-=Mizo=- has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I am interested in programming a code analyzer with Perl which is going to be used to check for flaws in C code and PHP, so I really don't know how to start. I mean, is there a specific module which would help, or shall I do it with a database of signatures? I appreciate your help.

Replies are listed 'Best First'.
Re: Code analyzing with perl?
by moritz (Cardinal) on Jun 18, 2008 at 16:39 UTC
    There are different approaches, and which one you want to use depends on your goals.

    You'll get the fastest results by using an existing tool such as lint or one of the million other static source code checkers.

    If you want to invest much time, you could write your own tool like that, but the fact that you asked that question in the first place likely means that it's not the solution you are looking for. There has been quite some research in that area; it's worth looking at the results before writing your own tool.

    Finally, you can just use a bunch of regexes to search for potentially dangerous stuff (search for system, for example).

    But it all depends on what you want to achieve. If you tell us, we can help you better.

      My goal is to make a project which detects vulnerabilities in C code and PHP, or one of them. I am afraid that regular expressions would give many faulty warnings; I mean, about 60% of the results will be correct and the others will be faulty. I don't know if using AI will be a good choice or whether there is a simpler and better way than using AI. I really appreciate your reply.
        With that goal in mind I don't see how you can avoid parsing the files, and doing a "real" semantic analysis.
Re: Code analyzing with perl?
by dragonchild (Archbishop) on Jun 18, 2008 at 19:02 UTC
    In other words, you want to write something that will lex, parse, and analyze C and PHP. Those are three separate (though somewhat related) problems. So, first lex and parse the C (or PHP) into a data structure. Then, you analyze that data structure for anything you consider to be a flaw. Take a look at PPI for how to lex and parse a language (in this case, Perl). Alternately, you'll want to use something like flex and yacc (Parse::Flex and Parse::Eyapp are good modules to start with).

    My criteria for good software:
    1. Does it work?
    2. Can someone else come in, make a change, and be reasonably certain no bugs were introduced?
      The project will be checking the source for specific bugs like buffer overflows, heap overflows, etc. in C code and remote file include, local file include, etc. in PHP code. I'll take a look at the 2 modules. Thank you a lot for your help.
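
The thread contrasts a plain regex search with lexing the source before analyzing it; the following added example (not code from any of the posters) shows both on the same input. The helper names `lex_c`, `find_risky_calls` and `grep_risky`, the function list and the C sample are constructed for illustration, and the lexer covers only comments, literals and identifiers, with no parsing step.

```perl
use strict;
use warnings;
my %RISKY = map { $_ => 1 } qw(gets strcpy strcat sprintf system);  # constructed list

# Lex: split C source into tokens, dropping whitespace and comments and keeping
# each string/char literal as one token so its contents are never read as code.
sub lex_c {
    my ($src, $line, @tokens) = (shift, 1);
    while ($src =~ m{ \G (?: (?<skip>   \s+ | /\*.*?\*/ | //[^\n]* )
                           | (?<string> "(?:\\.|[^"\\])*" | '(?:\\.|[^'\\])*' )
                           | (?<ident>  [A-Za-z_]\w* )
                           | (?<other>  . ) ) }gcxs) {
        my ($type) = grep { defined $+{$_} } qw(skip string ident other);
        my $text = $+{$type};
        push @tokens, { type => $type, text => $text, line => $line } if $type ne 'skip';
        $line += ($text =~ tr/\n//);
    }
    return \@tokens;
}

# Analyze: report a risky name only when the next token is "(", i.e. a call.
sub find_risky_calls {
    my $tok = lex_c(shift);
    return map  { "$tok->[$_]{text}:$tok->[$_]{line}" }
           grep { $tok->[$_]{type} eq 'ident' && $RISKY{ $tok->[$_]{text} }
                  && $tok->[$_ + 1]{text} eq '(' } 0 .. $#$tok - 1;
}

# The regex-only approach for comparison: match the same names line by line.
sub grep_risky {
    my ($n, @hits) = (0);
    my $names = join '|', sort keys %RISKY;
    for my $l (split /\n/, shift) {
        $n++;
        push @hits, "$1:$n" while $l =~ /\b($names)\b/g;
    }
    return @hits;
}

my $sample = <<'END_C';   # constructed sample input
/* TODO: stop using strcpy() here */
void copy(char *dst, const char *src) {
    const char *msg = "never call gets(buf)";
    int system_ready = 1;   // system(cmd) was removed
    strcpy(dst, src);
}
END_C

print "regex only: @{[ grep_risky($sample) ]}\n";
print "lex + scan: @{[ find_risky_calls($sample) ]}\n";
```

Each result is printed as name:line. On this sample the regex scan also reports the names that appear only inside comments and the string literal, while the token scan reports just the real `strcpy` call.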