lioson

Code Review for Delphi and Pascal

Recommended Posts

I have a Pascal project and am looking for a static scanning tool for security code review for the Pascal programming language.

All the tools out there that I found so far were only for performance code review and not for security.

Does anyone know a tool that can do the job?

I expect some scanning tool to help me find security flaws in my project, but I couldn't find a good security tool.


Sonar is a widely used tool.  This is the latest plug-in to use:  https://github.com/integrated-application-development/sonar-delphi   There are a handful of GitHub repos with sonar-delphi but this one has combined all the changes into one and is being actively developed.

 

Kiuwan is a specific tool for application security and it is an Idera brand...but they don't support Delphi code scanning.  I've asked them multiple times for Delphi support over the last few years, and it's always been 'on the radar' but no progress has been made as far as I can tell.  

https://www.kiuwan.com/   See their FAQ for programming language support: https://www.kiuwan.com/docs/display/K5/FAQs+-+Frequently+Asked+Questions

I believe they do offer Exe scans... I don't recall as it's been a year or so since I last looked at them.

 

The problem is that most of these advanced tools simply do not support Delphi and I haven't seen anyone else push to get support added.   (Another example: https://docs.snyk.io/getting-started/supported-languages-frameworks-and-feature-availability-overview)

 

There are companies out there where you can submit your Windows executable for runtime analysis.  They typically charge for each scan.  Most seem to be obscure, potentially hard to find, and expensive.

I just did a Google search and found these potentials (which I haven't used at all and do not necessarily recommend - but it should get you started.) 

https://secureteam.co.uk/services/application-penetration-testing/desktop-application-security-assessment/

https://cobweb-security.com/service/desktop-application-security-assessment/

https://roundsec.io/desktop-application-security-assessment/


One of the old-school leaders of software analysis is "Understand" from https://scitools.com/

Here is their supported languages list, which includes Delphi: https://support.scitools.com/support/solutions/articles/70000582794-supported-languages

 

If you are looking for general static code analysis, the best source for Delphi is: https://peganza.com/   

 

You can also use static code analysis tools like Sonar, Understand or Peganza to satisfy some security audits, as they want you to have some automation that flags anomalies and non-standard coding practices.

 

The current trend is to build these tools into the IDE so that your code gets flagged for security issues while you are editing it and many of the obvious issues are mitigated before the code is committed.

For Delphi, this includes Pascal Expert (https://peganza.com/products.html#PEX) and FixInsight (https://www.tmssoftware.com/site/fixinsight.asp)


In general, some of the things to look for:

https://owasp.org/www-project-desktop-app-security-top-10/

1 hour ago, Darian Miller said:

Apparently they have a Code Analysis security tool with support for Delphi.

Apparently is possibly accurate. Supposedly is more accurate, at least that was the case six months ago.

 

My rant on DerScanner
