Static Analysis Tool - Java Industry Standard Support
The Java (JSP) static analysis tool performs data-flow analysis that follows the actual execution order of the subprograms and functions in the whole program, and examines the state of the code along every path that analysis generates, in order to check the code for defects and vulnerabilities.
Recently, with the large-scale shift from internal-combustion vehicles to electric vehicles, securing the information-security services required of automotive embedded software (confidentiality, integrity, availability, authentication) has become a hard requirement at the coding stage, in order to raise the reliability and security of the software carried by future vehicles, such as autonomous driving and shared-mobility services.
Compliance with domestic and international industry coding standards
Coding guides: Oracle Code Convention, JPL-Java, etc.
(CWE 4.17) Run-time guide: CWE-660 (Java: 77 rules)
(International) Security vulnerabilities: CWE (4.17), OWASP (2021), CERT-Java
(Domestic, Korea) Security vulnerabilities: SW Development Security Guide (49 rules), financial IT sector and NIS (National Intelligence Service) vulnerability lists
(Other Code Assurance) SQL, XML, code metrics, metadata verification, etc.
Language / compiler versions
(Java Language Standard) Java 5, 8, 11, 17, 21
(2nd Code Analysis) Configuration files, XML, SQL, JSP, etc.
Key features
(no False Positive) Source-code analysis and verification based on inter-procedural path analysis
- (defect message) Detailed description of each defect, with a message giving the statement and the location that cause it
(no Rule Option) No rule options to configure: the code context is analyzed and inferred from the path flow
(Rule Design) Rules designed on a "One Guide to One Rule" basis (prevents duplicate rules and duplicate checks)
(Exception Code Process) Excepted code is registered and managed automatically, so it is excluded automatically during checks
(SDLC Chain) Code checks automated by integrating the static analysis tool with the configuration-management (SCM) system
(Plug-in) Eclipse, IntelliJ, Jenkins and many others
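To make concrete what the data-flow description at the top of the page and the inter-procedural path analysis and defect-message features mean in practice, here is an added toy example. It is not the product's engine and not code from this page: the tiny instruction set, the function names (readId, lookup, handler) and the JSP-style sample program are all constructed for illustration. The analysis tracks where untrusted input (request.getParameter) originates, follows it across a call and a return, forks at a branch so that each execution path is examined separately, and reports a defect only on the path where the data reaches stmt.executeQuery without passing through a sanitizer.

```python
"""Toy inter-procedural, path-sensitive taint analysis over a hand-built IR.
Added illustration only; the IR, instruction set and sample program are
constructed for this example and are not the product's internal format."""
from dataclasses import dataclass
from typing import List, Tuple

Origin = Tuple[str, str]  # (function, source statement) = the cause of a defect

@dataclass
class Func:
    name: str
    params: List[str]
    body: list  # instruction tuples, see PROGRAM below

# Instruction forms used by this toy IR:
#   ("source", dst, label)        dst receives untrusted input (label = statement text)
#   ("assign", dst, src)          dst inherits src's taint (e.g. string concatenation)
#   ("sanitize", dst, src)        dst is a validated copy of src: taint is dropped
#   ("call", callee, args, dst)   inter-procedural call; dst (or None) gets return taint
#   ("sink", var, label)          security-sensitive use (label = statement text)
#   ("branch", then, else)        two alternative instruction lists; both paths explored
#   ("return", var)

def analyze_func(prog, fn, arg_taint, path, findings):
    """Enter fn with one taint origin (or None) per parameter; returns the taint of its return value."""
    f = prog[fn]
    env = {p: t for p, t in zip(f.params, arg_taint) if t is not None}
    return walk(prog, f, f.body, env, path, findings)

def walk(prog, f, instrs, env, path, findings):
    """Walk a single execution path; env maps tainted variables to their origin."""
    for i, ins in enumerate(instrs):
        op = ins[0]
        if op == "source":
            env[ins[1]] = (f.name, ins[2])
        elif op == "assign":
            t = env.get(ins[2])
            if t is None:
                env.pop(ins[1], None)
            else:
                env[ins[1]] = t
        elif op == "sanitize":
            env.pop(ins[1], None)
        elif op == "call":
            args = [env.get(a) for a in ins[2]]
            ret = analyze_func(prog, ins[1], args, f"{path}>{ins[1]}", findings)
            if ins[3] is not None:
                if ret is None:
                    env.pop(ins[3], None)
                else:
                    env[ins[3]] = ret
        elif op == "sink":
            t = env.get(ins[1])
            if t is not None:
                findings.append({"sink": (f.name, ins[2]), "path": path, "cause": t})
        elif op == "branch":
            rest = instrs[i + 1:]  # fork: each arm continues with the remainder of the path
            r1 = walk(prog, f, ins[1] + rest, dict(env), path + "/then", findings)
            r2 = walk(prog, f, ins[2] + rest, dict(env), path + "/else", findings)
            return r1 if r1 is not None else r2
        elif op == "return":
            return env.get(ins[1])
    return None

def run(prog, entry="handler"):
    """Analyze prog from entry; returns the list of defect findings."""
    findings = []
    analyze_func(prog, entry, [], entry, findings)
    return findings

def defect_message(fd):
    """Message in the shape the feature list describes: defect, cause statement, location."""
    return (f"tainted data reaches {fd['sink'][1]} in {fd['sink'][0]} "
            f"(path {fd['path']}); cause: {fd['cause'][1]} in {fd['cause'][0]}")

# Constructed sample modelling a JSP-style handler (assumed code, not from the page).
PROGRAM = {
    "readId": Func("readId", [], [
        ("source", "v", 'request.getParameter("id")'),  # untrusted HTTP input
        ("return", "v"),                                 # taint flows back to the caller
    ]),
    "lookup": Func("lookup", ["p"], [
        ("assign", "q", "p"),                   # q = "SELECT ... WHERE id='" + p + "'"
        ("sink", "q", "stmt.executeQuery(q)"),  # SQL injection sink
    ]),
    "handler": Func("handler", [], [
        ("call", "readId", [], "id"),
        ("branch",
            [("sanitize", "safe", "id"), ("call", "lookup", ["safe"], None)],  # Integer.parseInt(id)
            [("call", "lookup", ["id"], None)]),                              # raw id reaches the sink
    ]),
}

if __name__ == "__main__":
    for fd in run(PROGRAM):
        print(defect_message(fd))
```

Only the else path is reported: on the then path the sanitizer kills the taint before lookup is entered, which is the kind of context a path-based analysis infers on its own instead of needing a rule option, and the finding carries both the sink location inside lookup and the causing statement inside readId, two functions away. A production engine does not enumerate paths like this toy does (the number of paths grows exponentially with branches); it relies on function summaries and abstract interpretation, but the information it has to compute per path is the same.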
Support for international safety requirements
ISO 26262 (Automotive), DO-178 (Aerospace), IEC 61508 (Industrial), EN 50128 (Railway), IEC 62304 (Medical), etc.
Key customers
Enterprise-wide standard tool at large electronics, manufacturing and automotive companies
Enterprise-wide standard tool at securities firms
Standard tool for reliability, safety and security checks at national and security research institutes
Static testing tool for weapon-system software
National research projects