search menu icon-carat-right cmu-wordmark

SEI CERT Division Releases Downloadable Source Code Analysis Tool

SEI CERT Division Releases Downloadable Source Code Analysis Tool
Press Release

PITTSBURGH, Aug. 15, 2018—The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University today announced the release of its Source Code Analysis Laboratory (SCALe) application. This is the first release of the SCALe application to the public via open-source.

SCALe can be used for auditing software in any source code language. This version of SCALe provides categories of alerts for tools based on two code flaw taxonomies—CERT Secure Coding Standards and MITRE’s Common Weakness Enumeration (CWE). The CERT Secure Coding Standards support detailed guidance for secure development in C, C++, Java, and Perl.

The SCALe application can be used to identify source code flaws that may lead to vulnerabilities. By using output from multiple flaw-finding static analysis tools, SCALe can be used to efficiently analyze more code defects than any single static analysis tool would find.

“Using multiple static analysis tools can greatly increase the types of flaws found,” said Lori Flynn, senior software security researcher at the SEI. “The alerts must be examined by an expert who determines whether each alert represents an actual code defect. Typically there are too many alerts, and not all can be manually examined. The SCALe system is designed to make this process easier. We are researching ways to automate the process of accurate alert classification and sophisticated methods of alert prioritization, and this version of SCALe includes features added over the last three years intended to assist with that.”

The SCALe application simplifies the process of auditing alerts. It takes as input the source code for a program, plus output from static analysis tools (flaw-finding tools and code metrics tools) that were run on the code. With this input, it provides a browser-based interface to the alerts and their associated code. It provides simple prioritizations of the alerts and relevant information about the potential vulnerabilities and how to fix the code based on the CERT Secure Coding Standards and CWEs. It makes auditor work more efficient by fusing alerts into a single view that requires only one audit determination.

SCALe provides an easy-to-use graphical user interface for examining alerts, identifying true positives and other determinations, and saving the audit information to a database.

For more information about the SCALe application, see Download the application at