Advantages and Disadvantages of JavaScript

Advantages of JavaScript

  • Client-side execution
  • Validation in the browser
  • Easy language

Disadvantages of JavaScript

  • Less secure: the code runs on the client, where the user can read and alter it
  • No hardware access
  • Requires a JavaScript-enabled browser

Static vs dynamic code analysis: Advantages and Disadvantages


What are the advantages and limitations of static and dynamic software code analysis? Maj. Michael Kleffman of the Air Force’s Application Software Assurance Center of Excellence spelled it out.

Static code analysis advantages:

  1. It can find weaknesses in the code at the exact location.
  2. It can be conducted by trained software assurance developers who fully understand the code.
  3. It allows a quicker turnaround for fixes.
  4. It is relatively fast if automated tools are used.
  5. Automated tools can scan the entire code base.
  6. Automated tools can provide mitigation recommendations, reducing the research time.
  7. It permits weaknesses to be found earlier in the development life cycle, reducing the cost to fix.

Static code analysis limitations:

  1. It is time consuming if conducted manually.
  2. Automated tools do not support all programming languages.
  3. Automated tools produce false positives and false negatives.
  4. There are not enough trained personnel to thoroughly conduct static code analysis.
  5. Automated tools can provide a false sense of security that everything is being addressed.
  6. Automated tools are only as good as the rules they are using to scan with.
  7. It does not find vulnerabilities introduced in the runtime environment.

Dynamic code analysis advantages:

  1. It identifies vulnerabilities in a runtime environment.
  2. Automated tools provide flexibility on what to scan for.
  3. It allows for analysis of applications for which you do not have access to the actual code.
  4. It identifies vulnerabilities that might have been false negatives in the static code analysis.
  5. It permits you to validate static code analysis findings.
  6. It can be conducted against any application.

Dynamic code analysis limitations:

  1. Automated tools provide a false sense of security that everything is being addressed.
  2. Automated tools produce false positives and false negatives.
  3. Automated tools are only as good as the rules they are using to scan with.
  4. There are not enough trained personnel to thoroughly conduct dynamic code analysis [as with static analysis].
  5. It is more difficult to trace the vulnerability back to the exact location in the code, taking longer to fix the problem.

Comparison Between UCC, CLOC, POWERSOFTWARE, EZ-Metrics and Metrixware


Criterion | Unified CodeCount (UCC) | CLOC | POWERSOFTWARE | EZ-Metrics | Metrixware
Languages | C/C++, C#, Java, SQL, Ada, Perl, ASP, ASP.NET, JSP, CSS, HTML, JavaScript, VB, and VBScript | YES – All | ADA, Assembly, ASP, C#, C/C++, CSS, Fortran, IDL, HTML, Java, JavaScript, JSP, Perl, PHP, PL/SQL, PowerBuilder, Python, Ruby, ShellScript, Textfiles, VB6 / VB.NET / VBScript, VHDL, Windows Batch and XML | YES | ALL
Platforms | Windows & Linux | Linux 2.6.9, Unix, Mac OS X, Windows 9x/Me/XP/Vista, Solaris | BOTH | Windows, Linux planned but no date | Both

Baselines comparison
How does the tool manage folder hierarchy changes? | The tool tries to match files between two baselines using filenames. As such, two files having the same name in different folder structures can be matched. The tool also detects, matches and compares files if the folder is changed while the filenames of the files contained in the folder are kept the same. | NA | No information | NA
How does the tool manage files which are renamed? | Currently, the tool does not handle renamed files. However, if a file is renamed but its content does not change, the tool considers it a duplicate. | NA | No information | NA
How does the tool manage file or block swapping? | We have not handled swapping blocks of code yet. If code is copied from one place to another, it is considered as deleted and added. If files are swapped and their filenames do not change, the tool can match and compare them. | Available | No information | Available
What is the algorithm used for line change detection? | For comparing between lines, we detect the number of common characters between them and determine whether they are modified or deleted using a threshold. This threshold can be specified through a parameter named -t. For detecting bulks of changed or added code, we implemented our own algorithm for detecting longest common sequences. I am sorry, it is quite complex to be described in this email. We are documenting it in detail, and if you are interested I can send you a copy after it is completed. | SLOC, Perl Mod | No information | NA

Miscellaneous
GUI & CLI | CLI | CLI | Both but separate products | GUI
CSV & XML Output | Only TXT | XML | HTML, CSV, RAW XML data | YES
Provide qualitative metrics? | No. The tool is focused on software size metrics. | NO | Yes, but separate product | YES
Price | Open Source | Open Source | KEPM (which includes EPM) costs 1,995 USD for a single license or 4,995 for a 5-user license | Commercial
Frequency of releases | No information on the net | Regular | One minor/major release per month or 2 months.
Date of last release | December 2009 | Apr-10 | 16-Mar-10
Press on the net | Not many reviews available on the net | Nope
Integration with quality platform | Provides different language sources for the integration. | Nope
Recommend | NO | Yes | No | No
Algorithm confidence | The total sizing of analyzed source code files in terms of the SLOC count carries the highest degree of confidence. However, the sizing information pertaining to the sub-classifications (compiler directives, data lines, executable lines) has a somewhat lower level of confidence associated with it. Misclassifications of the sub-classifications of SLOC may occur due to: (1) user modifications to the UCC tool, (2) syntax and semantic enhancements to the parsed programming language, (3) exotic usage of the parsed programming language, and (4) integrity of the host platform execution environment. | SLOC algorithm with Perl string handling features and SPAN modules | NA
Advantages / Drawbacks / Comments | Output not according to our need; limited output format; delta is not useful; low processing speed | Output according to our need; output in many forms (CSV, XML, TXT and MySQL); delta is useful according to our needs; fast processing | I tried the 30-day trial version. They gave a web-based account/dashboard to add source files and generate output, which was not functional, so I could not test its functionality in detail. Basic functionality is not working.
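The line-change detection the UCC answer above describes (a common-character threshold, the -t parameter, to separate modified from deleted lines, and a longest common subsequence to find bulk added or changed code), as an added Python example that is not UCC's own code; the character-similarity measure and the greedy pairing of lines inside each gap are assumptions, since the page does not give UCC's exact definitions:

```python
# Added example (not UCC's code): LCS over whole lines, then threshold t.
from difflib import SequenceMatcher

def lcs_pairs(old, new):
    """Index pairs (i, j) of identical lines, via a classic LCS table."""
    n, m = len(old), len(new)
    tbl = [[0] * (m + 1) for _ in range(n + 1)]
    for i in reversed(range(n)):
        for j in reversed(range(m)):
            tbl[i][j] = (tbl[i + 1][j + 1] + 1 if old[i] == new[j]
                         else max(tbl[i + 1][j], tbl[i][j + 1]))
    pairs, i, j = [], 0, 0
    while i < n and j < m:  # walk the table to recover one LCS
        if old[i] == new[j]:
            pairs.append((i, j))
            i, j = i + 1, j + 1
        elif tbl[i + 1][j] >= tbl[i][j + 1]:
            i += 1
        else:
            j += 1
    return pairs

def common_ratio(a, b):
    """Share of the longer line covered by in-order common characters
    (assumed measure; the page does not state UCC's exact one)."""
    blocks = SequenceMatcher(None, a, b).get_matching_blocks()
    return sum(blk.size for blk in blocks) / max(len(a), len(b), 1)

def classify_changes(old, new, t=0.6):
    """In each gap between LCS anchors an old line takes its best unpaired
    new line if the score is >= t (modified), else it is deleted; new lines
    left unpaired are added (greedy pairing is assumed). Returns the counts."""
    anchors = lcs_pairs(old, new)
    counts = {"unmodified": len(anchors), "modified": 0, "added": 0, "deleted": 0}
    i = j = 0
    for ai, aj in anchors + [(len(old), len(new))]:  # sentinel ends last gap
        unpaired = list(range(j, aj))
        for oi in range(i, ai):
            scored = [(common_ratio(old[oi], new[nj]), nj) for nj in unpaired]
            if scored and max(scored)[0] >= t:
                counts["modified"] += 1
                unpaired.remove(max(scored)[1])
            else:
                counts["deleted"] += 1
        counts["added"] += len(unpaired)
        i, j = ai + 1, aj + 1
    return counts
# Constructed sample baselines: one line edited, one deleted, a block added.
OLD = ["int main(void) {", "    int x = 1;", '    printf("%d\\n", x);', "    return 0;", "}"]
NEW = ["int main(void) {", "    int x = 10;", "    if (x > 5) {", "        x = 5;", "    }", "    return 0;", "}"]
```

With t=0.6 the edited `int x` line scores about 0.93 and counts as one modification; raising t to 0.95 turns that same edit into one deletion plus one addition, which is the effect the -t parameter has on the delta counts.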

SLOC Tools Comparison | SLOC Tools Differences | SLOC Tools Comparison Table


Tool | Open Source / Commercial | URL
CAST | Commercial | www.castsoftware.com
Sonar | Open Source | www.sonarsource.org
SLOC | Open Source -> Commercial | http://www.dwheeler.com/sloccount/
RSM | Commercial | www.msquaredtechnologies.com
LocMetrics | Commercial | www.locmetrics.com
EZ-Metrics | Commercial | http://www.jamesheiresconsulting.com/Products.htm
Metrixware | Commercial | www.metrixware.com
Parasoft (Jtest) | Commercial | www.parasoft.com/
Squale | Open Source | www.squale.org/
KODERS | Commercial | www.koders.com
PRACTILINE | | www.practiline.com
POWERSOFTWARE | Commercial | http://www.powersoftware.com/
CLOC | Open Source | http://cloc.sourceforge.net/
Unified CodeCount (UCC) | Open Source | http://sunset.usc.edu/research/CODECOUNT/