
I am working on a project to develop a SAST (static application security testing) scanner. Can people suggest best practices to read the code base more quickly?

I have a few ideas, like using an AST or BCEL.

Please suggest.

  • Probably not worth a full answer, but if you haven't already, I'd recommend looking into semgrep https://semgrep.dev/ – Rory McCune May 11 '21 at 13:10
  • Thanks, let me look into it. – Bhuvaneshwari Iyer May 11 '21 at 13:19
  • That sounds like a huge project! I guess your first step will be to decide how you want your code scanning engine to work: will you build a simple regex-based engine? Will you build a full code parser that parses code into language trees and symbol tables (i.e. halfway to a compiler)? Will you build a data flow analyzer? Each has its pros and cons, as they are better or worse at detecting different kinds of security issues. – Mike Ounsworth May 11 '21 at 15:56
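As an added illustration of the trade-off Mike Ounsworth's comment describes (this is not code from the question's author or any commenter), here is a small Python scanner that runs a regex grep and an AST walk over the same constructed source, and layers a minimal intra-procedural taint pass on top of the AST. The SOURCES and SINKS sets, the SAMPLE program, and the Finding class are assumptions made for the example.

```python
"""Toy SAST check for Python source: regex vs. AST vs. simple data flow.

A regex such as r"\beval\(" also matches inside comments and strings and
cannot tell a literal argument from a variable.  Walking the AST fixes both
problems, and tracking assignments lets us follow untrusted data from a
source (input(), os.environ.get) to a dangerous sink (eval, os.system, ...).
Everything below is a constructed example, not a real scanner.
"""
import ast
import re
from dataclasses import dataclass

# Assumed source/sink lists for the example; a real tool would load these from rules.
SOURCES = {"input", "os.environ.get"}
SINKS = {"eval", "exec", "os.system", "subprocess.call"}


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    reason: str


def _call_name(call: ast.Call) -> str:
    """Render the callee as a dotted name (e.g. 'os.system'); '' if not a simple name."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class TaintScanner(ast.NodeVisitor):
    """Flow-sensitive only for straight-line code: no branches, loops or calls."""

    def __init__(self):
        self.tainted = set()      # variable names currently holding untrusted data
        self.findings = []

    def _is_tainted(self, expr: ast.AST) -> bool:
        # Any tainted name or any source call anywhere in the expression taints it.
        for node in ast.walk(expr):
            if isinstance(node, ast.Name) and node.id in self.tainted:
                return True
            if isinstance(node, ast.Call) and _call_name(node) in SOURCES:
                return True
        return False

    def visit_Assign(self, node: ast.Assign):
        # Propagate taint through assignments: x = input(); y = "ls " + x
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # overwritten with safe data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call):
        name = _call_name(node)
        if name in SINKS:
            for arg in node.args:
                if isinstance(arg, ast.Constant):
                    continue                          # literal: not attacker-controlled
                reason = "tainted argument" if self._is_tainted(arg) else "non-literal argument"
                self.findings.append(Finding(node.lineno, name, reason))
        self.generic_visit(node)


def scan(source: str) -> list:
    """AST-based scan: returns Findings for non-literal arguments to known sinks."""
    scanner = TaintScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


def regex_hits(source: str, pattern: str = r"\b(eval|exec|os\.system)\(") -> int:
    """The naive regex approach, for comparison: counts textual matches only."""
    return len(re.findall(pattern, source))


# Constructed sample program under test (line 1 is the blank after the quotes).
SAMPLE = '''
import os
# eval("1+1") mentioned in a comment fools a regex
cmd = input("cmd> ")
os.system("ls " + cmd)          # tainted data reaches a shell sink
eval("1 + 1")                   # literal argument: no finding
expr = "2 * 3"
eval(expr)                      # non-literal but not tainted
'''

if __name__ == "__main__":
    print("regex matches:", regex_hits(SAMPLE))
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.sink}() with {f.reason}")
```

On SAMPLE the regex reports four hits (including the comment and the literal call), while the AST pass reports two: the tainted os.system() on line 5 and the non-literal eval() on line 8. The taint tracking is deliberately naive (it ignores branches, loops, function boundaries and sanitisers), which is exactly the gap a proper data-flow analyser closes.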

0 Answers