List of Requirements for Code Reviews

WP2 DIGIT B1 - EP Pilot Project 645
Deliverable 9: List of Requirements for Code Reviews
Specific contract n°226 under Framework Contract n° DI/07172 – ABCIII
April 2016

DIGIT Fossa WP2 – Governance and Quality of Software Code – Auditing of Free and Open Source Software.
Deliverable 9: List of requirements for code reviews

Author:

Disclaimer

The information and views set out in this publication are those of the author(s) and do not necessarily reflect the official opinion of the Commission. The content, conclusions and recommendations set out in this publication are elaborated in the specific context of the EU – FOSSA project. The Commission does not guarantee the accuracy of the data included in this study. All representations, warranties, undertakings and guarantees relating to the report are excluded, particularly concerning – but not limited to – the qualities of the assessed projects and products. Neither the Commission nor any person acting on the Commission’s behalf may be held responsible for the use that may be made of the information contained herein.

© European Union, 2016. Reuse is authorised, without prejudice to the rights of the Commission and of the author(s), provided that the source of the publication is acknowledged. The reuse policy of the European Commission is implemented by a Decision of 12 December 2011.

Document elaborated in the specific context of the EU – FOSSA project. Reuse or reproduction authorised without prejudice to the Commission’s or the authors’ rights.

Contents

Contents ..... 3
List of Tables ..... 5
List of Figures ..... 6
Acronyms and Abbreviations ..... 7
1 Introduction ..... 8
1.1. Objective of this document and intended audience ..... 8
1.2. Scope ..... 8
1.3. Document structure ..... 9
1.4. Key success factors ..... 9
1.5. Deliverables ..... 10
2 Methodological approach to building the analysis ..... 11
2.1. Identification of the requirements for the code review methodology (code review process) ..... 11
2.2. Identification of the requirements for the pre-selection of the code review tools ..... 12
2.3. Identification of the requirements for the selection of the code review tools ..... 12
2.4. Pre-selection of code review tools ..... 12
2.5. Evaluation of code review tools ..... 13
3 Requirements for code review methodology ..... 14
3.1. Requirements for the planning phase ..... 14
3.2. Requirements for the code review phase ..... 17
3.2.1. Information gathering ..... 17
3.2.2. Authentication management ..... 18
3.2.3. Authorization (access control) ..... 21
3.2.4. Data/input validation of data from all untrusted sources & encoding ..... 22
3.2.5. Cryptography ..... 24
3.2.6. User and session management ..... 25
3.2.7. Error and exception handling/information leakage ..... 26
3.2.8. Auditing and logging ..... 26
3.2.9. Business logic testing ..... 27
4 Requirements for code review tools ..... 29
4.1. Pre-selection requirements ..... 29
4.2. Selection requirements for code review tools ..... 31
4.2.1. Requirements for the code review planning phase ..... 31
4.2.2. Requirements for the code review phase ..... 32
4.2.2.1. Information gathering ..... 32
4.2.2.2. Authentication management ..... 33
4.2.2.3. Data/input validation of data from all untrusted sources & encoding ..... 33
4.2.2.4. Cryptography ..... 35
4.2.2.5. Error and exception handling/information leakage ..... 36
4.3. Requirements for the results of the code review phase ..... 37
4.3.1. Requirements for mandatory features ..... 37
4.3.2. Requirements for optional features ..... 37
5 Pre-selection and evaluation of code review tools ..... 39
5.1. Pre-selection of tools ..... 39
5.1.1. Tools to evaluate ..... 39
5.1.2. Evaluation and pre-selection of tools ..... 40
5.1.3. Results of the pre-selection ..... 42
5.2. Evaluation of code review tools ..... 43
5.2.1. FindBugs ..... 43
5.2.2. PMD ..... 44
5.2.3. RIPS ..... 44
5.2.4. SonarQube ..... 45
5.2.5. VCG ..... 46
5.2.6. Yasca ..... 47
5.3. Conclusions ..... 47
6 Bibliographical references ..... 49
7 Annexes ..... 50
7.1. Description of the OWASP verification levels ..... 50