That is not what dynamic analysis means but I appreciate everyone redefining terms to suit their marketing.
https://en.wikipedia.org/wiki/Dynamic_program_analysis
Interesting. So if I understood correctly, you dynamically analyze the build process (and that's why you use that term) instead of just parsing the build file, because you don't know exactly how the dependencies are going to be resolved from the package manager during the build process. How do you verify that a specific version of a library is used during the build and not some other version (do you just do a hash lookup, or have a way to generate signatures with few false positives)? Also, what happens if the package manager is compromised (for example, it informs you that it used version 2.0 but instead used a vulnerable version)? For the call graphs, do you find the relationships between each procedure for the whole project, and if so, isn't that literally static analysis? Sorry if my questions don't make sense or are trivial, I am just looking at it from a research perspective, because I am working on somewhat similar things.
I agree w/ all the confusion regarding terminology. It's still static if you're not executing the code.

But, back to the premise: it would be really helpful if you [the author] could illustrate security defects which can be detected using "dynamic analysis" which cannot be detected with "static analysis." Legitimate, actually exploited/exploitable vulnerabilities would be ideal.
I don't understand what exactly they're saying. Seems to me they're comparing apples, oranges, and cherries. I don't know if they're willingly doing this or if they're trying to make the problem sound harder than it is.

You only need to perform whatever security analysis is necessary after all your dependencies are resolved. This does not require anything "dynamic". You just call the package manager, wait for all the dependencies to be resolved, then verify there are no vulnerable versions, which is just a matter of looking up the relevant pieces in some database somewhere.

Which is fine if that's what they're doing, but this article seems to be mostly smoke and mirrors.