• Jonathan M. Wilbur (4/4) Apr 28 2018 Does anybody know of a SAST tool that can scan D code for
• Stefan Koch (8/12) Apr 28 2018 No. Besides analyzing D code is normally quite useless,
• Cym13 (22/34) Apr 28 2018 Meh. That's far from true.
• Vladimir Panteleev (14/18) Apr 28 2018 There is DScanner which does some linting, but it is not

Jonathan M. Wilbur <jonathan wilbur.space> writes:

Does anybody know of a SAST tool that can scan D code for 
security vulnerabilities? In other words, does anybody know of 
something that will analyze raw D source code for security 
vulnerabilities that the human eye may have missed?

Stefan Koch <uplink.coder googlemail.com> writes:

On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur 
wrote:
 Does anybody know of a SAST tool that can scan D code for 
 security vulnerabilities? In other words, does anybody know of 
 something that will analyze raw D source code for security 
 vulnerabilities that the human eye may have missed?

No. Besides analyzing D code is normally quite useless,
as the tool will be blind once it hits the first template.

Security vulnerabilities, are usually nothing which can be
caught by static analysis on  source code.
As they are highly dependent on which shape the generate machine 
code takes.

Cym13 <cpicard openmailbox.org> writes:

On Saturday, 28 April 2018 at 16:01:44 UTC, Stefan Koch wrote:
 On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur 
 wrote:
 Does anybody know of a SAST tool that can scan D code for 
 security vulnerabilities? In other words, does anybody know of 
 something that will analyze raw D source code for security 
 vulnerabilities that the human eye may have missed?

 No. Besides analyzing D code is normally quite useless,
 as the tool will be blind once it hits the first template.

 Security vulnerabilities, are usually nothing which can be
 caught by static analysis on  source code.
 As they are highly dependent on which shape the generate 
 machine code takes.

Meh. That's far from true.

My experience as a professional with experience in both 
pentesting, static analysis and reverse engineering is that 
finding vulnerabilities on compiled code is generally way *way* 
less efficient, be it only because all vulnerabilities aren't at 
the same level. It is by far the least efficient of the three 
when considering the ratio number*criticality/analysis_time.

High-level things like missing authentication to access a given 
resource are much easier to spot by static analysis. Same for 
crypto mistakes, and about everything really.

Some vulnerabilities are easier to find dynamically (a recent 
use-after-free in a multithreaded context comes to mind), but 
saying that static analysis can't find useful things is 
completely false. Besides, as "cool" as memory corruptions and 
other integer overflow issues may be they're far from being the 
only important vulnerabilities present in an application. I'll 
take a /tmp/log.txt over a buffer overflow any day.

That said, no, I don't know of any software on the market working 
with D code, and yeah, templates do make the task harder for an 
automated tool. Not that I'd trust one over the eye of a 
professional anyway. They're helpful but not as efficient.

Vladimir Panteleev <thecybershadow.lists gmail.com> writes:

On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur 
wrote:
 Does anybody know of a SAST tool that can scan D code for 
 security vulnerabilities? In other words, does anybody know of 
 something that will analyze raw D source code for security 
 vulnerabilities that the human eye may have missed?

There is DScanner which does some linting, but it is not 
specifically security oriented.

Speaking strictly of memory safety, some parts of D are designed 
to make security audits much easier than C/C++:

- If your programs are  safe (i.e. the module starts with  safe: 
, as should be the case for a security-critical application), you 
only need to review  trusted code (and, as necessary, any  system 
code called by the  trusted code).

- Casts are done with an explicit keyword (cast) to make such 
auditing easier. (Code that uses casts to convert between 
non-reference types can use std.conv.to instead, to speed up  
future audits.)