Session du 10 Janvier 2018 En chaque développeur a sommeillé un jour ce rêve d'écrire son propre compilateur pour un language de domaine ou voir même pour créer un nouveau language de programmation. Or le développement d'un analyseur de code ressemble étrangement au développement du front-end d'un compilateur. Durant cette session, Freddy présentera les différentes étapes du développement d'un analyseur de code jusqu'à la capacité à exécuter symboliquement tous les chemins d'exécutions. Ce concept avancé d'interprétation abstraite est un pré-requis à la détection des bugs et vulnérabilités les plus profonds dans tous les languages. Quizz en ligne 20 minutes pour jouer ensemble et mettre à l'épreuve nos connaissances des principales failles de sécurité applicatives et notre capacité les détecter des bugs dans du code Java et JavaScript. Speaker Freddy est le créateur de la plateforme SonarQube et est co-fondateur de SonarSource. Après de nombreuses années de développement en Java, il joue désormais le role de Product Manager pour les analyseurs de code SonarSource.

1. GenevaJug
@sonarqube
@sonarlint
#sonarcloud
DIY:
Java Static Analysis
Freddy Mallet - @FreddyMallet

2. Ego boost
● Freddy Mallet
○ CoFounder@SonarSource
○ Father of the COBOL Code Analyzer
○ Run marathon in 4h05
○ Flat Organization Advocate

3. SonarLint: The Missing Piece
Fewer slides, more code!

4. What is Static Analysis ?
Analyzing code,
without executing it!

5. Detecting Code Smells,
Bugs and Vulnerabilities
A Mean to an End

6. 20+ Languages

7. The Mainstream Code Analyzers

8. Code Analyzers at SonarSource
Back Story

9. Let’s Write a Code Analyzer

10. Lexical Analysis
Only two things are infinite, the universe and human
stupidity, and I am not sure about the former.

11. Lexical Analysis
Only two things are infinite, the universe and human
stupidity, and I am not sure about the former.
Albert E.definite articlesverbs

12. Lexical Analysis
class A {
int b;
}

13. Lexical Analysis
class A {
int b;
}
keywords
Identifiers
punctuators

14. Syntactic Analysis
Define the grammar (BNF) of your language
<class_declaration> ::= ‘class’ identifier <class_body>
<class_body> ::= ‘{‘ <field_declaration> ‘}‘
<field_declaration> ::= <type> identifier ‘;’
<type> ::= identifer
class A {
int b;
}

15. What’s the Purpose of a Parser ?
Grammar Tokens
Abstract Syntax Tree
The most famous parser generator is ANTLR

16. Abstract Syntax Tree
class_declaration
class_body
field_declaration
type
identifier:Aclass
{ }
;identifier:b
identifier:int

17. Syntactic Analysis
class A {
int b;
foo(int b) {
this.b = b;
}
}

18. Semantic Analysis
Only two things are infinite, the universe and human
stupidity, and I am not sure about the former.
Albert E.

19. Semantic Analysis
Only two things are infinite, the universe and human
stupidity, and I am not sure about the former.
Albert E.

20. Semantic Analysis
class A {
int b;
A(int b) {
this.b = b;
}
}

21. Java Pop Quizz
interface F1 {
}
interface F2 {
}

22. Java Pop Quizz
class A<T extends F1 & F2>{
void fun(F1 f1){}
void fun(T t){}
}

23. Java Pop Quizz
class A<T extends F2 & F1>{
void fun(F1 f1){}
void fun(T t){}
}

24. Java Pop Quizz
The erasure of a type
variable is the erasure of
its leftmost bound.

25. How Do You Know That ?
JLS is your best friend
https://docs.oracle.com/javase/specs/jls/se9/html/index.html

26. But Semantic Analysis Is Not Enough

27. Beyond Semantic: Symbolic Execution
Context-Sensitive
Path-Sensitive
Data Flow Analysis

28. Beyond Semantic: Symbolic Execution
Object myObject = new Object();
if(a) { myObject = null; }
...
if( !a ) { ... }
else { myObject.toString(); } //NPE

29. Beyond Semantic: Symbolic Execution
Object myObject = new Object();
if(a) { myObject = null; }
...
if( !a ) { … }
else { myObject.toString(); } //NPE
Program State#0
myObject != null

30. Beyond Semantic: Symbolic Execution
Object myObject = new Object();
if(a) { myObject = null; }
...
if( !a ) { … }
else { myObject.toString(); } //NPE
Program State#0
myObject != null
Program State#1
myObject != null
a = false
Program State#2
myObject = null
a = true

31. Beyond Semantic: Symbolic Execution
...
if( !a ) { … }
else {
myObject.toString(); // NPE
}
Program State#1
myObject != null
a = false
Program State#2
myObject = null
a = true

32. Beyond Semantic: Symbolic Execution
...
if( !a ) { … }
else {
myObject.toString(); // NPE
}
Program State#1
myObject != null
a = false
Program State#2
myObject = null
a = true
Program State#3
...

33. Beyond Semantic: Symbolic Execution
...
if( !a ) { … }
else {
myObject.toString(); // NPE
}
Program State#1
myObject != null
a = false
Program State#2
myObject = null
a = true
Program State#3
...

34. Beyond Semantic: Symbolic Execution
...
if( !a ) { … }
else {
myObject.toString(); // NPE
}
Program State#1
myObject != null
a = false
Program State#2
myObject = null
a = true

35. Beyond Semantic: Symbolic Execution
...
if( !a ) { … }
else {
myObject.toString(); // NPE
}
Program State#1
myObject != null
a = false
Program State#2
myObject = null
a = true

36. Beyond Semantic: Symbolic Execution
...
if( !a ) { … }
else {
myObject.toString(); // NPE
}
Program State#1
myObject != null
a = false
Program State#2
myObject = null
a = true
Program State#4
myObject = null
a = true

37. Explosion of States
if(a) {...} else {...}
if(b) {...} else {...}
if(c) {...} else {...}
foo(); //evaluated 8 times

38. Complex Arithmetic Expressions
if(a + 1 < (b* 10 - 39) ) {
if( b > a/10 + 4 ) { … }
}
See https://fr.wikipedia.org/wiki/Satisfiability_modulo_theories

39. Replay The Symbolic Execution

40. Interprocedural Analysis
Object foo(boolean a) {
if(a) return null;
return new Object();
}
void bar() {
foo(true).toString(); // NPE
}

41. Method Behavior
Object foo(boolean a) {
if(a) return null;
return new Object();
}
[a -> true, return null ]
[a ->false, return !null ]

42. Match of Method Yield
void bar() {
foo(true).toString(); // NPE
}
[a -> true, return null ]
[a ->false, return !null ] <- Not possible

43. What is Static Analysis ?
Analyzing code,
without executing it.
by (symbolically) executing
all possible paths!

44. A New Paradigm To
Manage Code Quality

45. ▪ Total amount of TD can be depressing
▪ How to get a budget to fix old TD?
▪ Risk of injecting functional regression
▪ This is not fun!
This is Hard

46. ▪ Too late
▪ Pushback from teams
▪ Lack of ownership
▪ Heterogeneous requirements
▪ Quality gate
Challenges

48. Reimbursing the Debt

49. ▪ No new bugs
▪ No new vulnerabilities
▪ Coverage on new code > 80%
▪ Technical Debt on new code < 5%
Changing the Game

50. Want to apply at SonarSource ?
Drop me an email : freddy.mallet@sonarsource.com

51. GenevaJug
THANKS !
@sonarqube
@sonarlint
@FreddyMallet