SCALe stands for Source Code Analysis Laboratory. SCALe can refer to one or more of the following three artifacts, all of which evaluate source code for adherence to secure coding standards: SCALe auditing framework, SCALe research prototype, and SCALe code Conformance Testing. Each is described below.
The Recommended Resources on the right provide detailed information about the SCALe tool, research, and conformance testing methods. Previous publications may not describe full current tool functionality or the current conformance testing procedures. Please contact the Secure Coding group with any SCALe-related questions.
SCALe Auditing Framework
The SCALe auditing framework uses (aggregates) output from commercial, open source, and experimental analysis tools. The SCALe tool maps code analysis tools' warnings about possible code flaws (i.e., alerts) to taxonomies of code flaws (e.g., CERT Secure Coding Rules).
The SCALe tool provides a GUI interface that an analyst uses to filter and prioritize alerts, as well as examine code associated with an alert. The SCALe tool provides an interface for the analyst to mark alert determinations (e.g., true or false), and provides back-end data storage for the audited code project. Some tool output formats are already integrated with the SCALe tool; the SCALe install and user manual explain the simple API that enables users to integrate new tools.
We provide the SCALe auditing framework tool to many DoD organizations and some non-DoD organizations for their use in evaluating their source code for adherence to secure coding standards.
This framework is provided in various install formats:
- Online install formats require Internet connectivity to install third-party packages.
- Offline install formats do not require Internet connectivity to install or run. They come with the third-party software included.
Since we continue work to improve the SCALe tool, previous publications may not describe its full current functionality or the current ways it is used. Publications that detail previous versions of SCALe and provide insight into the current version of SCALe include Improving Automated Detection and Analysis of Secure Coding Violations and Source Code Analysis Laboratory (SCALe).
SCALe Research Prototype
CERT researchers create varied SCALe research prototypes by modifying the SCALe auditing framework with new, experimental functionality. This prototype may be distributed to collaborators during a project. Often, much of the new functionality is eventually integrated into the regular SCALe auditing framework tool.
In CERT research projects, although we use a version of the same SCALe tool, we often use different processes than those used in SCALe code conformance testing. For example, a research project may use different rules for determining which alerts to audit or which alert determination lexicon to use. Recent research involving such prototypes focuses on alert classification and prioritzation.
SCALe Code Conformance Testing
We provide SCALe code conformance testing to those who request the service to evaluate their source code for its adherence to secure coding standards. The testing typically results in a report and the tested organization may earn a CERT SCALe Seal and certificates (if the code is judged to be conforming). For more information, see the SCALe Conformance Testing page.