University of Passau
Department of Informatics and Mathematics

CISAT - Combination and Integration of Static Analysis Tools


CISAT is a framework which enables the integration of security-related static analysis into automatic processes. CISAT consists of the following components:

  • CISAT XML format - a unified XML schema providing a uniform, machine-readable output format for listing the security findings of static analysis tools.
  • A unified call convention to provide all tools with the same call-interface.
  • SATEC - a high level programming library for combining tools and parsing the XML format.
  • A set of wrappers for most free static analysis tools.


Daniel Schreckling, Martin Johns, SVS Sectoolers: CISAT: Integration von sicherheitszentrierter statischer Analyse in den Entwicklungsprozess, 14. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2007 (paper)

Installing and using CISAT

The software is packaged for Ubuntu Linux 6.06 (LTS); source packages are provided. Additionally, we provide an Eclipse plug-in for performing scans and displaying the results.

We provide two ways for installing the software:

Install with APT via HTTP:

For installing our software directly over the internet, please create a file /etc/apt/sources.list.d/cisat.list with the following content:

deb ./
deb-src ./

Install with APT from a local repository:

For installing our software on computers without HTTP access to the internet, you can download the repository as a tarball. Unpack it, e.g. to your home directory:

user@machine:/home/user$ tar xfz cisat-packages.tar.gz

Then create a file /etc/apt/sources.list.d/cisat.list with content similar to:

deb file:///home/user/cisat-packages/ ./
deb-src file:///home/user/cisat-packages/ ./

You must now run sudo aptitude update to update the package manager's cache.

Now you can install our software by running sudo aptitude install PACKAGENAME

Source packages are installed by running sudo aptitude source PACKAGENAME
The sources are also included in the tarball.

The available packages are:

Eclipse plug-in

Our Eclipse plug-in is based on Eclipse 3.2 and CDT 3.1. It is distributed as a JAR file.

For installation, just copy it to the plugins/ folder of your Eclipse installation.

The sources are included in the JAR file.

Usage hints

Some hints for using the software:

  • Static Analysis Tools:
    • Each tool installs a wrapper into /usr/lib/cisat/wrapper/
    • You can call the tools by running e.g. /usr/lib/cisat/wrapper/ source1.c [source2.c ...]
  • Combination Framework:
    • Edit the file /etc/cisat/satec/config.cfg:
      Remove the comments ((* and *)) to enable installed analysis tools
    • Now you can start the combination tool with toolcomb source1.c [source2.c ...]
  • Eclipse plug-in:
    • There is a preference page accessible via Window -> Preferences... -> SecTool
    • Enter the path to one tool wrapper for scanning with a single tool, or enter /usr/bin/toolcomb for combined scanning with all enabled tools.
    • Some tools don't provide probability or severity values. You can enter a default value.


Even though the main CISAT project has ended, you can try to contact us using the Sectoolers-Mailing-List, which should still be active.


The concepts that are the basis of CISAT were developed as part of the secologic-project.

The software and documentation were written by (in alphabetical order): Christian Beyerlein*, Björn Engelmann, Nils Hoier, Moritz Jodeit, Martin Johns*, Benjamin Leipold and Daniel Schreckling.

*Martin Johns' and Christian Beyerlein's work was funded by secologic.

Last modified: 24/02/2015 - 18:33:27 by mj