Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Programming

Ask Slashdot: Reviewing 3rd Party Libraries? 88

Posted by Soulskill
from the discovering-you-trusted-something-way-too-much dept.
Carcass666 writes "It is usually good to use existing libraries, rather than reinventing the wheel, especially with open source. Unfortunately, sometimes we have to work with closed source implementations. Recently, we were diagnosing a .NET assembly and, after getting nowhere with the vendor, ran it through a decompiler. The code was a morass of SQL concatenation, sloppy type conversions, and various things that are generally thought of as insecure.

My question is: What are Slashdot readers' preferred tools for analyzing .NET and Java compiled libraries (not source code) for potential security vulnerabilities? Ideally, I would like to know if a library is a security liability before I code against it. For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework."
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Reviewing 3rd Party Libraries?

Comments Filter:
  • Re:open source only (Score:2, Informative)

    by Anonymous Coward on Wednesday March 05, 2014 @05:18PM (#46413355)

    IIRC FxCop is a source-code analyser.

    No it is not.

    FxCop is a free static code analysis tool from Microsoft that checks .NET managed code assemblies

    http://en.wikipedia.org/wiki/FxCop

    FxCop actually works pretty well for what was asked for. Microsoft hasn't failed to update FxCop instead they integrated it more into Visual Studio. You can also write your own rules if you have to keep it updated. I would follow the ASP.NET source code project on codeplex, their build scripts integrate code analysis using nuget and a few other msbuild tricks but i do not think they have it setup to scan another assembly. It can't be hard to configure it too however.

    All that said i think everyone else's advice is better.

    Limit your use of 3rd party libraries as much as possible for many reasons let alone upgrade paths can be difficult.
    Use a tool like nuget to make sure they are updated properly.
    Follow the projects closely for changes.

  • FYI: FxCop (Score:5, Informative)

    by MobyDisk (75490) on Wednesday March 05, 2014 @05:25PM (#46413421) Homepage

    For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework

    FxCop is still under active development and ships with Visual Studio 2010, 2012, and 2013. They merely changed the name to "Code Analysis"
    http://blogs.msdn.com/b/visual... [msdn.com]

To avoid criticism, do nothing, say nothing, be nothing. -- Elbert Hubbard

Working...