Coffee & Security edited this page Apr 27, 2024 · 5 revisions

Daksh SCRA (Source Code Review Assist) is an open source tool designed to help with manual source code reviews by providing various information about the code base and identifying potential vulnerabilities. Unlike traditional code review tools, Daksh SCRA aims to assist a code reviewer in the tedious manual tasks needed to confirm findings and be precise with the review. Although there are automated code review tools available, none of them offer code base reconnaissance or provide useful insights to a code reviewer.

Daksh SCRA attempts to identify the following key areas to aid the code review process.

  • Technologies / platforms used
  • Functionalities
  • Use cases
  • Points of interest (vulnerable patterns)
  • Libraries used, and more

A typical code review tool has a database of vulnerable patterns to scan for in the code, but often generates a high number of false positives depending on the tool's maturity. Filtering out false positives requires an experienced code reviewer or security-aware developer. In contrast, Daksh SCRA is a reconnaissance tool designed to provide useful insights to code reviewers about the target code base, including identifying vulnerable patterns. Although still in its early stages, Daksh SCRA supports multiple languages/platforms and will include additional features in future releases.

Key Features:

  • Automated Area of Interest Identification: Daksh SCRA automates the identification of areas of interest, both within source files and in file paths. This enables code reviewers to focus their investigation on relevant areas for a more efficient review.

  • Intelligent Technology Reconnaissance: By intelligently identifying the technologies utilized in the project, Daksh SCRA enables code reviewers to perform scans using appropriate rules. This ensures a targeted and effective review process.

  • Comprehensive Reporting with Guidance: Daksh SCRA generates reports that provide guidance for both developers and code reviewers. This comprehensive output aids in understanding and addressing potential vulnerabilities discovered during the review.

Frequently Asked Questions (FAQs)

Q: Is Daksh SCRA's code review purely based on rule matching?

A: No, Daksh SCRA stands out from traditional code review tools by employing a nuanced approach to identifying potential bugs. Instead of flagging everything that matches a specific rule pattern as a bug, the tool highlights points of interest that merit closer examination.

Q: How does Daksh SCRA identify potential bugs then?

A: The tool utilizes rules files for each supported platform to pinpoint areas requiring manual inspection. These rules files serve as guidelines for identifying potential bugs, rather than strict rules for flagging vulnerabilities.

Q: Can you provide an example of how this works?

A: Sure! For instance, if the tool detects the use of $_GET in PHP code, it will flag it as a point of interest for manual inspection. This prompts reviewers to examine the code closely to confirm the presence of any bugs related to the use of $_GET.
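To illustrate the points-of-interest approach described above, here is an added example (not Daksh SCRA's own code; the rules format, rule ids and sample PHP are constructed for this illustration). It scans source lines against per-platform rules and reports each match as something for the reviewer to confirm, with a guidance note, rather than as a vulnerability:

```python
import re

# Constructed rules in the spirit of a per-platform rules file (hypothetical
# format, not Daksh SCRA's own). Each rule marks a point of interest, not a bug.
PHP_RULES = [
    {"id": "php-superglobal-input",
     "pattern": r"\$_(GET|POST|REQUEST|COOKIE)\b",
     "note": "Untrusted input is read here; trace where it flows and check validation."},
    {"id": "php-dynamic-eval",
     "pattern": r"\beval\s*\(",
     "note": "Dynamic code execution; confirm the argument cannot be influenced by input."},
    {"id": "php-db-query",
     "pattern": r"(\bmysqli_query|->query)\s*\(",
     "note": "Database query; check whether parameters are bound or concatenated."},
]

# Constructed sample PHP source, used only to exercise the scanner.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = htmlspecialchars($_POST['name']);
$result = $mysqli->query("SELECT * FROM users WHERE id = " . $id);
echo "done";
"""


def scan_points_of_interest(source, rules=PHP_RULES):
    """Return one record per rule hit: (line number, rule id, stripped line, note).

    Every hit is a place for the reviewer to look, not a confirmed finding;
    the note says what the reviewer needs to confirm manually.
    """
    compiled = [(r["id"], re.compile(r["pattern"]), r["note"]) for r in rules]
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, regex, note in compiled:
            if regex.search(line):
                hits.append((lineno, rule_id, line.strip(), note))
    return hits


def summarize(hits):
    """Count hits per rule so the reviewer sees which areas dominate the code base."""
    counts = {}
    for _, rule_id, _, _ in hits:
        counts[rule_id] = counts.get(rule_id, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, rule_id, text, note in scan_points_of_interest(SAMPLE_PHP):
        print(f"line {lineno} [{rule_id}] {text}\n    reviewer note: {note}")
```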

Q: How does this approach benefit code reviewers?

A: By focusing on identified points of interest, Daksh SCRA gives code reviewers more control over which findings they confirm as accurate. This approach helps reduce false positives, especially as reviewers become more familiar with the codebase over time.

Q: Where can I find more information about Daksh SCRA's code review process?

A: You can refer to the generated report, which includes guidance notes for both developers and security reviewers. These notes direct attention to specific areas for potential bugs related to identified points of interest, providing valuable insights into the code review process.
