(SAST) Tool for C, C++, C#, Java, and Javascript

Home , AVR32, Fujitsu FR, Klocwork, M32R, Microware, Perforce

DATASHEET Static Application Security Testing (SAST) Tool for C, C++, C#, Java, and JavaScript

Overview DEVOPS READY

Klocwork SAST for C, C++, C#, Java, and JavaScript Klocwork tools are designed with Continuous Integration identifies software security, quality, and reliability issues and Continuous Delivery foremost in our thinking, which helping to enforce compliance with standards. makes it easy to include static code analysis as part of your CI/CD pipelines. Built for enterprise DevOps and DevSecOps, Klocwork scales to projects of any size, integrates with large com- Differential Analysis: Using system context data from plex environments, a wide range of developer tools, and the Klocwork Server, it is possible to analyze only the files provides control, collaboration, and reporting. that changed providing differential analysis results as if the entire system had been analyzed and the shortest Klocwork’s Differential Analysis engine provides instant possible analysis times. analysis results, while maintaining accuracy, and integrates seamlessly with CI/CD pipelines to automate Easy to Automate: Klocwork tools have common com- Continuous Compliance — safeguarding your software mand line interfaces, and all defect data is accessible via from vulnerabilities with every commit. a REST API using standard output formats, such as XML, JSON, and PDF. Key Features Containerized Builds: Klocwork can be run within FIND SECURITY VULNERABILITIES WITH SAST containerized and Cloud build systems and supports the provisioning of machine instances as required. Providing Our security-focused static analysis engine identifies maximum flexibility and opportunity to use on-premise or security vulnerabilities as they are introduced – helping to external Cloud services for code analysis. find and fix vulnerabilities early, and provide compliance

to internationally and industry recognized security stan- CONTROL, COLLABORATION, AND REPORTING dards, as well as your own organizational requirements. The Klocwork Compliance and Application Security Testing

(CAST) Portal is a centralized store of analysis data, trends,

metrics, and configurations for codebases across the

organization — accessed through a web browser.

www.perforce.com Klocwork by Perforce © Perforce Software, Inc. All trademarks and registered trademarks are the property of their respective owners. (0720TP21) The dashboard is highly customizable, enabling your developers, managers, and other stakeholders to:

• Define global or project-specific QA and security objectives and rule configurations. • Control access permissions and approval workflows. • View trending and metrics data for project quality and compliance. • Produce compliance and security reports. • Prioritize defects based on severity, location, and lifecycle. • Use Smart Rank to assist developers in prioritizing fixes based on defect likelihood, which when combined with issue severity, provides an overall vulnerability risk score. • Distinguish new issues from legacy code issues. • Push backlog issues to Change Control systems. • Import and Integrate Helix QAC findings to the Klockwork SAC to view and manage consolidated analysis results in a single dashboard.

DESIGNED FOR DEVELOPERS

By seamlessly integrating static code analysis with the rest of your development toolset, Klocwork will shift-left defect detec- tion and improve developer adoption as a tool for developer training and increasing productivity.

No User Configuration: Klocwork provides out of the box support for hundreds of compilers and cross-compilers.

Easy to Use: Plugins for popular IDEs (including Microsoft Visual Studio, Eclipse, IntelliJ, and more).

Connected Desktop: Local code changes made using the Klocwork plugins provide immediate differential analysis results within IDEs.

Detailed Feedback and Help: Defects and coding violations are identified by severity, location and risk. Each defect report is further enhanced with detailed traceback information and rich, context-sensitive help and guidance on remediation. Facilitat- ing understanding and learning.

Custom Rules: A graphical custom checker creation tool makes the implementation of project- or organization-specific rules quick and easy — further enriching the learning opportunities.

Architectural Analysis: Klocwork integrates with architectural visualization and enforcement tools like Structure 101 to allow users to further improve the overall quality and maintainability of their codebase through clean and correct dependencies.

Technical Specifications

SUPPORTED LANGUAGES

• C • C# • Java • C++ • JavaScript

www.perforce.com Klocwork by Perforce © Perforce Software, Inc. All trademarks and registered trademarks are the property of their respective owners. (0720TP21) SUPPORTED FRAMEWORKS

C/C++ Java

• AUTOSAR • Android • JAX RS • Boost • Java SE/ EE • JAX WS • Microsoft .Net • Junit • ReactiveX • POSIX • Hibernate ORM • Vert.x • QT • Apache Cocoon • WS XML-RPC • STL • Apache Commons JavaScript • WinAPI • Apache ECS • Apache Struts • TypeScript C# • Apache Tomcat • JSX • .NET Framework • log4j • React • .NET Core • Eclipse SWT • Vue • Mono • JDOM • Xamarin • Spring Framework • Unity • GWT • Universal Windows • Java Persistence API Platform

SUPPORTED CODING STANDARDS

Security: • CERT (SEI) • OWASP • PCI DSS • CWE (SANS) • DISA STIG • TS 17961 (ISO/IEC) • CWE (SANS) Top 25

Saftey: • MISRA C 2004 • MISRA C 2012 AMD 1 • AUTOSAR C++ 14 • MISRA C 2012 • MISRA C++ 2008 • JSF AV C++ • TS 17961 (ISO/IEC) Quality: • NASA’s 10 Rules • Klocwork Quality

Custom: • Create Your Own Standard • Create Your Own Rules

SUPPORTED FUNCTIONAL SAFTEY STANDARDS *TÜV-SÜD certified for compliance.

• IEC 61508* • EN 50128* • DO-178B/C • ISO 26262* • IEC 62304*

www.perforce.com Klocwork by Perforce © Perforce Software, Inc. All trademarks and registered trademarks are the property of their respective owners. (0720TP21) SUPPORTED PLATFORMS

• Windows • Linux • Mas OS X

SUPPORTED IDES

• CLion • Microsoft Visual Studio • IBM Rational Application • Eclipse • Microsoft Visual Studio Code Developer • Wind River Workbench • QNX Momentics • WebSphere • Android Studio • JetBrains Intelilj IDEA

*Snapshot views are not supported for Base ClearCase SUPPORTED SOURCE CODE MANAGEMENT SYSTEMS **Subversion 1.4.x is not supported by the Visual Studio plug-ins

• Base ClearCase 7.x* • TFS 2010 • Subversion 1.4.x**, 1.6.x, • CVS 1.12.x • Perforce server 2005.2 1.7.x, 1.8.x • Git 1.7.x or higher

CRITICAL CHECKS

• API Usage Errors • Memory — Corruptions • Stylistic Issues • Dangerous Coding Practices • Memory — Illegal Accesses • SQL Injections • Buffer Overflows • Missing Authentication for • Suspicious Code Practices • Exposed Fields, Identifier Critical Function • Suspicious Encapsulation Name Clashes • Missing Authorization Checks • Suspicious Scoping • Code Complexity • No Configuration for a • Uninitialized Members, • Code Maintainability Issues Critical Resource Use of Uninitialized Fields • Concurrent Data Access • No Configuration for a and Variables Violations Protect Resource • Unnecessary Code • Concurrency Issues • Null Pointer Dereferences • Unreachable Code • Cross-Site Request Forgery • Object-oriented • Unsafe Code Practices Programming Issues (CSRF) Vulnerabilities • Unused Code • Path Manipulation • Cross-Site Scripting (XSS) • Unused Local Variable Vulnerabilities • Performance Issues • Unvalidated User Input, • Dangerous Implicit Conversions • Portability Issues Path/File/Process • Dead Code • Possible Runtime Failures Injection, Tainted Data • Error Handling Issues • Process and Path Injection • Use of Freed Resources • Hard-Coded Credentials • Pseudorandom Number • Use of Hard-Coded • Improper Certificate Validation Generation Issues Credentials • Improper Encapsulation • Redundant Code • Use of ldap Anonymous Bind • Incorrect Error Handling • Resource Leaks • Use of Weak Cryptographic Algorithm • Indeterminate Value Warnings • Rule Violations • Vulnerable Coding Practices • Information Leakage • Security Best Practices Violations • XML External Entity Attack • Invalid Arithmetic Operations • Security Misconfigurations • XXE Vulnerabilities • Maintainability Issues

www.perforce.com Klocwork by Perforce © Perforce Software, Inc. All trademarks and registered trademarks are the property of their respective owners. (0720TP21) SUPPORTED C/C++ COMPILERS

• Analog Devices Blackfin • IAR RL78 • Renesas R32C and TigerSHARC • IAR SH • Renesas R8C • Archelon • IAR STM8 • Renesas RH850 • Archelon CSR Kalimba • IBM XL • Renesas RX • ARM CC • ImageCraft AVR • Renesas SuperH • ARM TI tms470 • ImageCraft Intel • Renesas V850 • CADUL C for Intel 80X86 • ImageCraft M8C • Rowley Crossworks • CEVA (NVIDIA) • Intel iC-386 MSP430 • Clang • Keil CA51, C166 and C251 • Sony SN Systems PS2, PS3 and PSVita • CodeWarrior Freescale S12 • Marvell • Sony Orbis Clang PS4 • Compiler caching tools • MetaWare • Sun Studio • Cosmic • Metrowerks CodeWarrior • Synopsys ARC MetaWare • Embarcadero • Microchip MPLAB C18 • Target Chess • Fujitsu FR • Microchip MPLAB pic24 • Tasking 68K • GNU • Microchip MPLAB pic32 • Tasking ARM • Green Hills • Microchip MPLAB XC8 C • Tasking Classic C166 • Hexagon Tools • Microchip MPLAB XC16 • Tasking DSP56X • HI-CROSS+ Motorola HC16 • Microsoft Visual Studio • Tasking IFX SLE88 • HI-TECH C • Microtec • Tasking SLE88 • Hitachi ch38 • Microware Ultra C for OS-9 • Tasking Tricore • HiveCC • Mono Headset SDK • Tasking VX C166 • IAR 78K • Motorola DSP563 • Tensilica Xtensa • IAR 8051 • Nintendo Cafe Platform • TI ARP32 • IAR ARM • Nvidia CUDA • TI msp430 • IAR Atmel AVR • NXP StarCore Freescale • TI tms320C55x • IAR AVR32 • Panasonic • TI tms320C3x • IAR CR16C • Panasonic MN101E/ • IAR Hitachi H8 MN101L • TI tms320C4x • IAR M16C • Paradigm • TI tms320c28x • IAR M32C • Plan 9 • TI tms320c6x • IAR MAXQ • QNX qcc • TriMedia tmcc • IAR MSP430 • Renesas 78K0R • Watcom • IAR NEC V850 • Renesas CC-RL RL78 • WinAVR • IAR Renesas R32C • Renesas CX • Wind River Diab • IAR Renesas RX210 • Renesas M16C • Wind River GCC • IAR RH850 • Renesas M32R • ZiLOG eZ80

Try Klocwork Free Get Started with your free trial of Klocwork today. perforce.com/products/kw/free-static-code-analyzer-trial

www.perforce.com Klocwork by Perforce © Perforce Software, Inc. All trademarks and registered trademarks are the property of their respective owners. (0720TP21)