Jump to: navigation, search


< Zaqar
Revision as of 12:10, 26 August 2013 by Thomas Biege (talk | contribs) (Code Scanning)

Code Scanning

Simple but always appearing software flaws can be found using static code analyzers or other code scanning tools. We are limited to freely available code scanners, some examples that need to be verified are

  1. rats (C, C++, Perl, PHP, Python)
  2. pylint quality checker (Python)
  3. PyChecker code checker (Python, last release 2011)
  4. FindBugs (Java)
  5. Yasca Meta-tool to leverage existing tools for scanning (also supports Python)
  6. brakeman Rails security code scanner, good integration in Jenkins (Ruby on Rails)
  7. more tools are listed at Wikipedia


Jenkins can be used to scan the source code after every code submit or on a regular basis (Zuul to schedule the job) to find simple vulnerabilities.

Deployment Scanning

Several security issues could be easily find using security test-suites that run against a deployed version of OpenStack.


During a discussion on #openstack-infra it was suggested to use Tempest as framework to hook the security test-suite in and let it run against a deployed OpenStack environment setup by DevStack Gate



  1. Gauntlt
  2. OWASP test-suite
  3. https://code.google.com/p/rough-auditing-tool-for-security/
  4. https://www.owasp.org/index.php/Category:OWASP_Yasca_Project