The Praline project applies static analysis techniques to detect bugs and security vulnerabilities in programs containing PL/SQL code. In particular, Praline focuses on vulnerabilities such as SQL injection that may require analysis across the application stack to detect, including Java, PL/SQL, SQL, and C.
How it works
1. Translation: Programs written in PL/SQL are translated into a common format (intermediate representation) that can be analysed by Oracle’s static-analysis tool, Parfait.
2. Detection: Using static analyses built on top of the Parfait framework, bugs and vulnerabilities will be detected in the translation and across language boundaries to Java and C/C++.
Precisely analyzing complete multi-language applications requires accurate mapping of cross-language semantics, and analysis of string fragments at the interface between the languages. At the same time, the analysis must scale to applications consisting of 10s of millions of lines of code.