Static Code Analysis Tool
cIFrex is a web application written in PHP that supports searching for mistakes during source code analysis. Using a database of filters based on regular expressions, you can quickly locate the code in which the probability of a defect is high. To benefit fully from this methodology, you only need to have the source code on a computer with access to cIFrex.
Each filter consists of at most nine patterns.
The regular expressions fall into three groups:
- (V) Value: a regular expression that retrieves a sequence of characters and assigns the retrieved value to the variable
<v1>, <v2> or <v3>, for example the name of an array:
char name => char.* (?<v1>\w+)\[(\d+)\]
The variables <v1>, <v2> and <v3> can then be used to search for the sequences that interest us:
the captured values are substituted into the patterns of type T (Truth) and F (False).
- (T) Truth: a regular expression that must be present in the code, for example:
- (F) False: a regular expression that must not be present in the code, for example:
Each type of expression plays a given role. Expressions of type (V) are used mainly to capture variable names, while expressions of type (T) and (F) specify how those variables are used. Put simply, patterns of type V catch the names of variables used in an unsuitable manner, for example all arrays (<v1>) of type char that are passed to strcpy() (<t1>)
without the length being checked via strlen() (<f1>).
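The following is an added example, written for this page and not taken from cIFrex itself, that implements the V/T/F filter mechanism described above in Python so the idea can be tried offline. It assumes the semantics the text gives: every V pattern is run over a source file, each captured <v1>..<v3> value is substituted literally into the T and F patterns, and a match is reported only when all T patterns hit and no F pattern hits in that file. The named-group syntax (?<v1>...) is cIFrex's; Python's re module spells it (?P<v1>...), so the code translates it. The filter, the two C files and the function names are constructed for the example.

```python
import re

# cIFrex writes named captures as (?<v1>...); Python's re module needs (?P<v1>...).
def to_python_regex(pattern: str) -> str:
    return re.sub(r"\(\?<(v[123])>", r"(?P<\1>", pattern)

# Substitute captured <v1>..<v3> values into a T or F pattern as escaped literals,
# so a name like "buf" cannot be misread as regex metacharacters.
def bind(pattern: str, values: dict) -> str:
    out = pattern
    for name, value in values.items():
        out = out.replace(f"<{name}>", re.escape(value))
    return out

def run_filter(source: str, value_patterns, truth_patterns, false_patterns):
    """Return [(captured values, line number)] for every V match in `source`
    for which all bound T patterns match the file and no bound F pattern does."""
    findings = []
    for vpat in value_patterns:
        for m in re.finditer(to_python_regex(vpat), source):
            values = {k: v for k, v in m.groupdict().items() if v is not None}
            if not values:
                continue
            if not all(re.search(bind(t, values), source) for t in truth_patterns):
                continue  # required usage (T) absent
            if any(re.search(bind(f, values), source) for f in false_patterns):
                continue  # forbidden/mitigating construct (F) present
            line = source.count("\n", 0, m.start()) + 1
            findings.append((values, line))
    return findings

# Constructed filter for the case in the text: a char array (V) passed to strcpy() (T)
# in a file that never calls strlen() (F).
STRCPY_FILTER = {
    "V": [r"\bchar\s+(?<v1>\w+)\s*\[\s*(\d+)\s*\]"],
    "T": [r"\bstrcpy\s*\(\s*<v1>\s*,"],
    "F": [r"\bstrlen\s*\("],
}

def scan_strcpy(source: str):
    return run_filter(source, STRCPY_FILTER["V"], STRCPY_FILTER["T"], STRCPY_FILTER["F"])

# Constructed sample input: an unchecked copy, plus a second array (tag) that is
# captured by V but never reaches strcpy(), so T does not hold for it.
VULN_C = """\
#include <string.h>

void greet(const char *name)
{
    char buf[32];
    char tag[8] = "hi";
    strcpy(buf, name);   /* copies without checking the length */
}
"""

# Constructed sample input: same copy, but guarded by strlen(), so F suppresses it.
SAFE_C = """\
#include <string.h>

void greet(const char *name)
{
    char buf[32];
    if (strlen(name) < sizeof buf)
        strcpy(buf, name);
}
"""

if __name__ == "__main__":
    for label, src in (("vuln.c", VULN_C), ("safe.c", SAFE_C)):
        for values, line in scan_strcpy(src):
            print(f"{label}:{line}: char array {values['v1']} passed to strcpy() without strlen()")
```

Running it reports only vuln.c line 5 (the declaration of buf); tag is filtered out by the T pattern and safe.c by the F pattern. Note the limit of this style of filter: T and F are evaluated against the whole file, not against data flow, so a single strlen() anywhere in a file silences every strcpy() finding in it, and a strlen() on the wrong variable still counts as a check. The filters are a triage aid for pointing a reviewer at suspicious code, not proof of a defect or of its absence.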