How to use YASCA static code analysis tool

-


Yasca which is an acronym for "Yet Another Source Code Analyzer" is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code. It leverages external open source programs, such as FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, Pixy, and RATS to scan specific file types. It also contains many custom scanners developed for Yasca. It is a command-line tool that generates reports in HTML, CSV, XML, MySQL, SQLite, and other formats.

Languages Scanned with Yasca
Yasca has at least one scanner for each of the following file types:
DotNET (VB.NET, C#, ASP.NET), ASP, C/C++, COBOL, ColdFusion, CSS, HTML
Java,JavaScript, Perl, PHP, Python, Raw HTTP Traffic, Visual Basic
In this post we will be looking at how to install and use Yasca source code analyser.

To understand more about source code analyzers click on this link to my previous post on Understanding Static Code Analysis
Download Yasca from
https://sourceforge.net/projects/yasca/?source=typ_redirect



Extract it to any location of your choice.

In this post I will be using C:\YASCA



You will need to download the following 11 plugins
1.       yasca-2.1-jlint.zip
2.       yasca-2.1-javascriptlint.zip
3.       yasca-2.1-fxcop.zip
4.       yasca-2.1-findbugs.zip
5.       yasca-2.1-rats.zip
6.       yasca-2.1-pmd.zip
7.       yasca-2.1-findbugs-plugin.zip
8.       yasca-2.1-pixy.zip
9.       yasca-2.1-phplint.zip
10.   yasca-2.1-cppcheck.zip
11.   yasca-2.1-clamav.zip

This can be downloaded from the following links:
https://sourceforge.net/projects/yasca/files/Yasca%202.x/Yasca%202.1/


Create a folder called STATIC_TOOLS and unzip the downloads into it.
For this post I will create a my STATIC_TOOLS folder in my C:\YASCA directory
So my final location for the static_tools folder is :
C:\YASCA\Static_tools\
Please note that all your plugins must be extracted to this location as we will point the Yasca engine to pick the plugins from this location.

Using YASCA
Usage is through command prompt as usual. I will guide you carefully.
Now that we have already extracted our plugins to our desired location we can begin.

We need to first of all point the YASCA engine to the location of the plugins to be used for the source code scan. This is done with the following commands

set SA_HOME=C:\YASCA\Static_tools\


The Yasca installation file has test source code that can be used for training which can be located at
resources\test
in mine the location is
C:\YASCA\resources\test



Now run the following command to perform the source code scan
yasca C:\YASCA\resources\test



Result of the source code scan will be reported in the directory given after the entire scan as can be seen in the highlighted part of the screen shot


This is a screen shot of my results

Open the HTML file and you will have a detailed report of the source code analysis


The coloured square dots are descriptive and can be clicked on. Please see the screen shot for what they stand for:



And that's how to use YASCA.

I hope you enjoyed this post and also hope it was value adding. I would appreciate your comments or contributions

Comments

  1. Yemi8 February 2019 at 14:30

    This is value add, programmers will not be able to hide any longer

    ReplyDelete

Post a Comment

Popular posts from this blog

Auditing Virtualization

-
Image
Virtualization is the process of creating virtual, representation of an entity, such as virtual applications, servers, storage and networks. It is the single most effective way to reduce IT expenses by reducing hardware footprint while boosting efficiency and agility for all size businesses. However good as it is, virtualization can create a single point of failure if poor implementation introduced a security flaw to the system. In this post I will be sharing with you how to audit virtualization.
Read more

How to Identify if the capacity of your FLASH storage device is genuine or counterfeit

-
Image
Have you at some time purchased a flash drive  or memory card that always stored corrupt data? You paid for a 64gig memory card and all you stored in it is simply just got corrupted. I have been a victim several times even with reputable retailers. These counterfeit flash storages are low capacity in nature, devices that have been maliciously altered so that they appear to have much more capacity than its original. An example is the 64 gig memory card I purchased which ended up having actual capacity of 2gig. So I actually paid for 2gig. Now I didn't get to know this on time because I actually copied a video file inside it as a test which checked out fine. The video file size was 1.5gb. I was able to play the video with no issue of corruption. Thus I "Assumed" the flash was genuine. Boy was I wrong. Later in the week I decided to do a major backup of my mobile phone since I was purchasing another one. After the backup, I formatted ...
Read more

Address Resolution Protocol (ARP): Understanding the basics

-
Image
Address resolution Protocol or ARP for short is basically used to resolve an IP address to a MAC address. A MAC address is a unique identifier for any device. And since we are talking networking today, The mac address we will be concentration on is that of a network device. Its important to note that, no two device can have the same mac address. Whenever a network device needs to communicate with another network device in a Local Area Network, it needs the MAC address of that device. This is where ARP comes to play. Lets take a look at the scenario bellow to clearly understand this concept: 1. There are 2 computers say A and B on the network. 2. They have both been assigned an IP address as seen below:        A: 192.168.0.1        B: 192.168.0.2 3. Computer A needs to communicate with computer B. 4. It looks at a list for the IP address to see if it has a corresponding MAC address. This list is called an ARP Cache. 5. If the en...
Read more