The Software Engineering Institute’s (SEI) CERT Division at Carnegie Mellon University released an open-source static analysis aggregator/correlator this week. Source Code Analysis application (SCALe) is designed to find vulnerabilities in application source code via multiple, independent static analysis tools.
Compatible with any source code language, this public release of SCALe provides alerts based on two code security standards: the CERT Secure Coding Standards and MITRE’s Common Weakness Enumeration, the organization explained. Alerts can be audited from a browser-based interface, which prioritizes alerts and provides relevant supplementary information that can help find fixes quickly.
Other features include support for auditing software; support for C, C++, Java and Perl; a graphical user interface for analysis; and mappings for diagnostics.
“Using multiple static analysis tools can greatly increase the types of flaws found,” said Lori Flynn, senior software security researcher at the SEI. “The alerts must be examined by an expert who determines whether each alert represents an actual code defect. Typically there are too many alerts, and not all can be manually examined. The SCALe system is designed to make this process easier. We are researching ways to automate the process of accurate alert classification and sophisticated methods of alert prioritization, and this version of SCALe includes features added over the last three years intended to assist with that.”
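The aggregation, correlation and prioritization described above, as an added illustration written for this page (not SCALe’s own code): alerts from several tools are mapped onto a shared CERT rule and CWE id, merged when they point at the same location, and ranked so that locations flagged independently by more tools are audited first. The tool names, checker ids, the checker-to-CERT/CWE table and the sample alerts are all constructed assumptions, not SCALe’s real mapping data.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# One raw diagnostic as emitted by a single static analysis tool.
Alert = namedtuple("Alert", "tool checker path line message")

@dataclass
class Finding:
    """Alerts from one or more tools that point at the same location and CERT rule."""
    path: str
    line: int
    cert_rule: str
    cwe: str
    tools: set = field(default_factory=set)

# Constructed (tool, checker id) -> (CERT rule, CWE id) table; hypothetical, not SCALe's own mapping.
CHECKER_MAP = {
    ("toolA", "buffer-overflow"): ("ARR30-C", "CWE-119"),
    ("toolB", "array-bounds"): ("ARR30-C", "CWE-119"),
    ("toolA", "uninit-read"): ("EXP33-C", "CWE-457"),
    ("toolB", "format-string"): ("FIO30-C", "CWE-134"),
}

def correlate(alerts):
    """Merge alerts by (path, line, CERT rule); also return alerts with no known mapping."""
    findings, unmapped = {}, []
    for a in alerts:
        mapped = CHECKER_MAP.get((a.tool, a.checker))
        if mapped is None:  # unknown checker: keep it visible for triage, never drop silently
            unmapped.append(a)
            continue
        cert, cwe = mapped
        f = findings.setdefault((a.path, a.line, cert), Finding(a.path, a.line, cert, cwe))
        f.tools.add(a.tool)
    return list(findings.values()), unmapped

def prioritize(findings):
    """Locations flagged by more independent tools come first; path/line is a stable tiebreak."""
    return sorted(findings, key=lambda f: (-len(f.tools), f.path, f.line))

# Constructed sample alerts standing in for two tools' output on the same code base.
SAMPLE_ALERTS = [
    Alert("toolA", "buffer-overflow", "src/parse.c", 42, "index may exceed buffer size"),
    Alert("toolB", "array-bounds", "src/parse.c", 42, "possible out-of-bounds write"),
    Alert("toolA", "uninit-read", "src/main.c", 10, "variable read before assignment"),
    Alert("toolB", "format-string", "src/log.c", 77, "non-constant format string"),
    Alert("toolB", "misc-style", "src/log.c", 80, "line too long"),
]
def run(alerts=SAMPLE_ALERTS):
    findings, unmapped = correlate(alerts)
    return prioritize(findings), unmapped
```

Unmapped alerts are returned rather than discarded, so a reviewer can see which checkers still lack a CERT/CWE mapping instead of losing those diagnostics.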
More information about SCALe can be found at Carnegie Mellon University’s Software Engineering Institute project library, and source code and binaries are available at the project’s GitHub repository.