Static Code Analysis
Before we actually start attacking the application and analyzing its vulnerabilities by hand, we can run static code analysis. Static code analysis is the process of analyzing the source code of the application without running it. It is a very useful technique for getting an initial picture of the application and its vulnerabilities.
Static Code Analysis Tools
There are many tools available to serve this purpose. They differ in their features and capabilities, in whether they are free or commercial, etc. Some of the popular tools are:
- Snyk (Free)
- SonarQube (Free)
- Checkmarx (Commercial)
For this tutorial, we will be using Snyk.
Snyk
Snyk also provides plugins for many IDEs, but we will be using the Snyk CLI because it is more powerful and independent of the IDE.
Snyk CLI
Snyk CLI is already installed in the remote machine. You can check it by running the following command:
snyk --version
Snyk Authentication
Snyk CLI requires authentication to work. You can authenticate by running the following command in the project directory:
snyk auth
Sometimes, when Google Chrome opens automatically after you run the command, you might lose your internet connection. In that case, try restarting your connection, or close the VM with the Save state option and open it again. This should resolve this unpredictable issue.
You will be redirected to a web page where you can log in or register using your GitHub or Google account.
After a successful login or registration, click the Authenticate button and return to the terminal.
In the terminal, you will get a message:
Your account has been authenticated. Snyk is now ready to be used.
Snyk settings
- Log in to the Snyk dashboard through the official website.
- To give Snyk access and permission to scan your whole codebase, enable it under Settings->Snyk Code->Enable Snyk Code. Click the toggle to enable it and save the changes.
Now you are all set to run the static code analysis through CLI commands.
Analysis
Run the following command to view all commands available, with their description:
snyk
For the purpose of this demo, we will be using the following commands:
- In the root directory of the project, run:
snyk code test
This command will run the static code analysis on the whole codebase and will show the results in the terminal.
- When we want to analyze the dependencies, navigate to the directory where the dependencies are installed (server or client) and run:
snyk test
Alternatively, you can run:
snyk monitor
This command will continuously monitor the dependencies and will show the results in the browser.
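As an added example (not Snyk's own tooling and not code from the course project), a small script that consumes the JSON produced by `snyk test --json` for the server and client directories and applies the same severity gate as the CLI's --severity-threshold option. The report field names and the embedded sample reports are assumptions, constructed here rather than captured from a real scan:

```python
import json
from collections import Counter

SEVERITIES = ("low", "medium", "high", "critical")

# Constructed sample `snyk test --json` reports, one per directory the
# tutorial scans. Not real scan output; IDs and packages are placeholders.
# Assumed field names: "ok", "vulnerabilities", "severity", "id",
# "packageName", "version", "isUpgradable" (from the Snyk CLI JSON format).
SAMPLE_REPORTS = {
    "server": json.dumps({"ok": False, "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "severity": "high",
         "packageName": "example-pkg", "version": "1.0.0",
         "isUpgradable": True},
        {"id": "SNYK-EXAMPLE-0002", "severity": "low",
         "packageName": "other-pkg", "version": "2.3.4",
         "isUpgradable": False},
    ]}),
    "client": json.dumps({"ok": True, "vulnerabilities": []}),
}

def summarize(report_json):
    """Count findings per severity and how many have an upgrade path."""
    report = json.loads(report_json)
    counts, upgradable = Counter(), 0
    for vuln in report.get("vulnerabilities", []):
        counts[vuln.get("severity", "low").lower()] += 1
        if vuln.get("isUpgradable"):
            upgradable += 1
    return counts, upgradable

def should_fail(counts, threshold="high"):
    """True when any finding is at or above `threshold`, the same rule
    the CLI applies with `snyk test --severity-threshold=<level>`."""
    floor = SEVERITIES.index(threshold)
    return any(counts[sev] > 0 for sev in SEVERITIES[floor:])

def triage(reports, threshold="high"):
    """Map each directory to (counts, upgradable, fail_build)."""
    verdicts = {}
    for name, report_json in reports.items():
        counts, upgradable = summarize(report_json)
        verdicts[name] = (counts, upgradable, should_fail(counts, threshold))
    return verdicts

if __name__ == "__main__":
    for name, (counts, upgradable, fail) in triage(SAMPLE_REPORTS).items():
        print(f"{name}: {dict(counts)} upgradable={upgradable}",
              "FAIL" if fail else "ok")
```

In a real pipeline you would replace SAMPLE_REPORTS with the captured output of `snyk test --json` from each directory.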
Static code analysis reveals the vulnerabilities it was able to find in the codebase. It is a great start when you want initial awareness, but as you will see later in the course, there are far more vulnerabilities than static code analysis was able to locate.
During the course, we will also be addressing the issues found by Snyk. By the end of the course, we should have fixed the majority of the vulnerabilities it reported.