Menu

VCG - Overview

N1ckDunn

VCG is an automated code security review tool. It's basically intended to perform the function of quickly bringing back a set of reasonably accurate results for situations such as short term contracts or tight deadlines where the reviewer needs any help they can get in identifying issues quickly.
(I'm not claiming that it will bring back a definitive list of all issues or no false positives but I have experienced a smaller number of false positives than with other free tools)

At the moment it handles C/C++, Java and PL/SQL but it has a couple of features that should hopefully set it apart from other free tools:

  1. In addition to performing some more complex checks it also has a config file for each language that basically allows you to add any bad functions (or other text) that you want to search for such as the Microsoft 'banned functions' list, Java functions which process user input, 'EXECUTE IMMEDIATE' in PL/SQL, etc.
  2. The application itself deals with the complex stuff internally (buffer overflows, signed/unsigned comparisons, etc.) so the config files mentioned above basically provide an additional layer of extra checks that a user may or may not want and can modify accordingly.
  3. Results are ranked by severity to assist the user during assessment.
  4. It attempts to find a range of around 20 phrases within comments that can indicate broken code (“ToDo”, “FixMe”, “Kludge”, etc.)
  5. It provides a pie chart (for the entire codebase and for individual files) showing relative proportions of code, whitespace, comments, ‘ToDo’ style comments and bad code along with number of lines, percentages, etc.

I’ve tried to produce something which doesn’t return the large number of false positives that are returned by some free tools and which also searches intelligently to identify security issues such as buffer overflows, signed/unsigned comparisons, etc. in C; XSS, SQLi, unsafe clone methods, etc. in Java and can be viewed as reasonably dependable.
The installer has a set of config files for the above-mentioned simple scans. The C/C++ file includes all of the Microsoft banned functions from Michael Howard's web apges and the Java file includes OWASP functions that require further investigation.

We’re hoping it should be quite useful and I’ve tested it out against known bad code with reasonable results.
If anyone uses it then it would be great to hear your feedback and suggestions, particularly if you feel it’s failing to identify certain issues, bringing incorrect results or if you feel the GUI is awkward or missing useful features.

MongoDB Logo MongoDB