4 Linting Flashcards
What is static code analysis?
Static program analysis is the analysis of computer software without actually running programs. It is usually performed as part of a code review and is carried out at the implementation phase of a security development lifecycle. Static code analysis is performed early in development, before software testing begins. Automated tools can assist programmers and developers in carrying out static analysis.
What types of static code analyzers do you know of?
Static code analyzers can be divided into:
* code style analyzers
* vulnerability scanning tools
* code performance optimizers
What are style guide analyzers for?
Code style analyzers check code against best practices so that real-world Ruby programmers can write code that can be maintained by other real-world Ruby programmers (RuboCop, Reek).
What are vulnerability scanning tools for?
Vulnerability scanning tools scan web applications—normally from the outside—to look for security vulnerabilities such as cross-site scripting, SQL injection, and command injection (Brakeman, bundler-audit).
What are code optimizers for?
Code performance improvers check the performance-related idioms used in your code and give advice on how to improve them (bundler-leak, Fasterer).
What is RuboCop?
RuboCop is a Ruby static code analyzer used to check whether code complies with Ruby community guidelines. Out of the box, it enforces many of the rules outlined in the Ruby Style Guide.
What is The Ruby Style Guide?
This Ruby style guide recommends best practices so that real-world Ruby programmers can write code that can be maintained by other real-world Ruby programmers. A style guide that reflects real-world usage gets used, while a style guide that holds to an ideal that has been rejected by the people it is supposed to help risks not getting used at all - no matter how good it is.
How do you configure RuboCop?
bundle exec rubocop
How do you use auto-correct mode in RuboCop?
bundle exec rubocop -A
What extensions are there for RuboCop? Are they all official?
Official extensions:
* rubocop-performance—performance optimization analysis
* rubocop-rails—Rails-specific analysis
* rubocop-rspec—RSpec-specific analysis
* rubocop-minitest—Minitest-specific analysis
* rubocop-rake—Rake-specific analysis
* rubocop-sequel—code style checking for the Sequel gem
Third-party extensions:
* rubocop-thread_safety—thread-safety analysis
* rubocop-require_tools—dynamic analysis for missing require statements
* rubocop-i18n—i18n wrapper function analysis (gettext and rails-i18n)
* Cookstyle—custom cops and config defaults for Chef Infra cookbooks
* rubocop-packaging—upstream best practices and coding conventions for downstream (e.g., Debian packages) compatibility
* rubocop-sorbet—Sorbet-specific analysis
How do you install RuboCop extensions?
Add a line for it in your Gemfile (setting the require option to false, as it is a standalone tool):
gem 'rubocop-performance', require: false
Put this into your .rubocop.yml:
require: rubocop-performance
Then run the command bundle install in the terminal.
What is a security vulnerability?
A vulnerability is a weakness that can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e., perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique for connecting to a system weakness. In this regard, vulnerabilities are also known as the attack surface.
How many types of vulnerabilities do you know of?
The Top 10 Web Application Security Risks in 2021:
* Broken Access Control—users cannot act outside of their intended permissions.
* Cryptographic Failures—passwords, credit card numbers, health records, personal information, and business secrets require extra protection.
* Injection—an attack technique against data-driven applications, in which malicious SQL statements are executed.
* Insecure Design—different weaknesses expressed as missing or ineffective control design.
* Security Misconfiguration—failing to implement all the security controls for an app.
* Vulnerable and Outdated Components—software that is vulnerable, unsupported, or hasn't been updated.
* Identification and Authentication Failures—missing or ineffective multi-factor authentication, weak passwords, etc.
* Software and Data Integrity Failures—code and infrastructure that do not protect against integrity violations.
* Security Logging and Monitoring Failures—application logs and APIs are not monitored for suspicious activity.
* Server-Side Request Forgery—SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL.
What organization works to improve software security?
The OWASP® Foundation works to improve the security of software through its community-led open-source software projects. There are hundreds of chapters worldwide—with tens of thousands of members—that host both regional and international conferences.
What is Brakeman?
Brakeman is a free vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.