Static Analysis / Code Scanning Tool (SAST) for D?
Vladimir Panteleev
thecybershadow.lists at gmail.com
Sat Apr 28 16:49:33 UTC 2018
On Saturday, 28 April 2018 at 15:30:01 UTC, Jonathan M. Wilbur wrote:
> Does anybody know of a SAST tool that can scan D code for
> security vulnerabilities? In other words, does anybody know of
> something that will analyze raw D source code for security
> vulnerabilities that the human eye may have missed?
There is DScanner which does some linting, but it is not
specifically security oriented.
Speaking strictly of memory safety, some parts of D are designed
to make security audits much easier than C/C++:
- If your programs are @safe (i.e. the module starts with `@safe:`, as should be the case for a security-critical application), you only need to review @trusted code (and, as necessary, any @system code called by the @trusted code).
- Casts are done with an explicit keyword (cast) to make such auditing easier. (Code that uses casts to convert between non-reference types can use std.conv.to instead, to speed up future audits.)
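As an added illustration of the two points above (example code written for this page, not part of Vladimir's reply or of any D project), here is a module that is @safe by default, confines the one @system call behind a single @trusted function, and shows why an explicit `cast` is worth auditing while `std.conv.to` is not. The names `cStringLength`, `lengthViaC`, `truncating` and `checked` are made up for the example.

```d
// The whole module is @safe by default; only explicitly marked
// declarations below may escape that check.
@safe:

import std.conv : to, ConvOverflowException;
import std.exception : assertThrown;
import std.stdio : writeln;
import core.stdc.string : strlen;

// @system: raw pointer handed to C. @safe code cannot call this directly,
// so every caller is forced through a @trusted wrapper.
@system size_t cStringLength(const(char)* p)
{
    return strlen(p);
}

// @trusted: the ONLY function an auditor must read closely in this module.
// Its job is to make the @system call sound: a D string is copied to a
// NUL-terminated buffer before the pointer reaches C.
@trusted size_t lengthViaC(string s)
{
    import std.string : toStringz;
    return cStringLength(s.toStringz);
}

// Explicit cast: easy to grep for during an audit, but it silently
// truncates (2^32 becomes 0).
uint truncating(ulong v)
{
    return cast(uint) v;
}

// std.conv.to: throws ConvOverflowException instead of truncating, and
// leaves no cast keyword behind for the auditor to review.
uint checked(ulong v)
{
    return v.to!uint;
}

void main()
{
    assert(lengthViaC("hello") == 5);
    assert(truncating(1UL << 32) == 0);                      // silent truncation
    assertThrown!ConvOverflowException(checked(1UL << 32));  // detected overflow
    assert(checked(42) == 42);
    writeln("ok");
}
```

Compile with `dmd example.d` (or `rdmd example.d`); removing the `@trusted` attribute from `lengthViaC` makes the module fail to compile, which is exactly the property that lets an auditor restrict review to the @trusted code.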