GitHub CodeQL tries to compile your code
– But how it knows how to compile your project?
• Autobuild feature is only heuristic (=> can be wrong, can fail)
– https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-
and-errors-in-your-code/configuring-the-codeql-workflow-for-compiled-languages
– Depends on CI operating system
– Search for .sln or .vcxproj (MS Visual Studio), then call MSBuild.exe
– Search for build.bat, build.cmd, and build.exe, then run it
– Search for Makefile, then call make
– Starts in repo root, then try in subdirectories…
• Tip: Start with simplest example, make it work, then make more
complicatedPA19
3 |
LABS
| 25
https://crocs.fi.muni.cz @CRoCS_MUNI
Fixing build for CodeQL II.
• The solution depends on build system for your project
– Make, gradle, ant, maven…
– We will only discuss simple direct build with g++ and makefile
• Option 1: Makefile into repo root (g++ fail.cpp)
– Feel free to use improved makefile scripts
– Generally better solution than option 2
• Option 2: Direct specification in codeql-analysis.yml
– Disable autobuild by commenting it out with #
– Insert conditional statement based on language
• Example here for cpp and java
• Python is left with autobuild
– More flexibility in configuration, more changes to scripts
PA19
3 |
LABS
|
26
main:
g++ ./fail.cpp
https://crocs.fi.muni.cz @CRoCS_MUNI
CHECKING SECURITY OF
DEPENDENCIES GITHUB + DEPENDABOT
Setup Action to observe new vulnerabilities in your dependencies, notify you and even
propose automatic patch
PA193 | LABS | Static checking 27
https://crocs.fi.muni.cz @CRoCS_MUNI
Enable dependabot
• Enable Dependabot alerts
– You will receive notification about
vulnerable dependency
• Enable Dependabot security
updates
– You will receive automatic pull requests
fixing vulnerable dependency
– Always analyze automatic pull requests
for correctness
PA19
3 |
LABS
| 28
https://crocs.fi.muni.cz @CRoCS_MUNI
Notes
• Dependabot is well established feature of GitHub
• GitHub checks for vulnerabilities in major libraries (dependencies) and
notify you if tour repo use it
PA19
3 |
LABS
| 29
https://crocs.fi.muni.cz @CRoCS_MUNI
RUNNING TOOL(S) LOCALLY
Run cppcheck locally without Github Actions. Suitable for projects with proprietary code,
troubleshooting, execution with non-standard parameters etc.
PA193 | LABS | Static checking 30
https://crocs.fi.muni.cz @CRoCS_MUNI
Cppcheck for C++ files
• For small files, you may try cppcheck online
– https://cppcheck.sourceforge.net/demo/
– Paste fail.cpp into browser and Check
– Compare with errors as reported by Codacy
• Run cppcheck from command line
– Get latest release
• https://github.com/danmar/cppcheck/releases
– Run cppcheck --enable=all fail.cpp
• Run cppcheck via GUI
– Allows for analysis of folders, sorting by severity…PA19
3 |
LABS
| 31
https://crocs.fi.muni.cz @CRoCS_MUNI
Other tools
• There are many tools for different languages
• Codacy Action is “just” running preconfigured tools
• Try it!
PA19
3 |
LABS
| 32
https://crocs.fi.muni.cz @CRoCS_MUNI
STILL WANT MORE? TRY ON YOUR OLD
PB071 HOMEWORK ☺
PA193 | LABS | Static checking 33
https://crocs.fi.muni.cz @CRoCS_MUNI
TROUBLESHOOTING
Some hints on common issues
PA193 | LABS | Static checking 34
https://crocs.fi.muni.cz @CRoCS_MUNI
Troubleshooting
• Analysis is not finished yet
– Wait an hour, try to make another bogus commit (update file)
• Start from small working examples, then extend to larger project
– E.g., simple main.java, only later large java project via ant
• Analyze failed to start for specific language
– GitHub Actions usually requires code to be compilable
• Analysis for some languages works on the compiled code/bytecode (e.g., Java)
• (static analysis runs on unfinished code, but one shall not commit broken code to repo)
– Github will invoke autobuild feature
• Tries to build various languages as defined here
– https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-
code/configuring-the-codeql-workflow-for-compiled-languages
• Paths case sensitivity
– Linux is case-sensitive for path names while Windows isn’t
• /java/ and /Java/ are the same on Windows, but not on Linux
• Clicking on log of ‘Perform Code QL Analysis’ shows nothing
– Likely GitHub bug, click left on the Analyze (language), then again on ‘Perform Code QL Analysis’
• Makefile requires tabs, not spaces
PA19
3 |
LABS
| 35
https://crocs.fi.muni.cz @CRoCS_MUNI
Some tips
• Setup scanning tools at the beginning of new project
– And make sure all bugs are always fixed (similar to “compile cleanly” mantra)
• Look at the text logs produced by actions (click on named Action)
– What tool was executed, what configuration…
• Tools will improve over the time (detected bugs, visualization on
GitHub side)
PA19
3 |
LABS
| 36
https://crocs.fi.muni.cz @CRoCS_MUNI
NO HOMEWORK ASSIGNMENT THIS
WEEK ☺
PA193 | LABS | Static checking 37
https://crocs.fi.muni.cz @CRoCS_MUNI
CHECK-OUT
38 PA193 | LABS | Static checking
https://crocs.fi.muni.cz @CRoCS_MUNI
Checkout
• Which of the seminar parts you enjoyed most?
• Write three items you liked (ideally, single word)
• Write to sli.do when displayed
39 PA193 | LABS | Static checking
40 PA193 | LABS | Static checking
Write a topic from the seminar you enjoyed most
ⓘ Start presenting to display the poll results on this slide.
https://crocs.fi.muni.cz @CRoCS_MUNI
THANK YOU FOR COMING, SEE YOU
NEXT WEEK
41 PA193 | LABS | Static checking