Scanning Code

Collected Static Analysis Links

Syntax Parsers

Lightweight static analysis for many languages. Find and block bug variants with patterns that look like source code.
Parsing, analyzing, and comparing source code across many languages
SonarQube

Source Code Checking

Javascript:
A Static Code Analysis Tool for JavaScript

Java:
Source code static analyzer tool designed to spot security issues in Java applications.
graudit is a simple script with signature sets that lets you find potential security flaws in source code using the GNU utility grep.

Ruby:
A static analysis security vulnerability scanner for Ruby on Rails applications

Smart Contracts:
An open source smart contract platform
Static Analyzer for Solidity
Manticore is a symbolic execution tool for analysis of smart contracts and binaries.

PHP:
PHP Static Analysis Tool - discover bugs in your code without running it!

Psalm is a static analysis tool that’s designed to improve large PHP codebases by identifying both obvious and hard-to-spot bugs.
Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.

Dependency Checking

Identify and track third-party components and their vulnerabilities

DotNet:
Scanning DotNet modules for known vulns

Javascript:
Scanning JS modules for known vulns
Detect JS Lib versions

Python:
A collection of models, views, middlewares, and forms to help secure a Django project.
Checks Python Dependencies for Vulnerabilities

Findings Classification

Local Copy of searchable CVEs
OWASP Application Security Verification Standard

Grepable

Top 10 Developer Crypto Mistakes
How to Find Vulnerabilities in Code: Bad Words

Grep string | Look for | Languages
password, passwd, credential, passphrase | hardcoded passwords, insecure password storage, insecure password transmission, password policy, etc. | all
sql, query( | SQL injection (string concatenation) | all
strcat, strcpy, strncat, strncpy, sprintf, gets | dangerous C functions used in iOS | iOS
setAllowsAnyHTTPCertificate, validatesSecureCertificate, allowInvalidCertificates, kCFStreamSSLValidatesCertificateChain | disables TLS cert checking | iOS
crypt | hardcoded keys, fixed IVs, confusing encryption with message integrity, hardcoded salts, crypto soup, insecure mode of operation for symmetric cipher, misuse of a hash function, confusing a password with a crypto key, insecure randomness, key size too small. See Top 10 Developer Crypto Mistakes | all
CCCrypt | IV is not optional if security is required (Apple API documentation is wrong) | iOS
md5, sha1, sha-1 | insecure, deprecated hash function | all
3des, des3, TripleDES | insecure, deprecated encryption function | all
debuggable | do not ship debuggable code | android
WRITE_EXTERNAL_STORAGE, sdcard, getExternalStorageDirectory, isExternalStorageWritable | check that sensitive data is not being written to insecure storage | android
MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE | should never make files world readable or writeable | android
SSLSocketFactory | dangerous functionality: insecure API, easy to make mistakes | java
SecretKeySpec | verify that crypto keys are not hardcoded | java
PBEParameterSpec | verify salt is not hardcoded and iteration count is at least 10,000 | c#
PasswordDeriveBytes | insecure password-based key derivation function (PBKDF1) | c#
rc4, arcfour | deprecated, insecure stream cipher | all
exec( | remote code execution if user input is sent in | java
eval( | remote code execution if user input is sent in | javascript
http: | insecure transport layer security, need https: | all
ftp: | insecure file transfer, need ftps: | all
ALLOW_ALL_HOSTNAME_VERIFIER, AllowAllHostnameVerifier | certificate checking disabled | java
printStackTrace | should not output stack traces (information disclosure) | java, jsp
readObject( | potential deserialization vulnerability if input is untrusted | java
dangerouslySetInnerHTML | dangerous React functionality (XSS) | javascript
trustAsHtml | dangerous Angular functionality (XSS) | javascript
Math.random( | not cryptographically secure | javascript
java.util.Random | not cryptographically secure | java
SAXParserFactory, DOM4J, XMLInputFactory, TransformerFactory, javax.xml.validation.Validator, SchemaFactory, SAXTransformerFactory, XMLReader, SAXBuilder, SAXReader, javax.xml.bind.Unmarshaller, XPathExpression, DOMSource, StAXSource | vulnerable to XXE by default | java
controller | MVC controller functionality: check for input validation | c#, java
HttpServletRequest | check for input validation | java
request.getParameter | check for input validation | jsp
exec | dynamic SQL: potential for SQL injection | sql
getAcceptedIssuers | if null is returned, then TLS host name verification is disabled | iOS
isTrusted | if it returns true, then TLS validation is disabled | java
trustmanager | could be used to skip cert checking | java
ServerCertificateValidationCallback | if it returns true, then TLS validation is disabled | c#
checkCertificateName | if set to false, then hostname verification is disabled | c#
checkCertificateRevocationList | if set to false, then CRLs are not checked | c#
NODE_TLS_REJECT_UNAUTHORIZED | certificate checking is disabled | javascript
rejectUnauthorized, insecure, strictSSL, clientPemCrtSignedBySelfSignedRootCaBuffer | cert checking may be disabled | javascript
NSExceptionDomains, NSAllowsArbitraryLoads, NSExceptionAllowsInsecureHTTPLoads | allows http instead of https traffic | iOS
kSSLProtocol3, kSSLProtocol2, kSSLProtocolAll, NSExceptionMinimumTLSVersion | allows insecure SSL communications | iOS
public-read | publicly readable Amazon S3 bucket: make sure no confidential data is stored | all
AWS_KEY | look for hardcoded AWS keys | all
urllib3.disable_warnings | certificate checking may be disabled | python
ssl_version | can be used to allow insecure SSL comms | python
cookie | make sure cookies set the Secure and HttpOnly attributes | all
kSecAttrAccessibleAlways | insecure keychain access | iOS
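The grep-driven review the table describes, as an added example (not code from the page's sources or from graudit): a small POSIX shell scanner that carries a subset of the rules above as a pattern|description|languages table, maps file extensions to the table's language labels so that a C-only rule does not fire on a Python file, and prints one finding per hit. The rule subset, the extension map and the sample files are all constructed here for illustration.

```shell
#!/bin/sh
# Added example: a minimal "bad words" scanner in the spirit of the table above.
# The rule subset, language map and sample files are constructed for illustration.

# Rule table, one rule per line: grep string|what to look for|languages ("all" or comma list).
RULES='password|hardcoded or insecurely handled credentials|all
sql|possible SQL injection via string concatenation|all
strcpy|dangerous C string function|c
eval(|remote code execution if user input reaches it|javascript
Math.random(|not cryptographically secure|javascript
java.util.Random|not cryptographically secure|java
readObject(|deserialization of untrusted input|java
NODE_TLS_REJECT_UNAUTHORIZED|certificate checking disabled|javascript
http:|cleartext transport, should be https:|all'

# Map a file extension to the language label used in the rule table.
lang_for_file() {
  case "${1##*.}" in
    js|ts) echo javascript ;;  java) echo java ;;  c|h|m) echo c ;;
    py) echo python ;;         *) echo other ;;
  esac
}

# Apply every rule whose language is "all" or matches the file's language.
# Output: path:line:language:grep-string:description
scan_file() {
  file=$1; lang=$(lang_for_file "$file")
  printf '%s\n' "$RULES" | while IFS='|' read -r pattern desc langs; do
    case ",$langs," in *,all,*|*,"$lang",*) ;; *) continue ;; esac
    # -F: fixed string (so "eval(" is not a regex), -i: case-insensitive, -n: line numbers
    grep -Fin -- "$pattern" "$file" | cut -d: -f1 | while read -r ln; do
      printf '%s:%s:%s:%s:%s\n' "$file" "$ln" "$lang" "$pattern" "$desc"
    done
  done
}

# Walk a tree, skipping vendored and generated directories.
scan_tree() {
  find "$1" -type d \( -name node_modules -o -name .git -o -name build \) -prune \
    -o -type f -print | while read -r f; do scan_file "$f"; done
}

# Constructed sample tree: two true hits per file, plus a C-only rule that must not fire on .py.
make_sample_tree() {
  d=$(mktemp -d)
  printf 'const token = Math.random().toString(36);\nfetch("http://example.invalid/api");\n' > "$d/app.js"
  printf 'ObjectInputStream in = open();\nObject o = in.readObject();\nnew java.util.Random();\n' > "$d/Svc.java"
  printf 'strcpy(buf, input);\n' > "$d/legacy.py"
  echo "$d"
}

scan_tree "$(make_sample_tree)"
```

Every hit is only a lead for manual review: the "Look for" column tells the reviewer what to confirm at that line, not that a vulnerability exists.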