PMD
Anyone who has ever performed a code review of C or C++ code is probably familiar with tools such as Flawfinder and RATS, which rely on pattern matching and have some understanding of the target code. Unfortunately, these tools have vulnerability databases geared primarily toward C and C++ and they are limited in scope.[1]
PMD is a static source code analysis tool for Java maintained by Tom Copeland at http://pmd.sourceforge.net. It performs a number of checks for poor coding practices, but it doesn’t provide any rules for identifying common web application vulnerabilities. A detailed explanation of how PMD works is outside the scope of this chapter. Besides, Tom has already done a good job of it (see http://www.onjava.com/pub/a/onjava/2003/02/12/static_analysis.html).
PMD’s analysis engine converts each Java source file into a node-like tree structure called an Abstract Syntax Tree (AST). Rules can then traverse or “visit” the AST using the Visitor pattern, looking for object patterns that represent problems in the code. The advantage of this technique over pattern-matching tools is that the source is broken into logical chunks or tokens, allowing for intelligent automated analysis of surrounding code.
[1] In addition to C and C++, RATS also scans Perl, PHP, and Python code.
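To make the AST-plus-Visitor idea concrete, here is an added example; it is not PMD’s code and not from the book. It is a small rule written against the JDK’s own `com.sun.source` Tree API, which exposes the same kind of AST that PMD builds and the same Visitor-style traversal. The class names `ConcatSqlRule` and `SinkVisitor` and the sample `Dao` source are constructed for this illustration. The rule reports JDBC calls whose SQL argument is a `+` concatenation node, which is exactly the distinction a pattern-matching tool cannot make: it sees only the text `executeQuery`, not the shape of the argument.

```java
import com.sun.source.tree.CompilationUnitTree;
import com.sun.source.tree.ExpressionTree;
import com.sun.source.tree.MemberSelectTree;
import com.sun.source.tree.MethodInvocationTree;
import com.sun.source.tree.ParenthesizedTree;
import com.sun.source.tree.Tree;
import com.sun.source.util.JavacTask;
import com.sun.source.util.SourcePositions;
import com.sun.source.util.TreeScanner;
import com.sun.source.util.Trees;

import javax.tools.JavaCompiler;
import javax.tools.JavaFileObject;
import javax.tools.SimpleJavaFileObject;
import javax.tools.ToolProvider;
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical AST-visitor rule (not PMD's own code): flags JDBC calls whose
 * SQL argument is assembled by string concatenation, which a grep for
 * "executeQuery" cannot tell apart from a literal or a PreparedStatement.
 */
public class ConcatSqlRule {

    // Constructed sample input. Only line 3 builds SQL by concatenation;
    // line 4 uses a literal with a parameter marker, line 6 passes no SQL at all.
    static final String SAMPLE =
          "class Dao {\n"
        + "  void lookup(java.sql.Statement st, java.sql.Connection c, String user) throws Exception {\n"
        + "    st.executeQuery(\"SELECT * FROM users WHERE name='\" + user + \"'\");\n"
        + "    java.sql.PreparedStatement ps = c.prepareStatement(\"SELECT * FROM users WHERE name=?\");\n"
        + "    ps.setString(1, user);\n"
        + "    ps.executeQuery();\n"
        + "  }\n"
        + "}\n";

    // JDBC methods that take SQL text as their first argument.
    static final Set<String> SINKS = Set.of("execute", "executeQuery", "executeUpdate", "prepareStatement");

    /** The Visitor: javac calls visitMethodInvocation for every call node in the AST. */
    static class SinkVisitor extends TreeScanner<Void, Void> {
        private final CompilationUnitTree cu;
        private final SourcePositions positions;
        final List<String> findings = new ArrayList<>();

        SinkVisitor(CompilationUnitTree cu, SourcePositions positions) {
            this.cu = cu;
            this.positions = positions;
        }

        @Override
        public Void visitMethodInvocation(MethodInvocationTree node, Void unused) {
            ExpressionTree select = node.getMethodSelect();
            // "st.executeQuery" is a MemberSelectTree; a bare "execute(...)" is an IdentifierTree.
            String name = select instanceof MemberSelectTree
                    ? ((MemberSelectTree) select).getIdentifier().toString()
                    : select.toString();
            if (SINKS.contains(name) && !node.getArguments().isEmpty()
                    && isConcatenation(node.getArguments().get(0))) {
                long line = cu.getLineMap().getLineNumber(positions.getStartPosition(cu, node));
                findings.add("line " + line + ": " + name + "() receives concatenated SQL");
            }
            return super.visitMethodInvocation(node, unused); // keep descending into nested calls
        }
    }

    /** True when the expression is a '+' node, looking through any parentheses. */
    static boolean isConcatenation(ExpressionTree e) {
        while (e.getKind() == Tree.Kind.PARENTHESIZED) {
            e = ((ParenthesizedTree) e).getExpression();
        }
        return e.getKind() == Tree.Kind.PLUS;
    }

    /** Parses one source string into its AST and runs the visitor over it. */
    static List<String> analyze(String source) throws IOException {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler(); // needs a JDK, not just a JRE
        JavaFileObject unit = new SimpleJavaFileObject(URI.create("string:///Dao.java"), JavaFileObject.Kind.SOURCE) {
            @Override public CharSequence getCharContent(boolean ignoreEncodingErrors) { return source; }
        };
        JavacTask task = (JavacTask) javac.getTask(null, null, null, null, null, List.of(unit));
        SourcePositions positions = Trees.instance(task).getSourcePositions();
        List<String> findings = new ArrayList<>();
        for (CompilationUnitTree cu : task.parse()) { // parse only: no type checking needed
            SinkVisitor visitor = new SinkVisitor(cu, positions);
            visitor.scan(cu, null);
            findings.addAll(visitor.findings);
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        analyze(SAMPLE).forEach(System.out::println);
    }
}
```

Compile and run it with a JDK (9 or later, for `List.of` and `Set.of`). It reports a single finding for line 3 of the sample, while the `PreparedStatement` call on line 4 and the argument-less `executeQuery()` on line 6 are left alone. A real PMD rule would extend PMD’s own rule base class and visit PMD’s AST node types instead, but the shape is the same: one `visit` method per node type of interest, and a violation recorded only when the surrounding nodes match the pattern.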