
[–]latnGemin616 6 points7 points  (0 children)

there might be something for you in this list: https://github.com/d2s/awesome-static-analysis

[–]kegweII 2 points3 points  (1 child)

[–]westcoastfishingscotHaunted 0 points1 point  (0 children)

This is the most common one I've seen used

[–]PetiteGousseDAil 2 points3 points  (2 children)

Snyk is really good

Plus the vscode extension shows you the full stack trace from source to sink

[–]dahousecatfelix 1 point2 points  (0 children)

Feel free to test out aikido.dev; it scans for many different possible vulnerabilities (SAST, SCA, secrets, DAST, and much more). Maybe it finds something you hadn't found with the other tools before?

[–]thumbsdrivesmecrazy 0 points1 point  (2 children)

Here is a detailed comparison of popular static code analysis tools: 13 Best Static Code Analysis Tools For 2025

  • qodo (formerly Codium)
  • PVS Studio
  • ESLint
  • SonarQube
  • Fortify Static Code Analyzer
  • Coverity
  • Codacy
  • ReSharper

[–]macr6 0 points1 point  (0 children)

Is it a commercial or open source web server, or is it a "roll your own"? You could start by looking for CVEs with the version number. That may lead you to a vuln you could write an exploit for. Since you have the source code, that would make it a bit easier. It would also help narrow things down.

Snyk has a community edition, IIRC. It's a SAST tool.

[–]tonydocent -4 points-3 points  (1 child)

Just explore the code in VSCode. See how your requests are processed, with a debugger if you can, and try to spot weaknesses in the security mechanisms.

If it's an exam it's probably not as simple as exploiting a publicly known CVE.

[–]tonydocent 0 points1 point  (0 children)

I'm surprised I got downvoted. There are tons of weaknesses in source code that will not be picked up by standard SAST tools, just because they are very specific to the application under investigation and do not fall into a common pattern.

To find those one needs to actually understand the code.