nccgroup / vcg
VisualCodeGrepper - Code security scanning tool.
License: GNU General Public License v3.0
Hi, is there a way to compile and run it on Linux without Visual Studio? Can I use this via the command line?
Hi Team,
I am trying to make a code change suggested in this issue: #6
But how do I build this to generate the modified exe? I couldn't find any information on how to build the application. I am getting the below issue when trying to build:
C:\Program Files\dotnet\sdk\6.0.415\Microsoft.Common.CurrentVersion.targets(3262,5): error MSB4216: Could not run the "GenerateResource" task because MSBuild could not create or connect to a task host with runtime "NET" and architecture "x86". Please ensure that (1) the requested runtime and/or architecture are available on the machine, and (2) that the required executable "C:\Program Files\dotnet\sdk\6.0.415\MSBuild.dll" exists and can be run.
My specs -
Windows 11 Enterprise - x64
dotnet version - 6.0.415
Thanks
Hi Team,
I am getting wrong line numbers for the vulnerable lines in the XML report that is generated when scanning from the command line. When I scan using the application, it is correct. Can anyone help me to fix this issue, or even guide me on what may be causing it?
Scanning large code bases with VCG can be very slow. It would be great if the scanning engine was multi-threaded so as to reduce the required scan times.
Hi there,
Can you create a LICENSE for this project? I'd love to learn and contribute more, but without a license it won't go anywhere.
Thanks
Hi,
When scanning Java code VCG seems to find sun.misc.Unsafe on every code line. Ex:
MEDIUM: Potentially Unsafe Code - sun.misc.Unsafe
Line: 22 - C:\Temp\apigw-test\CertifiedClientDetailsServiceImpl.java
This package allows direct access to memory locations, potentially resulting in C-style memory and buffer issues if not used carefully.
MEDIUM: Potentially Unsafe Code - sun.misc.Unsafe
Line: 42 - C:\Temp\apigw-test\CertifiedClientDetailsServiceImpl.java
This package allows direct access to memory locations, potentially resulting in C-style memory and buffer issues if not used carefully.
Line 22 contains: package org.apigw.authserver.svc.impl;
Line 42 contains: public class CertifiedClientDetailsServiceImpl implements CertifiedClientDetailsService {
Tried escaping dots (.) in javafunctions.conf but it didn't work.
Came by this issue a while ago, forgot to report it.
The following file:
https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/cinepak.c
When given to VCG triggers an unhandled exception.
At this point the current scan freezes/halts but the main program does not terminate.
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.
************** Exception Text **************
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at VisualCodeGrepper.CodeTracker.CompareBufferLengths(String SourceBuffer, String DestinationBuffer, Boolean IsStrN, Int32 SizeLimit, Boolean IsCat)
at VisualCodeGrepper.CodeTracker.CheckOverflow(String CodeLine, String FileName)
at VisualCodeGrepper.modCppCheck.CheckBuffer(String CodeLine, String FileName)
at VisualCodeGrepper.modCppCheck.CheckCPPCode(String CodeLine, String FileName)
at VisualCodeGrepper.modMain.CheckCode(String CodeLine, String FileName)
at VisualCodeGrepper.frmMain.ScanFiles(Boolean CommentScan, Boolean CodeScan)
at VisualCodeGrepper.frmMain.FullScan()
at VisualCodeGrepper.frmMain.StartScanningToolStripMenuItem_Click(Object sender, EventArgs e)
at System.Windows.Forms.ToolStripItem.RaiseEvent(Object key, EventArgs e)
at System.Windows.Forms.ToolStripMenuItem.OnClick(EventArgs e)
at System.Windows.Forms.ToolStripItem.HandleClick(EventArgs e)
at System.Windows.Forms.ToolStripItem.HandleMouseUp(MouseEventArgs e)
at System.Windows.Forms.ToolStripItem.FireEventInteractive(EventArgs e, ToolStripItemEventType met)
at System.Windows.Forms.ToolStripItem.FireEvent(EventArgs e, ToolStripItemEventType met)
at System.Windows.Forms.ToolStrip.OnMouseUp(MouseEventArgs mea)
at System.Windows.Forms.ToolStripDropDown.OnMouseUp(MouseEventArgs mea)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
at System.Windows.Forms.ToolStrip.WndProc(Message& m)
at System.Windows.Forms.ToolStripDropDown.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.6.106.0 built by: NETFXREL2STAGE
VisualCodeGrepper
Assembly Version: 2.0.1.0
Win32 Version: 2.0.1.0
Microsoft.VisualBasic
Assembly Version: 10.0.0.0
Win32 Version: 14.6.79.0 built by: NETFXREL2
System
Assembly Version: 4.0.0.0
Win32 Version: 4.6.79.0 built by: NETFXREL2
System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.6.79.0 built by: NETFXREL2
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.6.79.0 built by: NETFXREL2
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.6.93.0 built by: NETFXREL2STAGE
System.Configuration
Assembly Version: 4.0.0.0
Win32 Version: 4.6.79.0 built by: NETFXREL2
System.Xml
Assembly Version: 4.0.0.0
Win32 Version: 4.6.79.0 built by: NETFXREL2
System.Runtime.Remoting
Assembly Version: 4.0.0.0
Win32 Version: 4.6.79.0 built by: NETFXREL2
System.Windows.Forms.DataVisualization
Assembly Version: 4.0.0.0
Win32 Version: 4.6.79.0
************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.
For example:
When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.
Can we run VisualCodeGrepper on Linux? I am trying to use it on CentOS, which is running in a Docker container, using WINE, but I am getting issues like "X server is not running" and "$DISPLAY is not set properly".
Can someone please let me know if we can run it from a Linux terminal?
I have given some sample code in C# where, for some statements, the tool doesn't raise a complaint. In our project we have lots of code written in some of those ways. Could you kindly clarify in this regard?
Hello, I want to open a package request ticket in the scoop package manager for VCG. Please provide a release link if possible.
why not?
Thank you for providing the visual code grepper! PHP code allows for nasty fails, and it is good to have a tool to direct attention at critical code lines.
After running VCG over my PHP project, I received some warnings about potential issues that I do not understand properly. I would greatly appreciate some hints on why these lines might be dangerous:
(1) MEDIUM: Potentially Unsafe Code - Application Variable Used on System Command Line
Line: 162 - C:....\file01.php
The application appears to allow the use of an unvalidated variable when executing a command. Carry out a manual check to determine whether the variable is user-controlled.
($dir === 'system')
To my eye, this looks like a simple comparison between two strings.
(2) MEDIUM: Potentially Unsafe Code - Potential XSS
Line: 87 - C:...\file01.php
The application appears to reflect data to the screen with no apparent validation or sanitisation. It was not clear if this variable is controlled by the user.
echo 'Error 500: The file '.htmlspecialchars($uri).' is not within '.htmlspecialchars($ownFolder);
htmlspecialchars() is often used in PHP for creating output that won't reflect JavaScript and other HTML contents. Therefore, I had assumed that would be "apparent ... sanitisation". Would it not?
(3) STANDARD: Potentially Unsafe Code - system
Line: 199 - C:...\file01.php
This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
ini_set('error_log', 'system/logfiles/errorlog.txt');
Again, this looks like a simple function call on ini_set(), but VCG says that "this function allows execution of commands". Is that general advice against ini_set(), or did VCG interpret the path on the right-hand side to be a potential issue?
(4) STANDARD: Potentially Unsafe Code - system
Line: 199 - C:...\file02.php
This function allows execution of commands. It is dangerous with user controlled parameters and may facilitate direct attacks against the web server.
$f = fopen('../system/logfiles/somefile.txt', 'a');
Same here: Is this a simple warning against fopen() (which would be perfectly legitimate)?
Thank you for some advice on better understanding the code grepper's output!
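The three "system" hits above (a string comparison, a path in an ini_set() argument, a path in an fopen() argument) are what a grep-style scanner produces when it matches a dangerous function name as a bare substring, and the echo line is flagged because the scanner does not recognise htmlspecialchars() as sanitisation. The following Python script is an added example, not code from the post or from VCG: it runs a naive substring match beside a call-aware check that ignores string literals and requires the name to be followed by "(", and a simple echo check that only reports variables not wrapped in htmlspecialchars()/htmlentities(). The sample lines labelled file01.php/file02.php are taken from the post; the cmd.php and view.php lines are constructed to show a genuine hit.

```python
import re

# Sample input: the four lines quoted in the post above, plus two constructed
# lines (cmd.php, view.php) that really do call system() / reflect user input.
SAMPLE_LINES = {
    "file01.php:162": "if ($dir === 'system') {",
    "file01.php:199": "ini_set('error_log', 'system/logfiles/errorlog.txt');",
    "file02.php:199": "$f = fopen('../system/logfiles/somefile.txt', 'a');",
    "file01.php:87": "echo 'Error 500: The file '.htmlspecialchars($uri).' is not within '.htmlspecialchars($ownFolder);",
    "cmd.php:10": "system('ls -l ' . $_GET['path']);",   # constructed: real command execution
    "view.php:5": "echo 'Hello ' . $_GET['name'];",       # constructed: unescaped reflection
}

# Hypothetical list of PHP command-execution functions for this example.
DANGEROUS_CALLS = ["system", "exec", "passthru", "shell_exec"]

# Matches a PHP variable, optionally with one array index: $uri, $_GET['name']
VAR_RE = r"\$\w+(?:\[[^\]]*\])?"


def naive_hits(line):
    """Substring match: reproduces how a grep-style scanner flags the lines above."""
    return [name for name in DANGEROUS_CALLS if name in line]


def _strip_string_literals(line):
    # Blank out single- and double-quoted PHP strings so that a path such as
    # 'system/logfiles/...' cannot be mistaken for a call to system().
    return re.sub(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", "''", line)


def call_hits(line):
    """Flag a name only when it appears as a call: at a word boundary, followed by '(',
    outside string literals.  'shell_exec(' therefore does not also count as 'exec('."""
    code = _strip_string_literals(line)
    return [name for name in DANGEROUS_CALLS
            if re.search(r"(?<![\w$])" + re.escape(name) + r"\s*\(", code)]


def unescaped_echo(line):
    """Return the variables an echo/print line outputs without an htmlspecialchars()
    or htmlentities() wrapper; an empty list means every variable is escaped."""
    if not re.match(r"\s*(?:echo|print)\b", line):
        return []
    wrapped = set(re.findall(r"(?:htmlspecialchars|htmlentities)\s*\(\s*(" + VAR_RE + ")", line))
    return [v for v in re.findall(VAR_RE, line) if v not in wrapped]


def triage(lines=SAMPLE_LINES):
    """Run all three checks over a {location: code line} mapping."""
    return {loc: {"naive": naive_hits(src), "call": call_hits(src), "xss": unescaped_echo(src)}
            for loc, src in lines.items()}


if __name__ == "__main__":
    for loc, result in triage().items():
        print(loc, result)
```

Running it shows the three false positives from the post as naive hits with no call hit, the echo line with no unescaped variable, and the two constructed lines as the only real findings. The string-literal stripping is deliberately line-local and does not handle heredocs or multi-line strings, which is the same limitation a line-oriented scanner has.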
Hi!
I am doing research on many different SAST applications for the final project of my cybersecurity master's, and I've reached VCG. After some tests, I wanted to have an OWASP Benchmark of this tool, but I've realized there is no reader for VCG in it.
Anyway, I am up for developing this integration, but there is a handicap because the tool does not report the CWE number of the code issues it finds.
Does anyone know how I could map these code issues to CWE numbers in order to integrate it into OWASP Benchmark?
Thankssss :)
There isn't a problem. I just like what you do.
I have a JavaScript file which is not recognized by VCG in the Windows GUI. I have tried to change the suffixes to .java, .jsp, .jspf, but with no success. Any suggestions?
New Feature Request - Provide a mechanism to copy the path of the source-code file, relative to the target directory, to the clipboard for easy inclusion in external documents.
Hi everybody,
I'm trying to automate the analysis of SQL script files via the command line (and later on Jenkins), and VCG is not picking these files up.
For testing purposes I duplicated one of my files and changed the extension from "sql" to "pls", and VCG analysed it correctly; the same file with the extension "sql" was ignored,
although "sql" is mentioned as a default extension for PL/SQL analysis in the readme file.
I ran the following command:
VisualCodeGrepper.exe --console --language PL/SQL --export C:\somepath\vcg_result_sql.xml --target C:\somecodepath
BTW: ".sql" is not listed as default file extension in the GUI of VCG either.
Thanks for your help
Best regards
Akki