Home

Welcome to your wiki!

This is the default page, edit it as you see fit. To add a new page simply reference it within brackets, e.g.: [SamplePage].

The wiki uses Markdown syntax.

Project Admins:

• N1ckDunn

[N1ckDunn]

The latest version of VCG has now been added (V1.1)

Changes and improvements include a number of bugfixes along with the following:

1. All issues now start with default text to indicate their severity ('HIGH', 'MEDIUM', etc.) to make searches easier.
2. Ctrl + F is now tied to the search function for the Results pane.

There are some scanning improvements:

1. Java - I've made some changes to the XSS scanning so it should now catch a type of occurrence that it was missing before (it worked against obvious examples in my test file)
2. Java - It should also now locate some potential race conditions (this is not expected or meant to be comprehensive but it will find some of them)
3. Java - Reports large synchronized blocks of code to help reduce risk of unnecessary locking of resources.
4. C++ - It now recognises signed/unsigned comparisons

Other additions:

1. More shortcut keys:
   F5 or Ctrl+R => Scan
2. Results can be exported to/imported from XML (not that useful at the moment but it's there if you want it :-) )
3. Double clicking an item in the summary table loads the file in its associated application
4. You can now report by severity (only show items higher than standard or higher than low, etc.) There's a drop-down list in the options screen for this
5. GUI modification to show a progress bar when loading files and saving results in order to improve user experience.

Let me know if you have more comments/suggestions - just send them on to vcgapplication(a)gmail.com
If you notice anything isn't working properly just let me know and I'll take a look at it.

[N1ckDunn]

The latest version of VCG has now been added (V1.3.0)

There is, one major innovation and one minor innovation (along with a couple of bugfixes):

1. VCG now scans C# code
2. In order to make life more pleasant for everyone, any code fragments that appear in the Results window are now in Courier New font.

[N1ckDunn]

The latest version of VCG has now been added (V1.3.1)
This incorporates some minor bugfixes to prevent '/*/' breaking the comment parsing and further reduce false positives in the detection of signed/unsigned comparisons for C/C++ code.

[N1ckDunn]

Latest version (V1.4.0) added – a couple of bug-fixes to reduce false positives and some UI changes to make life easier (you can now filter results after the scan as well as before the scan and can mark items in the results list to help you mark completed items or false positives during a review)

The full details are…
UI changes:

1. The application no longer loads new files immediately after clicking a directory in the list view. This should make things less annoying, remove a minor bug and allow you to select a previous directory and then modify it slightly without having to wait for files to load.
2. Results can now be filtered by Severity.
3. It is now possible to export both complete versions and filtered versions of results to XML.
4. The listview/results table now allows items to be marked to assist in the review process. A checkbox is provided which highlights the item in green to allow marking of false positives, reviewed items, etc.
5. Issues ranked as 'Low' are now shown in 'grey-blue' in the rich text display to distinguish them from issues ranked as 'Standard'.

Bugfixes and improvements:

1. C++ - Signed/Unsigned comparison has been modified to further reduce the number of false positives (possible further improvements to be made)
2. Fix to remove false positives for 'Exception Throw in Destructor' in C++ scan.

[N1ckDunn]

Emergency update...
V1.4.1 fixes a major bug which prevented the XML export from working and minor bugs in the rich text results sorting.

[N1ckDunn]

V1.4.2 - Update with some bug fixes and improvements to scanning:

1. Fix for a bug which prevented checkbox state from being correctly maintained for filtered results.
2. C++ - Signed/Unsigned comparison has been modified to further reduce the number of false positivies.
3. Improved SQL injection detection in PL/SQL scan.
4. 'Transactional controls' now have a more appropriate rank and description for PL/SQL scan.
5. Improved XSS detection in Java scan.

[N1ckDunn]

V 1.4.3 - Important bug fix
There is a very important update to eliminate a bug which resulted in false positives and false negatives in the buffer overflow detection for C++ code. I’d suggest you use the latest version for any C++ scans.
There are some additional searches for weak ciphers.

Future plans - I am intending to add some functionality to deal with VB and Perl.

[N1ckDunn]

V 1.5.0 - Major Update:
New features:

1. New facility to scan VB code (including ASP.NET code).
2. Additional checks in Java scan:
   a) Unsafe usage of doPrivileged blocks.
   b) Unsafe use of RequestDispatcher.
   c) Entity Expansion deliberately enabled.
   d) Mathematical operations on primitive data types, use of user-controlled variables in mathematical operations on primitive data types (Risk of overflow)
   e) Checking that filestream resources are released correctly in try ... catch blocks.
3. Additional checks for default error messages and .NET debugging in the web.config file for C# and VB code.

Bugfixes:

1. Improvements to the check for insecure use of Response.Redirect in ASP code.
2. Fixes to the check for case-insensitive password matching in ASP C# code.
3. Some improvements to the GUI:
   a) Menu items for scanning the code only enabled when target files are loaded.
   b) Colour coding added to 'Standard Level' issues to aid readability and to stop this section appearing as a block of black text.

[N1ckDunn]

Emergency bug-fix:
I have just released version 1.5.1 which fixes a broken regex in the Java scan.

[N1ckDunn]

Minor bugfix - Version 1.5.1.1 has a change to deal with some uncommon constructions which could cause exceptions in the Java scan.

[N1ckDunn]

New version 1.6.1 added with improved GUI options and additions to PHP scanning.