Secure Coding Verification tool for R and RStudio Connect

Dear All,

I am searching for a tool similar to Checkmarx or SonarQube that would be able to check my R scripts that I call in a Shiny app. Is there anything I could use for that purpose?

It is of crucial importance for me to address the OWASP Top 10 requirements and regularly check the code and provide the report.

Thank you for your help,
nolimalm


Hello @nolimal!! Apologies for the delay in response here and thanks for asking this question!

I am not familiar with Checkmarx / SonarQube - are these static code scanners? A quick search suggests as much.

In any case, I believe the nature of the R language makes it very challenging to statically analyze. Moreover, I am not aware of any tools that purport to do so. One way you could get started is probably with the lintr package or something like it that makes suggestions on readability. You can also statically analyze the other languages that R calls out to: C++ and whatnot.

I'm definitely curious to hear what other users come up with, as I have seen this type of request before. However, I believe it is somewhat infrequent in the R community due to the nature of the language's use within data science.
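As an added illustration of the lintr suggestion above (example code, not from the thread or the lintr project), here is how a reviewer can use lintr's built-in `undesirable_function_linter` to surface call sites in Shiny app code that warrant a manual security review: dynamic code evaluation (`eval`, `parse`, `source`) and shell execution (`system`, `system2`). The sample `server.R` content is constructed inline and written to a temp file so the example runs offline; the `risky_calls` vector and the messages in it are this example's own choices, and lintr 3.x is assumed.

```r
# Added example (not from the thread): use lintr to flag call sites a security
# reviewer wants to inspect in Shiny app code. Assumes lintr >= 3.0 is installed.
library(lintr)

# Constructed sample server code, written to a temp file so lint() can read it.
# It deliberately contains the patterns we want the linter to report.
app_src <- c(
  "server <- function(input, output, session) {",
  "  output$result <- renderText({",
  "    eval(parse(text = input$expr))",
  "  })",
  "  observeEvent(input$run, {",
  "    system(paste('ls', input$dir))",
  "  })",
  "}"
)
app_file <- file.path(tempdir(), "server.R")
writeLines(app_src, app_file)

# Functions to flag, with the reason each needs review. Names are the function
# names, values become the lint messages (this is the documented `fun` format).
risky_calls <- c(
  eval    = "evaluates dynamically built code; check where the expression originates",
  parse   = "turns text into code; check whether user input can reach it",
  source  = "executes an R file; check how the path is constructed",
  system  = "runs a shell command; check how the command string is built",
  system2 = "runs a shell command; check how the arguments are built"
)

# Keep lintr's default readability linters and add the review linter on top.
review_linters <- linters_with_defaults(
  undesirable_function_linter(fun = risky_calls)
)

findings <- lint(app_file, linters = review_linters)

# Report only the security-review findings as file:line: message.
review_only <- Filter(function(l) l$linter == "undesirable_function_linter", findings)
for (l in review_only) {
  cat(sprintf("%s:%d: %s\n", basename(l$filename), l$line_number, l$message))
}

# For a whole Shiny app directory, the same linters can be applied with:
#   lint_dir("path/to/app", linters = review_linters)
```

Run against the constructed file this reports the `eval`, `parse` and `system` lines. This is a call-site finder, not a data-flow analysis: it tells the reviewer where to look, and the reviewer still has to trace whether `input$expr` or `input$dir` can reach those calls unvalidated. Adding `lint_dir()` to a CI job gives the recurring report the original question asked for, with the understanding that it only covers the functions you choose to list.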

Bumping this to see if there is an answer to the question: is there a secure coding verification tool for R in mid-2021?

FYI, excellent YouTube here on why static analysis is pretty much impossible with R.

Linking this in case someone else comes up with some good ideas. VERY interested in this myself.