Code analysis is the process of examining software to verify its quality and to identify weaknesses that could be exploited. It is done in two ways: static and dynamic. In static code analysis the source code is inspected without being executed, either through peer code review or with automated tools; dynamic analysis, by contrast, exercises the running program. The benefit of static analysis is that vulnerabilities can be detected early and fixed before the software is deployed. In the Software Development Life Cycle, developers should analyze every piece of code they write.
Static code analysis is also integrated into development environments (IDEs), so developers can analyze their code as they write it and see how secure it is. When using such tools, however, there is a high chance of false positives: cases where the developer has already handled the security issue but the tool still complains.
OWASP has defined a Top 10 list of web application security risks that developers must pay attention to so that the code they write is not open to these vulnerabilities. To statically analyze Java web application code for such issues, we can use OWASP's LAPSE+ tool, which comes as a plugin for the Eclipse IDE.
Installation of LAPSE+ on Eclipse
You can download the tool from ; at the time of this writing, the latest version is LapsePlus 2.8.1.
Once you have downloaded the jar file (LapsePlus_2.8.1.jar), copy it to the plugins directory of your Eclipse installation.
Then start Eclipse.
Go to Window -> Show View -> Other.
In the Show View window, type 'Vulnerability' and you will see the LAPSE+ Vulnerability Sinks and Vulnerability Sources views.
LAPSE+ performs static analysis to detect the source and the sink of a vulnerability. A source is a point where untrusted data enters the application, e.g. the parameters of an HTTP request or a cookie. A sink is an operation where that data is used to alter the behaviour of the application, such as writing to a servlet response, building an HTML page, or composing a database query. Sources can reach sinks through simple assignments, method calls or parameter passing. When a sink is reachable from a source with no validation or encoding in between, the application has a vulnerability.
From the Show View window, select Vulnerability Sources and a panel will appear in Eclipse as shown below.
You can import your project into Eclipse to analyze its source code. Here I am using the WebGoat sample application for static code analysis.
Once the project is imported, right-click in the Vulnerability Sources panel and choose Find Sources.
This scans the source code and lists every point where untrusted data enters the application.
Double-clicking an entry in the panel opens the file and highlights the line of code for that source.
Similarly, select Vulnerability Sinks from the Show View window.
Then right-click in the Vulnerability Sinks panel and choose Find Sinks.
It lists all the vulnerability sinks found, if any.
Double-clicking a specific entry shows the code responsible for that sink.
Although the tool reports vulnerabilities, some of its findings are false positives: cases where the code already handles the issue even though the tool complains. Such warnings can be dismissed once you have verified, by reading the code, that the data really is validated or encoded before it reaches the sink. Other findings are real vulnerabilities, so it is always better to review the code you write for security yourself rather than rely on the tool alone.
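To make the source-to-sink flow and the false-positive case concrete, here is a pair of Java servlets written as an added example for this page (they are not code from WebGoat or from the LAPSE+ project). The first carries a request parameter from a source through an assignment and a parameter pass into two sinks; the second implements the same feature with a bound SQL parameter and HTML encoding. The class names, the users table and the htmlEscape helper are hypothetical, and the JDBC Connection is assumed to be supplied by the container.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Illustrative servlets (not from WebGoat or LAPSE+). Both assume a JDBC
// Connection field populated by the container; obtaining it is not shown.
class VulnerableUserServlet extends HttpServlet {
    private Connection connection; // assumption: set up by the container

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // SOURCE: an HTTP request parameter is attacker-controlled.
        String username = request.getParameter("username");

        // Propagation by assignment: the concatenated query is still tainted.
        String query = "SELECT name FROM users WHERE name = '" + username + "'";

        // Propagation by parameter passing: the taint travels into the helper,
        // where it reaches two sinks.
        render(query, username, response);
    }

    private void render(String query, String username, HttpServletResponse response)
            throws ServletException, IOException {
        try (Statement stmt = connection.createStatement();
             ResultSet rs = stmt.executeQuery(query)) { // SINK: SQL injection
            PrintWriter out = response.getWriter();
            // SINK: request data written into HTML unencoded (reflected XSS)
            out.println("<h1>Results for " + username + "</h1>");
            while (rs.next()) {
                out.println("<p>" + rs.getString("name") + "</p>");
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}

// Same feature with both flows broken: the query is parameterised and the
// echoed values are HTML-encoded before they reach the response.
class HardenedUserServlet extends HttpServlet {
    private Connection connection; // assumption: set up by the container

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        if (username == null || !username.matches("[A-Za-z0-9_]{1,32}")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid username");
            return;
        }
        try (PreparedStatement ps =
                     connection.prepareStatement("SELECT name FROM users WHERE name = ?")) {
            ps.setString(1, username); // bound parameter, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                PrintWriter out = response.getWriter();
                out.println("<h1>Results for " + htmlEscape(username) + "</h1>");
                while (rs.next()) {
                    out.println("<p>" + htmlEscape(rs.getString("name")) + "</p>");
                }
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }

    // Minimal encoder for HTML text content. A source/sink analysis does not
    // know this method is a sanitiser unless it is configured as one, so it may
    // still report the println calls above: that is the false-positive case
    // described in the text, and it is ruled out by reading the code.
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

In the first servlet, Find Sources would point at the getParameter call and Find Sinks at the executeQuery and println calls; following the assignment and the parameter pass from one to the other is what establishes the vulnerability. In the second, the same sinks are still present, but the data reaching them has been validated, bound as a query parameter, and encoded, which is why a warning there deserves review rather than an automatic fix.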
Platform Security Team