Static Analysis / Code Scanning Tool (SAST) for D?

Vladimir Panteleev thecybershadow.lists at gmail.com
Sat Apr 28 16:49:33 UTC 2018


On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur 
wrote:
> Does anybody know of a SAST tool that can scan D code for 
> security vulnerabilities? In other words, does anybody know of 
> something that will analyze raw D source code for security 
> vulnerabilities that the human eye may have missed?

There is DScanner which does some linting, but it is not 
specifically security oriented.

Speaking strictly of memory safety, some parts of D are designed 
to make security audits much easier than C/C++:

- If your programs are @safe (i.e. the module starts with @safe: 
, as should be the case for a security-critical application), you 
only need to review @trusted code (and, as necessary, any @system 
code called by the @trusted code).

- Casts are done with an explicit keyword (cast) to make such 
auditing easier. (Code that uses casts to convert between 
non-reference types can use std.conv.to instead, to speed up  
future audits.)



More information about the Digitalmars-d mailing list