WHAT IS XCALSCAN?
Xcalscan is a next generation source code analysis tool for Static Application Security Testing (SAST). Xcalscan analyses software applications by using in-depth compiler level technology to inspect data flows, giving greater accuracy in defect detection.
Xcalscan lets you quickly and easily develop high quality code, identify vulnerabilities, and adhere to software and corporate compliance standards.
Highly accurate and intuitive, Xcalscan identifies issues much earlier in the Software Development Life Cycle (SDLC). In effect, you can ‘shift left’ in the testing process within the development timeline, making you far more efficient. Xcalscan not only enhances productivity, it also analyzes source code to identify defects that cause memory corruption, core dumps, buffer overflows, illegal operations, null pointers and a lot more.
Xcalscan gives you fast remediation times which shorten developer feedback loops. It not only highlights errors, it gives you guidance to understand the defect. You can use Xcalscan at different points during the coding and testing phases and it works hand-in-hand with manual code reviews and other testing methods such as white box, black box or unit testing.
Whether you’re a Developer, Security Professional, Quality Assurance Manager or IT leader, Xcalscan helps you create a ‘quality-first’ mindset. You can count on Xcalscan to increase productivity, reduce costs and get your application to market faster. Xcalscan is available on-premise and, for added convenience, with either a Chinese or an English interface.
- Programming languages supported: C/C++, Java
- CI/CD integration with Jenkins
- IDE integration with VSCode
- Source code control: GitHub, GitLab & Gerrit
- Support for:
  - Xcalibyte’s proprietary rule set to identify many known serious vulnerabilities
  - SEI CERT C
  - SEI CERT C++
  - SEI CERT Java
  - OWASP Top 10
  - CWE
  - CVE
  - MISRA
- On-premise deployment
- Chinese and English interfaces
WHAT ARE THE MAIN BENEFITS OF XCALSCAN?
IN-DEPTH COMPILER OPTIMIZATION TECHNOLOGY
Errors can affect many parts of your code, in ways that are not immediately obvious. Xcalscan goes beyond ordinary code pattern analysis, working not only at the Abstract Syntax Tree (AST) level but also at the Intermediate Representation (IR) level, to provide more accurate defect detection and to generate comprehensive reports that highlight all errors. By analyzing code further down the compiler pipeline, we are able to identify defects that would otherwise only be seen at runtime.
FIND HARD-TO-FIND BUGS
There are many defects that are hard to trace, such as Null Pointer Dereference and Missing Free. These are frequently missed in code reviews and only manifest themselves at runtime. Some arise from race conditions, others from simple programming omissions. Flow analysis is required to identify them. Xcalscan’s analysis methods include data-flow analysis, control-flow analysis, context-sensitive analysis, object-sensitive analysis, cross-procedure analysis and cross-file analysis. Xcalscan also provides cross-language analysis support.
CODE, SECURITY AND DATA PRIVACY COMPLIANCE
Violations of coding conventions, data privacy and security policies often occur due to poor oversight or a rush to get the application live. Poor quality code can result from not adhering to best-practice programming guidelines, for example failure to apply encryption, lack of secure authentication and many other causes. Xcalscan can help developers comply with internal organizational rules, worldwide coding practices and government legislation. Xcalscan can give you peace of mind when developing software.
HOW DOES XCALSCAN BENEFIT YOU?
ARE YOU A DEVELOPER?
Xcalscan gives you fast and accurate code analysis, allowing you to develop clean, efficient, quality code. Our intuitive interface rapidly identifies potential vulnerabilities, explicitly highlights priorities and provides clear guidance for resolving issues. Xcalscan implements a large number of CERT level 1 and level 2 rules, as well as our own proprietary Xcalibyte Rule Set, which will ensure you maintain quality and apply best practices to your source code. These rules map to OWASP and CWE. Xcalscan reviews code for you, speeding up manual peer-to-peer reviews, and works with Continuous Integration (CI) tools and Integrated Development Environments (IDEs) to make the development process efficient and productive.
ARE YOU A QA PROFESSIONAL?
Software health begins and ends with high quality code. Xcalscan ensures strict compliance with major software industry standards. Compliance rules can also be tailored to specific corporate standards. Xcalscan provides accurate and comprehensive reporting and is easily embedded into your QA process. It can assign fixes to specific developers and allow them to be individually responsible for compliance while they code. By facilitating the effortless adoption of regular static code analysis, Xcalscan helps encourage developers to think naturally about a ‘quality-first’ approach to coding.
ARE YOU A SECURITY PROFESSIONAL?
Today’s cybersecurity professionals are expected to cover both network and application security. Xcalscan is designed to easily identify vulnerabilities that can lead to serious cybersecurity risks. By starting in the early stages of the SDLC, Xcalscan ensures delivery of defect-free code. Xcalscan identifies and prioritizes all defects according to the level of threat, making it easy to work with developers to find security issues, monitor reports, prioritize remediation tasks and ensure all security standards have been met. Xcalscan helps you implement a 'security by design' approach.
ARE YOU A TECHNOLOGY EXECUTIVE?
Without adequate steps to secure your technology assets, hackers can severely cripple your business and permanently damage your reputation. With Xcalscan, you no longer have to sacrifice security in the race to deliver products to market. You can stay on schedule and within budget without jeopardizing your business. Xcalscan is an essential business tool to support all your technology planning and development. It ensures high quality and secure products are delivered on time and at reduced cost. Xcalscan gives any executive an instant picture of the software health of all ongoing projects and categorizes them by risk level. This allows you to focus on delivering the kind of quality and security that will enhance your business.
WHAT CAN XCALSCAN FIND?
THE XCALIBYTE RULE SET
Xcalscan’s analysis engine includes our Xcalibyte Rule Set which covers the most important software vulnerabilities. This is a partial list of the Xcalibyte Rule Set.
| Rule | Description |
| --- | --- |
| Array Out Of Bounds (AOB) | The program is accessing data outside the declared boundary (before or after) of the intended buffer. |
| Division by Zero (DBZ) | The program is trying to divide a value by zero. |
| Dead Variable (DDV) | Execution of this statement will be nullified by another statement following it, or the result of this statement is never used. |
| Empty Catch Block (ECB) | The program has an exception construct with an empty catch block. |
| Formal and Actual Parameter Mismatch (FAM) | The program calls a function with a number of arguments that differs from the function's definition. |
| Format String Overflow (FMT) | The program calls one of the printf family of functions with a number (or type) of parameters that differs from what the format string declares. |
| Missing Free (MSF) | The program has allocated heap memory but failed to free that piece of memory. |
| Null Pointer Dereference (NPD) | The program is accessing memory through a pointer with a NULL value. This will cause a segmentation fault or unpredictable program behavior. |
| Return Address of Local (RAL) | The function returns the address of a stack variable, which will cause unintended program behavior. |
| Read from External Socket (RXS) | The program has read from an external socket, which may deliver untrusted data. |
| Use After Free (UAF) | The program has referenced memory after it has been freed. It can cause the program to crash or cause unexpected program behavior. |
| Use Dangling Reference (UDR) | A dangling pointer has been used to refer to an invalid memory resource. |
| Uninitialized Variable (UIV) | The program is using a variable before it has been initialized. |
| Write to File for Read Only (WRF) | The program is performing a write operation on a file that is available for read only. |
The Xcalibyte Rule Set further expands on rules based on CERT and CVE.
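As an added illustration (not Xcalscan's or Xcalibyte's own code) of two defect classes from the table above, Null Pointer Dereference (NPD) and Use After Free (UAF), each written so that the NULL or the free() sits in a callee and only the cross-procedure data-flow analysis described earlier would connect it to the caller. Each defect is shown beside a corrected form; all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A callee that returns NULL on one path. The callers below contain no
 * visible NULL, so a pattern-matching scanner sees nothing; the defect only
 * surfaces with cross-procedure data-flow analysis. Hypothetical helper. */
char *find_sep(const char *s) { return strchr(s, ':'); }

/* NPD: reads the byte after ':' without checking that ':' was found.
 * Undefined behaviour when the input has no ':'; never called here. */
int value_first_unsafe(const char *s) { return find_sep(s)[1]; }

/* Fixed form: the NULL path is handled; -1 means no separator,
 * otherwise the byte after it (0 when ':' is the last character). */
int value_first(const char *s) {
    const char *sep = find_sep(s);
    if (sep == NULL) return -1;
    return (unsigned char)sep[1];
}

/* The free happens inside a helper, so a single-function view of the
 * caller never sees free(); only cross-procedure analysis links the two. */
void release(char *buf) { free(buf); }

/* UAF: reads the buffer after release() has freed it; never called here. */
int first_byte_unsafe(const char *src) {
    size_t n = strlen(src) + 1;
    char *buf = malloc(n);
    if (buf == NULL) return -1;
    memcpy(buf, src, n);
    release(buf);
    return buf[0];      /* use after free */
}

/* Fixed form: copy out what is needed before the buffer is released. */
int first_byte(const char *src) {
    size_t n = strlen(src) + 1;
    char *buf = malloc(n);
    if (buf == NULL) return -1;
    memcpy(buf, src, n);
    int c = (unsigned char)buf[0];
    release(buf);
    return c;
}

int main(void) {
    printf("%d %d %d\n", value_first("user:1"), value_first("nosep"), first_byte("abc"));
    return 0;
}
```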
HOW IS XCALSCAN DIFFERENT FROM OTHER SAST TOOLS?
Xcalscan takes several analysis methods and makes them work as one, instead of in isolation. This allows users to reduce the number of false positives and gain a deeper understanding of how a program will execute.
Building on Open64 compiler optimization technology, Xcalscan conducts high quality scanning using data flow analysis, context sensitive analysis and object sensitive analysis. Xcalscan manages resource allocation and memory access conflict using the memory Static Single Assignment (SSA) framework.
COMMON PROBLEMS IN LEGACY SAST TOOLS
Object Code Scan:
- Effective for known issues but cannot find unknown/potential issues
Source Code Scan:
- High false-positive and false-negative rates
- Inaccurate analysis; cannot deal with complex program logic or data paths
- Partial analysis, NOT cross-module or whole-program analysis
THE XCALIBYTE SOLUTION:
- A program analysis engine improved upon the foundation of the Open64 compiler
- An optimizing memory SSA framework with a resource model