Static Analysis from wolfSSL with GrammaTech’s CodeSonar

*Jointly posted with GrammaTech 

wolfSSL is a lightweight embedded SSL/TLS library, and we pride ourselves on being the best-tested crypto and SSL/TLS stack available on the market. From API unit testing to fuzz testing to continuous integration, we do it all to ensure we are secure for our customers. Now we are adding another static analysis tool to the arsenal, GrammaTech's CodeSonar, for even more security assurance.

Static analysis, known in its security-focused form as static application security testing (SAST), is the process of using a tool to scan source code for bugs and defects without actually running the program. CodeSonar's analysis of our codebase revealed still more places to make sure all of our bases are covered and security is maximized. By presenting each defect with a thorough description and a visualization of how it is reached, CodeSonar let us come up with quick and efficient fixes. Setting up the tool was straightforward, and a full scan of the wolfSSL code base took about two hours. The figure below offers a brief summary of the warnings generated by the analysis.

We reviewed all the warnings and marked them appropriately. CodeSonar also lets us list only the new warnings introduced by a given code change, which makes it easy to maintain our security posture as the code evolves.

These were the defects detected throughout the hundreds of thousands of lines of code in the wolfSSL code base. Most of the Buffer Overrun warnings point at copies that already have safeguards around them, such as a length check before the copy, so the overrun cannot happen during execution. A majority of the Uninitialized Variable warnings arise from the way wolfSSL initializes keys and other structs: they are set up by constructor-style init functions rather than being initialized directly where they are declared, and the analyzer does not always credit the initialization performed inside the call. And the Null Pointer Dereference warnings fall on checks that are there to guarantee that nothing in the code makes it past the point where it needs to be stopped.

CodeSonar did help us uncover possible leaks, which we were able to fix within a day. With CodeSonar, our development team can take swift and methodical action whenever a problem is uncovered. We know that is what customers like to hear! So if you would like the peace of mind of knowing that your product incorporates a cutting-edge, lightweight and secure TLS/cryptography library, download wolfSSL.
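The following is an added example, not wolfSSL or CodeSonar code, that shows in plain C what the warning classes discussed above typically look like in practice: a guarded copy that a Buffer Overrun checker may still report, a struct initialized by a constructor-style function that an Uninitialized Variable checker may flag, and, for contrast, a genuine leak on an error path next to its fix. The names Session, Key, key_init and the rest are invented for the illustration, and the fail_scratch parameter is an assumed switch that stands in for a failing allocation so the error path can be exercised deterministically.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Illustration only: none of this is wolfSSL code. Session, Key,
 * key_init() and the other names are invented for this example. */

#define MAX_ID 32

typedef struct { unsigned char id[MAX_ID]; size_t idLen; } Session;

/* 1. "Buffer Overrun" with a safeguard in front of it: the length check
 *    makes the memcpy safe. A tool that cannot relate len to MAX_ID at
 *    the copy still reports it; the report is triaged as non-executable. */
int session_set_id(Session *s, const unsigned char *id, size_t len)
{
    if (s == NULL || id == NULL) return -1;
    if (len > MAX_ID) return -1;            /* the safeguard */
    memcpy(s->id, id, len);
    s->idLen = len;
    return 0;
}

/* Exercise the guard with a caller-chosen length (constructed input). */
int session_set_id_result(size_t len)
{
    Session s;
    unsigned char id[64];
    memset(id, 0x07, sizeof(id));
    return session_set_id(&s, id, len);
}

typedef struct { unsigned char n[16]; int type; void *heap; } Key;

/* 2. "Uninitialized Variable" from constructor-style initialization:
 *    every field is assigned in key_init(), not at the declaration. */
int key_init(Key *k)
{
    if (k == NULL) return -1;
    memset(k->n, 0, sizeof(k->n));
    k->type = 1;
    k->heap = NULL;
    return 0;
}

/* Reading k.type after key_init() is fine at run time, but a tool that
 * does not credit the initialization inside the call reports a read of
 * a variable that was never assigned. */
int key_type_after_init(void)
{
    Key k;                                  /* deliberately no initializer */
    if (key_init(&k) != 0) return -1;
    return k.type;
}

/* The same logic with direct initialization never draws the warning. */
int key_type_direct_init(void)
{
    Key k = {{0}, 0, NULL};
    if (key_init(&k) != 0) return -1;
    return k.type;
}

/* 3. A true positive: a leak on an error path. fail_scratch (assumed
 *    switch) simulates the second allocation failing so it can be hit. */
unsigned char *fill_via_scratch_leaky(size_t n, int fail_scratch)
{
    unsigned char *out = malloc(n);
    unsigned char *scratch = fail_scratch ? NULL : malloc(n);
    if (out == NULL || scratch == NULL) return NULL; /* out leaks here */
    memset(scratch, 0x5A, n);
    memcpy(out, scratch, n);
    free(scratch);
    return out;
}

/* Fixed: every exit releases what was acquired before it. */
unsigned char *fill_via_scratch_fixed(size_t n, int fail_scratch)
{
    unsigned char *out = malloc(n);
    if (out == NULL) return NULL;
    unsigned char *scratch = fail_scratch ? NULL : malloc(n);
    if (scratch == NULL) { free(out); return NULL; } /* the missing cleanup */
    memset(scratch, 0x5A, n);
    memcpy(out, scratch, n);
    free(scratch);
    return out;
}

/* Returns 1 if the fixed version produced an n-byte 0x5A buffer, 0 if it
 * took the failure path; frees the buffer either way. */
int fill_via_scratch_fixed_ok(size_t n, int fail_scratch)
{
    unsigned char *p = fill_via_scratch_fixed(n, fail_scratch);
    if (p == NULL) return 0;
    int ok = (p[0] == 0x5A && p[n - 1] == 0x5A);
    free(p);
    return ok;
}
```

The first two patterns are the ones that get marked as reviewed rather than fixed: the guard and the init call make them safe at run time even though a checker that does not follow the length relation or the call reports them. The third is the kind of finding that is worth a same-day fix, and running the analyzer again after the change is how the fix is confirmed.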

Need more? Subscribe to our YouTube page for access to webinars.

Love it? Star us on GitHub!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.