Static Code Analysis - Visual Code Grepper
Static Code Analysis (SCA) is analysis performed on computer software without actually executing the code. SCA tools are used to discover issues and errors that are hard to find manually.
Developed by Nick Dunn and currently at version 2.1.0, Visual CG is a static code analysis tool for Java, C/C++, C#, PHP, VB and PL/SQL. It is designed to identify potentially bad or insecure code and warn its users about it. Once the file or directory containing the code is loaded into the software, it quickly scans it and outputs a detailed report of the issues it finds, giving the user the option of patching any vulnerability in their code.
Installation
VCG is a free and open source tool that is easy to use, and even easier to download and install. It is available to download from the links given below.
Once you have finished downloading the setup, run the installer to start the installation. Installation of this tool is done in 4 simple steps.
Usage
Once the installation is finished, a shortcut icon for this tool appears on your desktop. You can either start the app by clicking on the icon, or you can run VCG from the command line.
Running the GUI
Once you click on the icon the application starts and it looks like the following figure.
Next we need to specify what kind of code we want to analyze (Java, C/C++, C#, PHP, VB or PL/SQL). This is done by clicking Settings and then selecting the language we have used in our code.
Next we have to point VCG to the file/directory which contains the code we want to analyze. In order to do this you have to go to File -> New Target Directory/New Target File and select the specific folder. (If you have multiple class files inside the directory you selected, everything will be loaded into the application and each one will be analyzed. However, if you want to analyze only one file, make sure you select New Target File instead of New Target Directory.)
Once the folder is loaded, you can start the analysis of the code. To do this, go to Scan -> Full Scan. However, if you do not want the whole code to be scanned, you can choose another option. For example, if you want to exclude the comments from being analyzed, you can choose the Scan Code Only option.
Here, I have loaded a simple Java source file that checks whether a given number is odd or even.
After analyzing the code VCG outputs a pie chart of results, which represents the number of lines of code which were scanned, the overall whitespace, the overall comments, potentially broken or unfinished flags and potentially dangerous code.
In my case, VCG found 4 threats in my code (as denoted by Potentially dangerous code).
One great feature of VCG is that it lets you know the line number of the code with the vulnerability and the type of vulnerability it possesses.
Results are written to the results pane in the order they have been located. Results have the following format:
SEVERITY: Code issue
Line number - File name
Description
[code fragment]
The issue title has the following color codes for clarity:
Critical - Magenta
High - Red
Medium - Orange
Standard/Normal - Yellow/Sepia
Low - Grey-Blue
Potential Issue/Best Practice - Green
Suspicious comment indicating broken code - Dark Blue
If you go to the Summary Table pane you can see a brief summary of the potential threats along with their line numbers. If you right click on one of the lines, VCG prompts you to open the code in an editor of your choice in order to edit it.
Once VCG is done analyzing the code, you can save the analysis report on your computer in the form of a text, XML or CSV file.
Running VCG using the command prompt
VCG can also be run from the command prompt, without having to open the GUI. Here's how to do it.
First of all we need to go to the directory where we installed VCG and open a command window in that folder.
For a basic run, you can enter the following command:
Visualcodegrepper.exe -c -v -l -t --results
It will output the following result:
This lists the options we have to enter in order to analyze specific code without having to run the GUI, such as:
STARTUP OPTIONS:
(Set desired starting point for GUI. If using console mode these options will set target(s) to be scanned.)
-t, --target <Filename|DirectoryName>: Set target file or directory. Use this option either to load target immediately into GUI or to provide the target for console mode.
-l, --language <CPP|PLSQL|JAVA|CS|VB|PHP>: Set target language (Default is C/C++).
-e, --extensions <ext1|ext2|ext3>: Set file extensions to be analyzed (See ReadMe or Options screen for language-specific defaults).
-i, --import <Filename>: Import XML/CSV results to GUI.
OUTPUT OPTIONS:
(Automatically export results to a file in the specified format. Use XML or CSV output if you wish to reload results into the GUI later on.)
-x, --export <Filename>: Automatically export results to XML file.
-f, --csv-export <Filename>: Automatically export results to CSV file.
-r, --results <Filename>: Automatically export results to flat text file.
CONSOLE OPTIONS:
-c, --console: Run application in console only (hide GUI).
-v, --verbose: Set console output to verbose mode.
-h, --help: Show help.
Below is an example command:
Visualcodegrepper.exe -c -v -l Java -t C:\Users\DELLI5\Desktop\VCG --results C:\Users\DELLI5\Desktop\VCG\result.txt
Once we run this command, the program searches the given target directory; if it contains any files with Java code, it analyzes that code and saves the result in a text file.
Strengths of VCG
1. Not only does this tool perform complex checks, it also has a configuration file for each language that allows the user to run custom queries.
2. It tells its users the severity level of the vulnerabilities it finds in their code.
3. It searches for specific violations of OWASP recommendations.
4. This tool has been updated continually since its release in 2012.
Weaknesses of VCG
1. Even though it has the capability of analyzing many languages, the user always has to tell the tool what language their code is written in.
2. None of the vulnerabilities it finds can be fixed within the application itself -- users are prompted to use a separate editor for that.
3. It is not fully automated.
Great blog... This blog contains a lot of knowledge and information on code analysis tools. I found a good C# code analysis tool.

I have a Java code file in the vul folder; when I am scanning from the CLI it is not writing anything to the out.txt file. It is blank. However, when I am scanning using the GUI it is showing vulnerabilities. Kindly suggest what can be done.
Visualcodegrepper.exe -c -v -l Java -t C:\Users\Z004H61R\Downloads\vul -r C:\Users\Z004H61R\Downloads\vul\out.txt