Lab 5: On-fly Code Analysis with DevSkim


On-fly code analysis is an essential method to help discover and fix coding errors in the development phase of SDLC. No one wants to see those errors transferred into products and systems in the real world.

In this lab, you will use the DevSkim extension of Visual Studio Code to practice on-fly code analysis. More information on DevSkim can be found here:


Learn more about an Integrated Development Environment used by developers here:


1. Click on the “Windows 10”.

2. Type in “isecstudent” without quotes as the password to log in to Window 10.

3. Open Visual Studio Code by clicking the icon on the taskbar.

4. Click the Extensions as shown below to confirm that the DevSkim extension has been installed.

5. Click File menu on Visual Studio Code and then New File.

6. Click the File menu and then click Save. Save the empty document as a C file by selecting the file type from the drop-down list of the Save as dialog box.

7. Begin typing this C code:

#include <stdio.h>


Int main () {

char src[40];



return 0;


8. When you finished typing gets(src);, you should see a light bulb icon.


9. Click on the light bulb to see the recommendations of the DevSkim. Click one of the recommendations, and see that the function has been replaced with the secure version. Take a screenshot.

10. Also, notice that gets(src) is underlined. Bring your cursor on this, and you should see a popup with a detailed explanation of the problem with the gets function. The underlining and the message are a security feature of the Visual Studio Code. Modern IDEs have these built-in code security and quality improvement features.


1) Submit the screenshot.

2) Summarize the consequences of using gets function as if you are explaining it to a non-technical person.

3) Navigate to Find the CWE that describes the problem of using the gets function. Explain the CWE.

Find a CVE that is the instance of the CWE you found in the previous question. You can search on security bulletins of Microsoft, Cisco, Adobe, etc. or CVE page:

4) Send the webpage of the security bulletin along with the CVE number. Explain why that CVE is an instance of the CWE.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.