Product review: Klocwork Insight 8.0
Issue: Jun 2008

Management/Monitoring: B

Leveraging the Eclipse and Visual Studio native interfaces for developer integration was key to providing true engineering-level value. From the Eclipse interface, we could easily navigate through the source tree from the Windows Explorer-like folder system, and see the associated identified vulnerabilities and issues.

Double-clicking an issue, such as one we found for null pointer dereferencing, opens the associated file directly at the line in question. You can modify and save the code in the IDE as usual, or right-click the issue at the bottom to obtain sample "bad code" and documentation on the potential vulnerability.

Post-installation management is still immature, as DOS batch files are used to start and stop the Klocwork servers on local installations. It is also recommended that you manually stop all of the Klocwork components prior to rebooting your machine.

Since Insight is not yet capable of reviewing JavaScript, PHP and ASP, it is not the tool of choice for Web 2.0 applications. (Support for scripting languages will be available in a future release, Klocwork says.)


Reporting: A

We were blown away by Klocwork's reporting capabilities. The Web-based reporting interface, Insight Review, allows users to navigate through findings and recommendations, and drill down into specific components.

You can select one of the current projects your teams set up during configuration--typically, each application, product or tool has a standalone project created in Insight.

Once you select a project, the interface changes into a robust report-creation engine, with the ability to flag and group issues by severity, status and state. These reports are dynamic and contain active links or hyperlinks that allow you to gain further detail on specific issues. More than 300 issues were identified in one of the tests we ran, and creating the critical issues report took two minutes from start to finish. These issues were divided into logical code directories based upon the build structure.

All data views and graphical reports can be exported to PDF or CSV files, and detailed issue data broken down by file and line can be conveniently exported to XML.


Verdict

Klocwork's enterprise reporting and analysis techniques will help companies with structured programming ties to C/C++ and Java applications.


Testing methodology: We tested Klocwork on a Windows XP Professional SP2 workstation and on a fully patched Windows 2003 Server against several open source, C/C++ and Java applications utilizing the Eclipse IDE developer plug-in.

