February 05, 2007
Klocwork Releases Source-code Analysis Tool
On January 29th, Klocwork (klocwork.com) released a unique tool to detect defects and security vulnerabilities in source code.
The Klocwork Developer for Java (KDJ) is available as an Eclipse plug-in, so it integrates directly with the most widely used Java development environment. The goal of the plug-in is to provide static code analysis that can do the following:
- Detect critical Java defects: detect hundreds of defects, including array bound violations, null object dereferences, resource leaks, and so on.
- Detect security vulnerabilities: detect potential security issues such as cross-site scripting, SQL injection, process creation (command) injection, and other vulnerability classes from the Open Web Application Security Project (OWASP) Top 10 list.
- Reduce the footprint of Java applications
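To make the defect classes in that list concrete, here is an added, constructed Java example (not code from the original post, and not Klocwork's own code or checker output). Each "Vulnerable" method shows the pattern a static analyzer of this kind should flag, and the "Safe" method beside it shows the fix. The `users` table, the file names and the method names are made up for illustration; the resource-leak fix assumes Java 7 or later for try-with-resources.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Map;

// Constructed examples of the defect classes discussed above. Nothing here is
// Klocwork's code; the table and file names are hypothetical.
public class DefectPatterns {

    // SQL injection: the caller-supplied name is concatenated into the query,
    // so a value such as  x' OR '1'='1  changes the statement's meaning.
    static ResultSet findUserVulnerable(Connection conn, String name) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id FROM users WHERE name = '" + name + "'");
    }

    // Fix: a parameterized query keeps data and SQL separate.
    static ResultSet findUserSafe(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // Process creation injection: the input is handed to a shell, so a value
    // like  report.txt; rm -rf /  runs a second command.
    static Process catFileVulnerable(String file) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "cat " + file});
    }

    // Fix: no shell, the value is a single argv element, and it is validated
    // against an allow-list pattern before use.
    static Process catFileSafe(String file) throws IOException {
        if (!file.matches("[A-Za-z0-9_.-]+")) {
            throw new IllegalArgumentException("invalid file name");
        }
        return new ProcessBuilder("/bin/cat", file).start();
    }

    // Resource leak: if readLine() throws, close() is never reached.
    static String firstLineVulnerable(String path) throws IOException {
        BufferedReader r = new BufferedReader(new FileReader(path));
        String line = r.readLine();
        r.close();
        return line;
    }

    // Fix: try-with-resources closes the reader on every exit path.
    static String firstLineSafe(String path) throws IOException {
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            return r.readLine();
        }
    }

    // Null object dereference: Map.get returns null for a missing key, and
    // length() is then called on that null.
    static int valueLengthVulnerable(Map<String, String> m, String key) {
        String v = m.get(key);
        return v.length();
    }

    // Fix: test for null before dereferencing.
    static int valueLengthSafe(Map<String, String> m, String key) {
        String v = m.get(key);
        return v == null ? 0 : v.length();
    }

    // Array bound violation: the loop reads one element past the end.
    static int sumVulnerable(int[] a) {
        int total = 0;
        for (int i = 0; i <= a.length; i++) {
            total += a[i];
        }
        return total;
    }

    // Fix: iterate strictly below the array length.
    static int sumSafe(int[] a) {
        int total = 0;
        for (int i = 0; i < a.length; i++) {
            total += a[i];
        }
        return total;
    }
}
```

The point of pairing each pattern with its fix is that a good analyzer reports the vulnerable form with enough context (the tainted source, the dangerous sink, the unchecked path) that a developer can recognize the corresponding fix without reading a textbook; that is the kind of per-issue guidance the rest of this post describes.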
What I particularly like about the product is that Klocwork looked at other static source-code analysis tools, and studied developer psychology when dealing with them. The result is a well-thought-out, and extremely useful, product. For instance, one common complaint about other analysis tools is the amount and verbosity of the output. You tend to get so overwhelmed with trivial issues that the real problems become buried in output that must be combed through. One of Klocwork's goals was to eliminate this issue.
The KDJ includes features that allow you to focus the analysis on all, or just portions, of your code. Simply right-click on an Eclipse project, a group of files, or a single file within it, and choose to analyze your code. A lot of effort was spent on making the resulting analysis accurate, reducing the useless or outright wrong reports (false positives) seen with other tools. Further, the KDJ ranks the issues it finds, which allows you to focus on the top-priority problems or vulnerabilities first. You can re-rank individual issues as you see fit, filter the results to focus on the issues that matter to your specific project, and flag inaccurate results so that they are suppressed in future runs.
State is maintained with each reported defect or issue. Therefore, if you re-rank a particular issue, that fact is remembered each time you perform the analysis, even if code changes are made to the particular project or file. When the time comes to address the issues reported, comprehensive help is available for each issue/defect type, along with suggestions to help fix the problem or vulnerability. I was particularly impressed with this feature as it went into good detail, and provided useful information and code samples.
Klocwork offers versions of the Developer tool for both Java and C++. There are Developer and Enterprise offerings that provide different feature sets at two different price points. Additionally, a 30-day trial download is available for the Java Developer edition. Try it for yourself and see if you agree that this product is a unique, useful, and necessary addition to your toolkit.
-EJB
Posted by Eric Bruno at 09:25 AM