Recent changes to Home

Discussion for Home page

N1ckDunn — Fri, 23 May 2014 07:08:08 -0000

New version 1.6.1 added with improved GUI options and additions to PHP scanning.

Discussion for Home page

N1ckDunn — Sun, 16 Jun 2013 21:43:05 -0000

Minor bugfix - Version 1.5.1.1 has a change to deal with some uncommon constructions which could cause exceptions in the Java scan.

Discussion for Home page

N1ckDunn — Mon, 03 Jun 2013 17:19:04 -0000

Emergency bug-fix:
I have just released version 1.5.1 which fixes a broken regex in the Java scan.

Discussion for Home page

N1ckDunn — Thu, 30 May 2013 16:46:08 -0000

V 1.5.0 - Major Update:
New features:
1. New facility to scan VB code (including ASP.NET code).
2. Additional checks in Java scan:
a) Unsafe usage of doPrivileged blocks.
b) Unsafe use of RequestDispatcher.
c) Entity Expansion deliberately enabled.
d) Mathematical operations on primitive data types, use of user-controlled variables in mathematical operations on primitive data types (Risk of overflow)
e) Checking that filestream resources are released correctly in try ... catch blocks.
3. Additional checks for default error messages and .NET debugging in the web.config file for C# and VB code.

Bugfixes:
1. Improvements to the check for insecure use of Response.Redirect in ASP code.
2. Fixes to the check for case-insensitive password matching in ASP C# code.
3. Some improvements to the GUI:
a) Menu items for scanning the code only enabled when target files are loaded.
b) Colour coding added to 'Standard Level' issues to aid readability and to stop this section appearing as a block of black text.

Discussion for Home page

N1ckDunn — Mon, 15 Apr 2013 15:27:38 -0000

V 1.4.3 - Important bug fix
There is a very important update to eliminate a bug which resulted in false positives and false negatives in the buffer overflow detection for C++ code. I’d suggest you use the latest version for any C++ scans.
There are some additional searches for weak ciphers.

Future plans - I am intending to add some functionality to deal with VB and Perl.

Discussion for Home page

N1ckDunn — Sat, 23 Mar 2013 14:17:34 -0000

Update with some bug fixes and improvements to scanning:
1. Fix for a bug which prevented checkbox state from being correctly maintained for filtered results.
2. C++ - Signed/Unsigned comparison has been modified to further reduce the number of false positivies.
3. Improved SQL injection detection in PL/SQL scan.
4. 'Transactional controls' now have a more appropriate rank and description for PL/SQL scan.
5. Improved XSS detection in Java scan.

Discussion for Home page

N1ckDunn — Wed, 20 Feb 2013 17:30:31 -0000

Emergency update...
V1.4.1 fixes a major bug which prevented the XML export from working and minor bugs in the rich text results sorting.

Discussion for Home page

N1ckDunn — Tue, 12 Feb 2013 06:43:47 -0000

Latest version (V1.4.0) added – a couple of bug-fixes to reduce false positives and some UI changes to make life easier (you can now filter results after the scan as well as before the scan and can mark items in the results list to help you mark completed items or false positives during a review)

The full details are…
UI changes:
1. The application no longer loads new files immediately after clicking a directory in the list view. This should make things less annoying, remove a minor bug and allow you to select a previous directory and then modify it slightly without having to wait for files to load.
2. Results can now be filtered by Severity.
3. It is now possible to export both complete versions and filtered versions of results to XML.
4. The listview/results table now allows items to be marked to assist in the review process. A checkbox is provided which highlights the item in green to allow marking of false positives, reviewed items, etc.
5. Issues ranked as 'Low' are now shown in 'grey-blue' in the rich text display to distinguish them from issues ranked as 'Standard'.

Bugfixes and improvements:
1. C++ - Signed/Unsigned comparison has been modified to further reduce the number of false positives (possible further improvements to be made)
2. Fix to remove false positives for 'Exception Throw in Destructor' in C++ scan.

Discussion for Home page

N1ckDunn — Sun, 27 Jan 2013 14:55:43 -0000

The latest version of VCG has now been added (V1.3.1)
This incorporates some minor bugfixes to prevent '/*/' breaking the comment parsing and further reduce false positives in the detection of signed/unsigned comparisons for C/C++ code.

Discussion for Home page

N1ckDunn — Wed, 16 Jan 2013 23:35:15 -0000

The latest version of VCG has now been added (V1.3.0)

There is, one major innovation and one minor innovation (along with a couple of bugfixes):
1. VCG now scans C# code
2. In order to make life more pleasant for everyone, any code fragments that appear in the Results window are now in Courier New font.