Thread overview
Static Analysis / Code Scanning Tool (SAST) for D?
Apr 28, 2018
Jonathan M. Wilbur
Apr 28, 2018
Stefan Koch
Apr 28, 2018
Cym13
Apr 28, 2018
Vladimir Panteleev
April 28, 2018
Does anybody know of a SAST tool that can scan D code for security vulnerabilities? In other words, does anybody know of something that will analyze raw D source code for security vulnerabilities that the human eye may have missed?
April 28, 2018
On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur wrote:
> Does anybody know of a SAST tool that can scan D code for security vulnerabilities? In other words, does anybody know of something that will analyze raw D source code for security vulnerabilities that the human eye may have missed?

No. Besides analyzing D code is normally quite useless,
as the tool will be blind once it hits the first template.

Security vulnerabilities, are usually nothing which can be
caught by static analysis on  source code.
As they are highly dependent on which shape the generate machine code takes.

April 28, 2018
On Saturday, 28 April 2018 at 16:01:44 UTC, Stefan Koch wrote:
> On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur wrote:
>> Does anybody know of a SAST tool that can scan D code for security vulnerabilities? In other words, does anybody know of something that will analyze raw D source code for security vulnerabilities that the human eye may have missed?
>
> No. Besides analyzing D code is normally quite useless,
> as the tool will be blind once it hits the first template.
>
> Security vulnerabilities, are usually nothing which can be
> caught by static analysis on  source code.
> As they are highly dependent on which shape the generate machine code takes.

Meh. That's far from true.

My experience as a professional with experience in both pentesting, static analysis and reverse engineering is that finding vulnerabilities on compiled code is generally way *way* less efficient, be it only because all vulnerabilities aren't at the same level. It is by far the least efficient of the three when considering the ratio number*criticality/analysis_time.

High-level things like missing authentication to access a given resource are much easier to spot by static analysis. Same for crypto mistakes, and about everything really.

Some vulnerabilities are easier to find dynamically (a recent use-after-free in a multithreaded context comes to mind), but saying that static analysis can't find useful things is completely false. Besides, as "cool" as memory corruptions and other integer overflow issues may be they're far from being the only important vulnerabilities present in an application. I'll take a /tmp/log.txt over a buffer overflow any day.

That said, no, I don't know of any software on the market working with D code, and yeah, templates do make the task harder for an automated tool. Not that I'd trust one over the eye of a professional anyway. They're helpful but not as efficient.
April 28, 2018
On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur wrote:
> Does anybody know of a SAST tool that can scan D code for security vulnerabilities? In other words, does anybody know of something that will analyze raw D source code for security vulnerabilities that the human eye may have missed?

There is DScanner which does some linting, but it is not specifically security oriented.

Speaking strictly of memory safety, some parts of D are designed to make security audits much easier than C/C++:

- If your programs are @safe (i.e. the module starts with @safe: , as should be the case for a security-critical application), you only need to review @trusted code (and, as necessary, any @system code called by the @trusted code).

- Casts are done with an explicit keyword (cast) to make such auditing easier. (Code that uses casts to convert between non-reference types can use std.conv.to instead, to speed up  future audits.)