Results tagged “code review” from Just Another Hacker

Graudit 1.8 released

The next (long overdue) graudit version is out! Just in time for those who want to do some hacking during the holidays.
  • -L operator does vim friendly line numbers
  • Man pages and documentation updates
  • PHP signature updates
  • JSP signature updates
  • Dotnet signature updates
  • Perl signature updates and bug fixes
  • Python signature updates
  • Bug fixes for aux/ scripts
  • More aux/ scripts
  • Fixed ignore CVS directories by default

Package maintainers should note that graudit now has a man page. The install section of the Makefile does not currently place it anywhere, so please patch for the appropriate location. I will add more distro neutral updates to the Makefile for the next release. This release fixes some of the broken whitespace neutral rules I added last release. For the perl users, I'm sorry.

Big thanks to the people who contributed with patches, bug reports and feedback. Keep them coming!

You can download the latest version from the graudit download page.
Happy Christmas!

It is time for another graudit release, and this time it includes some big changes.
  • New PHP signatures
  • Improved C signatures for fewer false positives
  • Improved dotnet signatures
  • Whitespace neutrality for all signatures
  • -l operator lists available databases
  • -x operator for excluding files
  • configure script added to make chain
  • Makefile install targets changed, install is now server wide
Package maintainers should take note of the last change. The Makefile currently supports the old-style home directory install (make user install), but that is deprecated and will be dropped, as ./configure --prefix /home/user/bin --dbdir /home/user/.graudit;make install does the same thing.
I have also added some scripts from my talks, you can find them in the aux directory. There are no install rules for them so they are only available from within the graudit-1.7_src tarball. My thanks to the people who contributed with patches and bug reports, keep them coming.

You can download the latest version from the graudit download page.

After a short hiatus I am happy to deliver the next graudit release. Version 1.6 introduces three new databases: c, dotnet and "all". The all database is a combined database of all the distributed signatures so you can more easily scan multi-language projects. The rough database has also been deprecated. As usual there are some new features, bug fixes and signature tweaks; see the changelog for the full details.

You can download the latest version from the graudit download page.
Please note that with the current changes to the test suite there is no development (.src.tar.gz) release. If you are a package maintainer or otherwise wish to use the development release you can either clone the git repository or wait for the upcoming 1.7 release.

Graudit version 1.5 released

The latest version of graudit is out. Notable changes are:
  • New features for server wide install
  • Source distro file for package maintainers
  • Signature bug fixes
  • New php, python and perl signatures
  • Deprecating the rough signature set
  • Fixed graudit usage text
  • Improved documentation
  • Several color modes supported
You can obtain the latest version from the graudit download page.

Graudit version 1.4 released

This will be a short-lived release; it's actually more like 1.5RC1. Anyway, there are some improvements to the PHP signatures, so if you really can't wait until the start of December for version 1.5, then grab a copy from the graudit download page.

Download graudit

Please use the links below to download your preferred graudit release. We recommend that you use the latest release, or even stay up to date by using our github repository.


Graudit version 1.3 released

The latest version of Graudit is here, version 1.3. The most exciting news about this release is the added support for ASP and JSP. That's right, Graudit now supports 5 languages.
There are also some new signatures and bug fixes for the existing rules.

You can obtain the latest version from the graudit download page.

I attended this month's OWASP Melbourne meeting. It's been a while since I attended one and the talks this month were too good to miss.

Matthew Hackling - Australian Prudential Practice Guide 234
I missed the start of this thanks to my reading comprehension which saw me waste $4 on parking at Deloitte's old offices in QV. I'll be following the development on this closely.

The second presentation was
Richard Farrell - Static Source Code Analysis - What, why, when and how?
Although the world of static analysis hasn't had any earth-shattering breakthroughs lately, it was very good to see how the enterprise solutions integrate and work. I wish I'd had more time to stay around and play, perhaps another time.

Graudit version 1.2 release

Graudit version 1.2 is finally out. It fixes several gripes I (and others) have had with some of the signatures. There are fewer false positives, the default signatures are aimed at easier-to-detect vulnerabilities, and there is a new signature set called other which focuses more on comments left by developers. There are some bug fixes and better POSIX compliance for graudit, and better documentation (it should be better still). And finally, if you get yours from github there is a Makefile and a basic test harness in place to ensure that future releases remain "quality".

Most notably though, the signature changes are what most people will enjoy.

You can obtain the latest version from the graudit download page.

Benchmarking graudit

Benchmarking might not be the correct term, as graudit does not have the capacity to determine whether a signature match is in fact a vulnerability or not. It only highlights a potential problem area so you can pay closer attention to it. Like most signature-based approaches it does stand a fairly good chance of catching low-hanging fruit, but certain kinds of vulnerabilities will remain impossible to detect. Nonetheless, I am aiming to improve the standard of the signature sets, so from now on graudit will be "benchmarked" on each release.

To avoid writing signatures for specific vulnerabilities I am using two vulnerable applications to benchmark graudit with:

* Mutillidae
* Damn Vulnerable Web Application

My hope is to approximate 100% low and 75% medium detection rate by version 2.0. Now to find some non-PHP equivalents for the other languages.

Graudit

GRAUDIT
Graudit is a simple script with signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

Graudit supports scanning code written in several languages: asp, jsp, perl, php and python.

USAGE
Graudit supports several options and tries to follow good shell practices. For a list of the options you can run graudit -h or see below. The simplest way to use graudit is:
graudit /path/to/scan

DEPENDENCIES
Required: bash, grep, sed

DOCUMENTATION
See the readme file and frequently asked questions.

DOWNLOAD
You can download the latest version from the graudit download page.

SOURCE
Graudit is available from github; you can check the github project page or check it out directly using git from git://github.com/wireghoul/graudit.git

Graudit version 1.1 is out

So with little fanfare I present to you the first proper release of graudit. If you did not already know, graudit is a rough code auditing tool for dynamic languages.
In all honesty it is just a bash script that uses grep with several regular expressions to highlight potential problem areas in source code. The results are comparable to that of other rough auditing tools such as rats or flaw-finder.
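
The approach described above, as an added example that is not graudit's code and does not use its signature databases: two constructed signature files are run with grep over a constructed PHP sample, showing what whitespace-neutral patterns catch that strict ones miss and that a CVS directory stays out of the results. The function names (scan, count_hits, make_fixture), the patterns and the sample files are all assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration of grep-driven signature scanning. Not graudit's source
# and not its signatures: every pattern and sample file here is constructed.

# scan SIGDB PATH: print file:line:text for each line matching any signature.
# -r recurse, -n line numbers, -E extended regex, -f one pattern per line.
scan() {
    grep -rnE --exclude-dir=CVS -f "$1" "$2"
}

# count_hits SIGDB PATH: number of flagged lines. grep exits 1 when nothing
# matches, which is a valid result here, so that status is treated as success.
count_hits() {
    { scan "$1" "$2" || [ "$?" -eq 1 ]; } | wc -l | tr -d ' '
}

# make_fixture DIR: write the constructed sample tree and two signature files.
make_fixture() {
    mkdir -p "$1/src/CVS"
    printf '%s\n' '<?php' \
        'eval ($_GET["c"]);' \
        'system( $_POST["cmd"] );' \
        'echo "done";' > "$1/src/page.php"
    # Stale copy inside version-control metadata; it must not be reported.
    printf '%s\n' 'eval($_GET["old"]);' > "$1/src/CVS/page.php"
    # Strict signatures: assume no whitespace around the parenthesis.
    printf '%s\n' 'eval\(\$_(GET|POST)' \
        'system\(\$_(GET|POST)' > "$1/strict.db"
    # Whitespace-neutral signatures: optional blanks allowed at each joint.
    printf '%s\n' 'eval[[:space:]]*\([[:space:]]*\$_(GET|POST)' \
        'system[[:space:]]*\([[:space:]]*\$_(GET|POST)' > "$1/neutral.db"
}

demo() {
    demo_dir=$(mktemp -d)
    make_fixture "$demo_dir"
    echo "strict hits:  $(count_hits "$demo_dir/strict.db" "$demo_dir/src")"
    echo "neutral hits: $(count_hits "$demo_dir/neutral.db" "$demo_dir/src")"
    scan "$demo_dir/neutral.db" "$demo_dir/src"
    rm -rf "$demo_dir"
}
demo
```

Each hit is only a line worth reading more closely; the match says nothing about whether the flagged call is actually reachable with untrusted input.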

You can obtain the latest version from the graudit download page.
This weblog is licensed under a Creative Commons License.