Code Dx is a software vulnerability aggregation and management system that brings together a variety of code analysis tools, enabling you to locate and fix potential vulnerabilities in the code you write, in the languages you use, and at an affordable cost.
Over 90% of computer security incidents are due to weaknesses in software. These weaknesses can expose vulnerabilities that put your business at risk for attacks such as SQL injection and cross-site scripting, leading to data loss, corruption, or even a host takeover. Static code analysis tools can help you find these weaknesses. However, commercial tools are typically costly, and while open source tools are “free,” they still require considerable human resources to configure and run. Regardless of whether you are running a commercial or open source code analysis tool, no single tool provides sufficient code coverage. You have to run multiple tools, and tediously correlate the results.
Code Dx runs a suite of preconfigured, fully integrated, multi-language, open source static code analysis tools against your code base. It can also incorporate the results of commercial tools and manual analysis, and automatically correlate all the weaknesses into a single consolidated set, viewable from a single user interface—with reports presented in an easy to understand visual display.
Code Dx Enterprise Edition (EE)
The Enterprise Edition provides all of the features of open source scanners and it expands your coverage by working seamlessly with commercial testing tools. At the same time, it allows for findings to be added manually. The correlation and normalization of results from multiple tools produce a consolidated set of results, with greater coverage of potential vulnerabilities and a better assessment of your overall software security risk.
- Automatically configures and runs many bundled static source code analysis tools
- Checks third-party software component libraries for known vulnerabilities
- Contains over 1,500 configurable security/quality rules covering multiple programming languages
- Combines and normalizes output of multiple tools into a single consolidated set of results on a common severity scale
- Browser-based user interface used to assign, collaborate, and track weakness remediation
- Maps results to the Common Weakness Enumeration (CWE)
- Links correlated weaknesses to source code
- Visual analytics for triage and prioritization of software weaknesses
- Robust data filtering supports detailed drill-down and organization of weaknesses
- Generates CSV, XML and PDF assessment reports
- REST API enables integration with automated build servers
- Plug-ins provide support for popular Integrated Development Environments
- Integrates the results from multiple commercial static source code analysis tools (EE only)
- Enables manual entry of independently identified weaknesses (EE only)
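To make the correlation and normalization step concrete, here is a small added example (not Code Dx's own code or data format) of what "combining the output of multiple tools onto a common severity scale and mapping it to CWE" involves: each tool's native severity is translated to a shared scale, each rule is mapped to a CWE, and findings that hit the same file, line and CWE are merged into one consolidated entry that records every tool that reported it. The severity scale, the per-tool severity tables, the rule-to-CWE table and the sample findings (including the PMD rule name) are constructed for illustration and are not taken from any real tool's output.

```python
"""
Illustrative correlation/normalization of static-analysis findings.
Constructed example; the mappings and inputs are assumptions, not Code Dx's
implementation or any tool's real output.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Common severity scale, highest first (assumed for this example).
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]

# Per-tool translation of native severity onto the common scale (assumed).
TOOL_SEVERITY_MAP: Dict[str, Dict[str, str]] = {
    "findbugs": {"1": "high", "2": "medium", "3": "low"},            # FindBugs priority 1..3
    "pmd":      {"1": "high", "2": "medium", "3": "low", "4": "low", "5": "info"},  # PMD priority 1..5
    "cppcheck": {"error": "high", "warning": "medium", "style": "low", "performance": "info"},
}

# "tool:rule" -> CWE id (assumed, for illustration only).
RULE_TO_CWE: Dict[str, int] = {
    "findbugs:SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE": 89,
    "pmd:SqlInjectionRisk": 89,          # hypothetical PMD rule name
    "cppcheck:bufferAccessOutOfBounds": 119,
    "cppcheck:nullPointer": 476,
}


@dataclass
class Finding:
    tool: str
    rule: str
    file: str
    line: int
    native_severity: str
    severity: str = ""
    cwe: Optional[int] = None


@dataclass
class Correlated:
    file: str
    line: int
    cwe: Optional[int]
    severity: str
    tools: List[str] = field(default_factory=list)
    rules: List[str] = field(default_factory=list)


def normalize(f: Finding) -> Finding:
    """Translate native severity to the common scale and attach a CWE id."""
    f.severity = TOOL_SEVERITY_MAP[f.tool].get(f.native_severity, "info")
    f.cwe = RULE_TO_CWE.get(f"{f.tool}:{f.rule}")
    return f


def correlate(findings: List[Finding]) -> List[Correlated]:
    """Merge findings on the same (file, line, CWE); keep the highest severity seen."""
    groups: Dict[Tuple[str, int, Optional[int]], Correlated] = {}
    for f in map(normalize, findings):
        key = (f.file, f.line, f.cwe)
        c = groups.get(key)
        if c is None:
            groups[key] = Correlated(f.file, f.line, f.cwe, f.severity, [f.tool], [f.rule])
            continue
        if f.tool not in c.tools:
            c.tools.append(f.tool)
        c.rules.append(f.rule)
        if SEVERITY_ORDER.index(f.severity) < SEVERITY_ORDER.index(c.severity):
            c.severity = f.severity
    # Most severe first, then by location, so the list reads as a triage queue.
    return sorted(groups.values(),
                  key=lambda c: (SEVERITY_ORDER.index(c.severity), c.file, c.line))


# Constructed sample input: two Java tools hit the same SQL-injection site.
SAMPLE_FINDINGS = [
    Finding("findbugs", "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE", "Dao.java", 42, "1"),
    Finding("pmd", "SqlInjectionRisk", "Dao.java", 42, "2"),
    Finding("cppcheck", "bufferAccessOutOfBounds", "parse.c", 17, "error"),
    Finding("cppcheck", "nullPointer", "parse.c", 30, "warning"),
    Finding("findbugs", "DM_DEFAULT_ENCODING", "Util.java", 5, "3"),  # no CWE mapping
]


def consolidated_report() -> List[Correlated]:
    return correlate(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for c in consolidated_report():
        print(f"{c.severity:8} {c.file}:{c.line}  CWE-{c.cwe}  tools={c.tools}")
```

The two Java findings at Dao.java:42 collapse into one high-severity CWE-89 entry attributed to both tools, which is the kind of deduplication that saves the "tediously correlate the results" step; a finding with no CWE mapping is still kept, with `cwe` left as `None`, rather than silently dropped.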
Commercial & Free Tool Support:
- Open source dynamic/static scanners: OWASP Zed Attack Proxy, Arachni, Android Lint, Brakeman, Checkstyle, Clang, Cppcheck, ErrorProne, FindBugs, FxCop, Gendarme, Jlint, JSHint, Microsoft CAT.NET, OCLint, PMD, Pylint
- Open source defect trackers: Mozilla Bugzilla
- Commercial tools: Checkmarx, Grammatech, Coverity and other major vendors