lioson, posted March 12

I have a Pascal project and am looking for a static scanning tool for security code review for the Pascal programming language. All the tools I have found so far were only for performance code review, not for security. Does anyone know a tool that can do the job? I expect a scanning tool to help me find security flaws in my project, but I couldn't find a good security tool.
Der schöne Günther, posted March 12 (edited March 12 by Der schöne Günther)

There is a Delphi plugin for SonarQube which only does very basic analysis. It could probably be extended.
https://github.com/Embarcadero/SonarDelphi

Apart from that, I am not aware of anything else.
Darian Miller, posted March 12

Sonar is a widely used tool. This is the latest plug-in to use: https://github.com/integrated-application-development/sonar-delphi
There are a handful of GitHub repos with sonar-delphi, but this one has combined all the changes into one and is being actively developed.

Kiuwan is a specific tool for application security and it is an Idera brand... but they don't support Delphi code scanning. I've asked them multiple times for Delphi support over the last few years, and it's always been 'on the radar' but no progress has been made as far as I can tell. https://www.kiuwan.com/
See their FAQ for programming language support: https://www.kiuwan.com/docs/display/K5/FAQs+-+Frequently+Asked+Questions
I believe they do offer Exe scans... I don't recall as it's been a year or so since I last looked at them.

The problem is that most of these advanced tools simply do not support Delphi and I haven't seen anyone else push to get support added. (Another example: https://docs.snyk.io/getting-started/supported-languages-frameworks-and-feature-availability-overview)

There are companies out there where you can submit your Windows executable for runtime analysis. They typically charge for each scan. Most seem to be obscure, potentially hard to find, and expensive. I just did a Google search and found these potentials (which I haven't used at all and do not necessarily recommend - but it should get you started.)
https://secureteam.co.uk/services/application-penetration-testing/desktop-application-security-assessment/
https://cobweb-security.com/service/desktop-application-security-assessment/
https://roundsec.io/desktop-application-security-assessment/

One of the old-school leaders of software analysis is "Understand" from https://scitools.com/
Here is their supported languages list, which includes Delphi: https://support.scitools.com/support/solutions/articles/70000582794-supported-languages

If you are looking for general static code analysis, the best source for Delphi is: https://peganza.com/

You can use static code analysis tools like Sonar, Understand, Peganza to satisfy some security audits as well, as they want you to have some automation to trigger anomalies and non-standard coding practices.

The current trend is to build these tools into the IDE so that your code gets flagged for security issues while you are editing it, and many of the obvious issues are mitigated before the code is committed. For Delphi, this includes Pascal Expert (https://peganza.com/products.html#PEX) and FixInsight (https://www.tmssoftware.com/site/fixinsight.asp)

In general, some of the things to look for: https://owasp.org/www-project-desktop-app-security-top-10/
Darian Miller, posted March 13

Note that Ian recently did a webinar on this topic with a guy from: https://dersecur.com/main
Apparently they have a Code Analysis security tool with support for Delphi.
JonRobertson, posted March 13

1 hour ago, Darian Miller said:
    Apparently they have a Code Analysis security tool with support for Delphi.

Apparently is possibly accurate. Supposedly is more accurate, at least that was the case six months ago.
My rant on DerScanner