Detecting Errors in the Pandas Software Module using the Svace Static Code Analyzer
https://doi.org/10.15514/ISPRAS-2024-36(4)-2
Abstract
The article deals with the urgent problem of software security at the early stage of development. Special attention is paid to static code analysis, a key tool for detecting vulnerabilities at early stages of the software development life cycle. The article emphasizes the importance of integrating static analysis tools into the development process so that vulnerabilities are detected and eliminated early. The methods by which static analyzers search for errors are considered, as well as the main components of the Svace static analyzer developed at the Institute for System Programming of the Russian Academy of Sciences. A classification of the analyses used in the Svace static analyzer is presented. Static analysis of source code in the Python programming language is considered in detail. As a practical example, the analysis of the Pandas 2.2.1 project performed with the help of Svace is given. The result was the detection of 241 vulnerabilities in 590709 lines of code, which corresponds to a high density of warnings per million lines of code and confirms the effectiveness of static analysis in ensuring software security.
About the Authors
Maria Anatolyevna LAPINA
Russian Federation
Cand. Sci. (Phys.-Math.), Associate Professor, Associate Professor of the Department of Information Security of Automated Systems of the North Caucasus Federal University. Research interests: digital technologies, cyber-physical systems, data analysis, information security management, trusted artificial intelligence, cryptography, program code analysis.
Maxim Ivanovich KHODAKOV
Russian Federation
Student of the Department of Information Security of Automated Systems of the North Caucasus Federal University. Research interests: programming, digital technologies, program code analysis.
Sofya Kirillovna GROBOVA
Russian Federation
Student of the Department of Infocommunications of the North Caucasus Federal University. Her research interests: programming, digital technologies, program code analysis.
For citations:
LAPINA M.A., KHODAKOV M.I., GROBOVA S.K. Detecting Errors in the Pandas Software Module using the Svace Static Code Analyzer. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2024;36(4):17-26. https://doi.org/10.15514/ISPRAS-2024-36(4)-2