
vcg's Introduction

====================================================================================
VCG (VisualCodeGrepper)

Current version: 2.3.2

====================================================================================

Contents:

1. Overview
2. Latest additions to VCG V2.3.2
3. Using VCG
	Input files/codebase
	Options & settings
	Scanning
	Configuration files
	Output
	Command Line Parameters

====================================================================================
Overview
------------------------------------------------------------------------------------

VCG is an automated code security review tool that handles C/C++, Java, C#, VB, PL/SQL, PHP and COBOL. It has a few features that should hopefully make it useful to anyone conducting code security reviews, particularly where time is at a premium:
1.	In addition to performing some more complex checks, it has a config file for each language that lets you add any bad functions (or other text) you want to search for
2.	It attempts to find a range of around 20 phrases within comments that can indicate broken code (“ToDo”, “FixMe”, “Kludge”, etc.)
3.	It provides a nice pie chart (for the entire codebase and for individual files) showing relative proportions of code, whitespace, comments, ‘ToDo’ style comments and bad code

I’ve tried to produce something which doesn’t return the large number of false positives that are returned by some tools and which also searches intelligently to identify buffer overflows and signed/unsigned comparisons.


====================================================================================
Latest additions to VCG V2.3.2
------------------------------------------------------------------------------------

New features:
	1)	GUI change means that target language selection is via a dropdown list instead of menu (as in V2.3.1).
	2)	Beta functionality now includes the scanning of R Script (as in V2.3.1).
	3)	Minor bug fixes to deal with various issues and restore the allowing of multiple application instances.


====================================================================================
Using VCG
------------------------------------------------------------------------------------

Input Files/Codebase:

Before scanning the code, ensure that the correct language is selected, as VCG will only test for issues related to the selected language and only scan the relevant file types. The language can be selected in the Settings menu or the Options dialog.
Select the directory which contains the code to be scanned using File=>New Target...
VCG will then load all files that have the specified endings. 

The defaults are below but these can be modified using the Options dialog:
C/C++:	.c .h .cpp .hpp
Java:	.java .jsp web.xml config.xml	(the xml files are included to check for input validation by Struts, etc.)
PL/SQL:	.pls .sql .pkb .pks
C#:	.cs .asp .aspx web.config	(the web.config file is included to check for input validation, debug settings, etc.)
VB:	.vb .asp .aspx web.config	(the web.config file is included to check for input validation, debug settings, etc.)
PHP:	.php php.ini			(the php.ini file is included to check for bad configs such as register_globals)
COBOL:	.cob .cbl .clt .cl2 .cics
R:	.r

------------------------------------------------------------------------------------

Options and Settings:

File types - 	Use this to alter the types of file that VCG will scan for each code type. To scan all files in a directory add .* to the list or delete all types and submit an empty string.
Config files -	Specify a configuration file for each language. This holds a listing of any functions or code fragments that may be considered a risk and require reporting. This feature essentially adds an additional layer of checks on top of the more complex operations carried out as part of the code scan.
Severity -	VCG can be set to only report errors above a certain level of severity. e.g. Select 'Medium' to only get Medium, High and Critical in the report.
COBOL settings - The initial column should be specified - i.e. the first column after the line numbers. This will generally be 1 for a listing with no line numbers or 7 for a listing which includes line numbers. A different setting may be required if the code/comment lines in the listing begin in a different column. The z/OS setting can be used to include checks for safe use of the CICS API, etc.
OWASP Settings (Java only) - If selected, these will identify two violations of OWASP best practice for Java programming listed on the OWASP secure coding pages: nested classes and non-final public classes. As there are likely to be large numbers of these violations without a great deal of risk, the option is given to turn off either of these scans.
Output file -	ASCII output will be written to this file if selected.
Beta functionality -	Select whether to use any beta functionality by clicking the appropriate checkbox in Options -> Beta Functionality. Currently available beta functionality is locating Signed/Unsigned Comparisons in C (very unreliable) and scanning of R (tested and working reasonably well - close to inclusion in the next release).

------------------------------------------------------------------------------------

Scanning:

The scan can be carried out in any of the following ways:
1. Comments Only -	VCG attempts to identify any comments that indicate broken or unfinished code based on a list of around 16 phrases that typically feature in such comments ('ToDo', 'FixMe', etc.)
2. Code Only - 		VCG scans and reports on potential code security issues and any dangerous functions etc. from the config file that are located in the code.
3. Dangerous Functions Only -	VCG scans and reports only on any dangerous functions etc. from the config file that are found in the code.
4. Code, Dangerous Functions & Comments -	Also known as a Full Scan in the Scan menu, this is a combined scan of both code and comments covering all of the above.

------------------------------------------------------------------------------------

Configuration Files:

Configuration files exist for each of the six languages that VCG scans. These provide an additional layer of scanning to supplement the built-in complex scans for each language.
The content of the configuration files consists of a list of functions/code fragments to scan for, along with an associated description to appear in the results. The description may include an optional severity setting in square brackets and is separated from the function name by '=>', in the following format:
function name[=>][[N]][description]
(where N is a severity rating from 1 (Critical) to 3 (Medium), or optionally 0 for 'normal')

For example:
strcat=>[3]String concatenation function which facilitates buffer overflow conditions. Appears in Microsoft's banned function list.


------------------------------------------------------------------------------------

Output:

The Visual Code Breakdown will be shown when scanning has finished.

Results are written to the results pane in the order they have been located. Results have the following format:
SEVERITY: Code issue
Line number - File name
Description
[code fragment]
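As an added example (not VCG's own code, which is VB.NET), here is a small Python grepper that reads a config file in the "function=>[N]description" format described above, scans source lines for those functions and for a few of the broken-code comment phrases, applies the severity filter, and renders findings in the results-pane layout. The sample config and C source are constructed for the example, and the skipping of '#' lines in the config and the word-boundary matching are assumptions of this example rather than documented VCG behaviour.

```python
import re
from dataclasses import dataclass
from typing import List
# README severity codes (1 Critical, 2 High, 3 Medium, 0 Normal) and their rank for the
# "only report at or above this severity" option (higher rank = worse).
SEVERITY_NAMES = {1: "CRITICAL", 2: "HIGH", 3: "MEDIUM", 0: "STANDARD"}
SEVERITY_RANK = {1: 3, 2: 2, 3: 1, 0: 0}
COMMENT_PHRASES = ("todo", "fixme", "kludge")  # a few of the README's broken-code phrases
# name[=>][[N]][description]: the [N] part is optional and defaults to 0.
CONFIG_LINE = re.compile(r"^(?P<name>.+?)\s*=>\s*(?:\[(?P<sev>[0-3])\])?\s*(?P<desc>.*)$")
# Constructed sample config (not VCG's shipped cppfunctions.conf).
SAMPLE_CONFIG = """\
strcat=>[3]String concatenation function which facilitates buffer overflow conditions.
gets=>[1]Reads a line with no bounds check and can never be used safely.
system=>This function allows execution of commands.
"""
# Constructed sample C source; line numbers are 1-based as in VCG's results pane.
SAMPLE_CODE = """\
/* TODO: replace strcat with a bounded copy */
void append(char *dst, const char *src) {
    strcat(dst, src);
    strncat(dst, src, 4);
    gets(dst);
    system("ls");
"""

@dataclass
class Rule:
    name: str
    severity: int
    description: str
    pattern: re.Pattern

@dataclass
class Finding:
    severity: str
    title: str
    line_no: int
    file_name: str
    description: str
    fragment: str

    def render(self) -> str:  # the four-line layout the README gives for the results pane
        return (f"{self.severity}: {self.title}\n{self.line_no} - {self.file_name}\n"
                f"{self.description}\n[{self.fragment}]")

def parse_config(text: str) -> List[Rule]:
    """Parse 'function=>[N]description' lines; blank and '#' lines are skipped (an assumption)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONFIG_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed config line: {raw!r}")
        # re.escape makes e.g. sun.misc.Unsafe match only literally; \b stops strcat matching in strncat.
        pattern = re.compile(r"\b" + re.escape(m.group("name")) + r"\b")
        rules.append(Rule(m.group("name"), int(m.group("sev") or 0), m.group("desc").strip(), pattern))
    return rules

def scan(code: str, file_name: str, rules: List[Rule], min_severity: int = 0) -> List[Finding]:
    findings = []  # reported in the order they are located, as in the results pane
    for line_no, line in enumerate(code.splitlines(), start=1):
        text = line.strip()
        if text.startswith(("//", "/*", "*")):  # comment line: phrase check only, no function grep
            if any(p in text.lower() for p in COMMENT_PHRASES):
                findings.append(Finding("COMMENT", "Suspicious comment indicating broken code",
                                        line_no, file_name, "Comment suggests unfinished code.", text))
            continue
        for rule in rules:
            if SEVERITY_RANK[rule.severity] >= SEVERITY_RANK[min_severity] and rule.pattern.search(line):
                findings.append(Finding(SEVERITY_NAMES[rule.severity], f"Potentially Unsafe Code - {rule.name}",
                                        line_no, file_name, rule.description, text))
    return findings
```

Calling `scan(SAMPLE_CODE, "sample.c", parse_config(SAMPLE_CONFIG), min_severity=2)` keeps only the comment and the Critical `gets` finding, mirroring the Severity option above.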


The issue title has the following colour codes for clarity:
Critical - Magenta
High - Red
Medium - Orange
Standard/Normal - Yellow/Sepia
Low - Grey-Blue
Potential Issue/Best Practice - Green
Suspicious comment indicating broken code - Dark Blue


Results are also written to the summary table in an abbreviated form, where they can be ordered by clicking on column headings. Double-clicking an item in the results table loads the file in its associated application.


These results can be saved as ASCII text by clicking File=>Save Results...
The results can be saved as XML by clicking File=>Export Results as XML...
A set of results filtered on severity can be saved as XML by right-clicking in the Results window and clicking Export Filtered XML Results...
The results can be saved to a CSV file by clicking File=>Export Results as CSV...


------------------------------------------------------------------------------------

Command Line Parameters:

Usage:  VisualCodeGrepper [Options]

STARTUP OPTIONS:
	(Set desired starting point for GUI. If using console mode these options will set target(s) to be scanned.)
	-t, --target <Filename|DirectoryName>:	Set target file or directory. Use this option either to load target immediately into GUI or to provide the target for console mode.
	-l, --language <CPP|PLSQL|JAVA|CS|VB|PHP|COBOL|R>:	Set target language (Default is C/C++).
	-e, --extensions <ext1|ext2|ext3>:	Set file extensions to be analysed (See ReadMe or Options screen for language-specific defaults).
	-i, --import <Filename>:	Import XML/CSV results to GUI.

OUTPUT OPTIONS:
	(Automagically export results to a file in the specified format. Use XML or CSV output if you wish to reload results into the GUI later on.)
	-x, --export <Filename>:	Automatically export results to XML file.
	-f, --csv-export <Filename>:	Automatically export results to CSV file.
	-r, --results <Filename>:	Automatically export results to flat text file.

CONSOLE OPTIONS:
	-c, --console:		Run application in console only (hide GUI).
	-v, --verbose:		Set console output to verbose mode.
	-h, --help:		Show help.

====================================================================================


vcg's Issues

Copy path to clipboard

New Feature Request - Provide a mechanism to copy the path of the source-code file, relative to the target directory, to the clipboard for easy inclusion in external documents.

How to build the application?

Hi Team,

I am trying to make a code change suggested in this issue -#6
But how do I build this to generate the modified exe? I couldn't find any information on how to build the application. I am getting the issue below when trying to build -

C:\Program Files\dotnet\sdk\6.0.415\Microsoft.Common.CurrentVersion.targets(3262,5): error MSB4216: Could not run the "
GenerateResource" task because MSBuild could not create or connect to a task host with runtime "NET" and architecture "
x86".  Please ensure that (1) the requested runtime and/or architecture are available on the machine, and (2) that the
required executable "C:\Program Files\dotnet\sdk\6.0.415\MSBuild.dll" exists and can be run.

My specs -
Windows 11 Enterprise - x64
dotnet version -6.0.415

Thanks

JavaScript is not recognized by VCG

I have a JavaScript file which is not recognized by VCG in the Windows GUI. I have tried to change the suffixes to .java, .jsp, .jspf but with no success. Any suggestion?

VCG not analysing files with extension ".sql"

Hi everybody,

I'm trying to automate the analysis of SQL script files via the command line (and later on Jenkins) and VCG is not picking these files up.
For test reasons I duplicated one of my files and changed the extension from "sql" to "pls" and VCG analysed it correctly; the same file with extension "sql" was ignored,
although "sql" is mentioned as a default extension for PL/SQL analysis in the readme file.

I ran the following command:

 VisualCodeGrepper.exe --console --language PL/SQL --export C:\somepath\vcg_result_sql.xml --target C:\somecodepath

BTW: ".sql" is not listed as default file extension in the GUI of VCG either.

Thanks for your help

Best regards

Akki

Missing License

Hi there,

Can you create a LICENSE for this project? I'd love to learn and contribute more but without a license it wont go anywhere.

Thanks

[Feature Request] Make multithreaded

Scanning large code bases with VCG can be very slow. It would be great if the scanning engine were multithreaded so as to reduce the required scan times.

Linux usage

Hi, is there a way to compile and run it on linux without visual studio? Can I use this via command line?

VisualCodeGrepper on Linux

Can we run VisualCodeGrepper on Linux? I am trying to use it in CentOS, which is running in a docker container, using WINE, but I am getting issues like X server is not running and $DISPLAY is not set properly.
Can someone please let me know if we can run it on Linux terminal?

Unhandled Exception Error

Came by this issue a while ago, forgot to report it.

The following file:
https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/cinepak.c

When given to VCG it triggers an unhandled exception.
At this point the current scan freezes/halts but the main program does not terminate.



************** Exception Text **************
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at VisualCodeGrepper.CodeTracker.CompareBufferLengths(String SourceBuffer, String DestinationBuffer, Boolean IsStrN, Int32 SizeLimit, Boolean IsCat)
at VisualCodeGrepper.CodeTracker.CheckOverflow(String CodeLine, String FileName)
at VisualCodeGrepper.modCppCheck.CheckBuffer(String CodeLine, String FileName)
at VisualCodeGrepper.modCppCheck.CheckCPPCode(String CodeLine, String FileName)
at VisualCodeGrepper.modMain.CheckCode(String CodeLine, String FileName)
at VisualCodeGrepper.frmMain.ScanFiles(Boolean CommentScan, Boolean CodeScan)
at VisualCodeGrepper.frmMain.FullScan()
at VisualCodeGrepper.frmMain.StartScanningToolStripMenuItem_Click(Object sender, EventArgs e)
at System.Windows.Forms.ToolStripItem.RaiseEvent(Object key, EventArgs e)
at System.Windows.Forms.ToolStripMenuItem.OnClick(EventArgs e)
at System.Windows.Forms.ToolStripItem.HandleClick(EventArgs e)
at System.Windows.Forms.ToolStripItem.HandleMouseUp(MouseEventArgs e)
at System.Windows.Forms.ToolStripItem.FireEventInteractive(EventArgs e, ToolStripItemEventType met)
at System.Windows.Forms.ToolStripItem.FireEvent(EventArgs e, ToolStripItemEventType met)
at System.Windows.Forms.ToolStrip.OnMouseUp(MouseEventArgs mea)
at System.Windows.Forms.ToolStripDropDown.OnMouseUp(MouseEventArgs mea)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
at System.Windows.Forms.ToolStrip.WndProc(Message& m)
at System.Windows.Forms.ToolStripDropDown.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


CWE mapping

Hi!
I am doing research on many different SAST applications for the final project of my cybersecurity master's, and I've reached VCG. After some tests, I wanted to have an OWASP Benchmark of this tool, but I've realized there is no reader for VCG in it.
Anyway, I am up for developing this integration, but there is a handicap because the tool does not report the CWE number of the code issues it finds.
Does anyone know how I could map these code issues to CWE numbers in order to integrate it into OWASP Benchmark?
Thankssss :)

False positive sun.misc.Unsafe

Hi,

When scanning Java code VCG seems to find sun.misc.Unsafe on every code line. Ex:
MEDIUM: Potentially Unsafe Code - sun.misc.Unsafe
Line: 22 - C:\Temp\apigw-test\CertifiedClientDetailsServiceImpl.java
This package allows direct access to memory locations, potentially resulting in C-style memory and buffer issues if not used carefully.

MEDIUM: Potentially Unsafe Code - sun.misc.Unsafe
Line: 42 - C:\Temp\apigw-test\CertifiedClientDetailsServiceImpl.java
This package allows direct access to memory locations, potentially resulting in C-style memory and buffer issues if not used carefully.

Line 22 contains: package org.apigw.authserver.svc.impl;
Line 42 contains: public class CertifiedClientDetailsServiceImpl implements CertifiedClientDetailsService {

Tried escaping dots (.) in javafunctions.conf but it didn't work.

PHP results - questions for understanding the issues

Thank you for providing the visual code grepper! PHP code allows for nasty fails, and it is good to have a tool to direct attention at critical code lines.

After running VCG over my PHP project, I received some warnings about potential issues that I do not understand properly. I would greatly appreciate some hints on why these lines might be dangerous:

(1) MEDIUM: Potentially Unsafe Code - Application Variable Used on System Command Line
Line: 162 - C:....\file01.php
The application appears to allow the use of an unvalidated variable when executing a command. Carry out a manual check to determine whether the variable is user-controlled.
($dir === 'system')

To my eye, this looks like a simple comparison between two strings.

(2) MEDIUM: Potentially Unsafe Code - Potential XSS
Line: 87 - C:...\file01.php
The application appears to reflect data to the screen with no apparent validation or sanitisation. It was not clear if this variable is controlled by the user.
echo 'Error 500: The file '.htmlspecialchars($uri).' is not within '.htmlspecialchars($ownFolder);

htmlspecialchars() is often used in PHP for creating output that won't reflect JavaScript and other HTML contents. Therefore, I had assumed that would be "apparent ... sanitisation". Would it not?

(3) STANDARD: Potentially Unsafe Code - system
Line: 199 - C:...\file01.php
This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
ini_set('error_log', 'system/logfiles/errorlog.txt');

Again, this looks like a simple function call on ini_set(), but VCG says that "this function allows execution of commands". Is that general advice against ini_set(), or does VCG interpret the path on the right-hand side to be a potential issue?

(4) STANDARD: Potentially Unsafe Code - system
Line: 199 - C:...\file02.php
This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
$f = fopen('../system/logfiles/somefile.txt', 'a');

Same here: Is this a simple warning against fopen() (which would be perfectly legitimate)?

Thank you for some advice on better understanding the code grepper's output!

Please provide a release version

Hello, I want to open a package request ticket in the scoop package manager for VCG. Please provide a release link if possible.
