Tuesday, June 9, 2015

Source Code Analysis: Visual Code Grepper

Hello everyone~

Today let's talk about the topic of source code analysis.

You may recall that we talked earlier about vulnerability scanning. That is more of a system-level vulnerability check and falls under black-box testing. What we are talking about today, source code analysis, is the so-called code review: the program code itself is scanned to detect weaknesses, which can then be fixed in the code right away. This falls under the category of white-box testing.

In general software development, developers run unit tests during development. Before the Alpha release a code review is carried out, and the first pass of code scanning is mostly done by RD (the developers); before the release to Beta, it is handed over to QA for the final source code analysis. Because most developers do not have an information security background, source code analysis is a necessity.

Today we introduce a source code analysis tool: VCG (Visual Code Grepper). The reasons for choosing this tool are simply that it is freeware, and that it can scan a range of languages, including C/C++, C#, VB, PHP, Java, PL/SQL and so on. Besides clearly pointing out the risky lines of code, its test report suggests remediation and includes a chart showing the percentage of findings at each risk level; the scan results can also be saved as a text file for use in a formal test report.

Below is the illustrated walkthrough for this section:



Step 1: Download the installer from the official website or from the file link below.
VCG-Setup.msi
http://sourceforge.net/projects/visualcodegrepp/?source=typ_redirect

Step 2: After downloading "VCG-Setup.msi", double-click it to install the tool.

Step 3: The VCG Setup Wizard welcome screen appears. Click "Next".

Step 4: Select the installation folder. To install to a different folder, click "Browse" to change it; otherwise keep the default and click "Next".

Step 5: Confirm the installation and click "Next".

Step 6: Click "Yes" to continue the installation.

Step 7: Installation complete. Click "Close".

Step 8: Check the Start menu, then double-click "VisualCodeGrepper" to launch the tool's GUI.

Step 9: Select the language to scan and click "OK" to show the main GUI.


Step 10: Select the scanning language.
Settings | Java

Step 11: Select the target folder or file to scan.
File | New Target Directory... or New Target File...

Step 12: Select the target directory from your source code directory, then click "OK" (e.g. select the directory "TargetSourceCode").


Step 13: After the whole source tree is loaded, the window looks like below.

Step 14: Run a full scan.
Scan | Full Scan

Step 15: After the scan completes, tick "Always display Visual Breakdown after every scan" and click "OK".

Step 16: When the scan is finished, the Code Breakdown looks like below.

Step 17: The results look like below.

Step 18: Select "Target File" to show the scanned target files and their paths.

Step 19: Select "Summary Table" to show a results summary sorted in tables.



Step 20: Show the more detailed text results sorted by severity.
Scan | Sort Rich Text Results on Severity

Step 21: Show the more detailed text results sorted by file name.
Scan | Sort Rich Text Results on FileName

Step 22: Show the comments for fixing the issues.
Scan | Show All 'FixMe' Comments

Step 23: Show the results grouped by issue.
View | Group Rich Text Results by Issue

Step 24: Export and import results in XML or CSV format.

Step 25: Save the results as a text file.
File | Save Results as Text...
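To make the "grepper" idea behind Steps 20 to 25 concrete, here is a small Python sketch of what a tool like VCG does under the hood: it greps each source line against a rule list, attaches a severity and a FixMe comment to every hit, and can sort the findings by severity and file name or export them as CSV. This is an added example written for this post, not VCG's own code or rule set; the Java sample and the rules are constructed for illustration only.

```python
import csv
import io
import re

# Constructed Java sample (not from the blog post) with lines a grep-style
# scanner such as VCG would flag for review.
SAMPLE_JAVA = """\
public class Demo {
    void run(String user, Connection c) throws Exception {
        Statement s = c.createStatement();
        ResultSet r = s.executeQuery("SELECT * FROM t WHERE u='" + user + "'");
        Runtime.getRuntime().exec("ls " + user);
        int token = new java.util.Random().nextInt();
    }
}
"""

# Hypothetical rules: (issue, regex, severity, FixMe comment); higher = worse.
RULES = [
    ("OS command execution", r"Runtime\.getRuntime\(\)\.exec\(", 3,
     "FixMe: avoid shelling out; pass an argument array and validate input"),
    ("SQL built by string concatenation", r"execute(Query|Update)?\(.*\+", 3,
     "FixMe: use PreparedStatement with bound parameters"),
    ("Predictable random source", r"java\.util\.Random", 1,
     "FixMe: use java.security.SecureRandom for security-sensitive values"),
]

def scan_source(filename, source):
    """One finding per matching line, like VCG's rich-text results."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for issue, pattern, severity, fixme in RULES:
            if re.search(pattern, line):
                findings.append({"file": filename, "line": lineno, "issue": issue,
                                 "severity": severity, "fixme": fixme,
                                 "code": line.strip()})
    return findings

def sort_by_severity(findings):
    # Steps 20/21: most severe first, then by file name and line number
    return sorted(findings, key=lambda f: (-f["severity"], f["file"], f["line"]))

def to_csv(findings):
    # Step 24: export the sorted findings as CSV text
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["file", "line", "severity", "issue", "fixme", "code"])
    w.writeheader()
    w.writerows(sort_by_severity(findings))
    return buf.getvalue()
```

Calling `to_csv(scan_source("Demo.java", SAMPLE_JAVA))` yields a header plus three findings, the two severity-3 hits first.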





That wraps up this section; you should now have a better understanding of the VCG source code analysis tool.
In particular, when it comes to interpreting the scan report, the various view options should help users find problems more easily, and the tool even suggests fixes.

Although this source code analysis tool is freeware, its functionality and accuracy are no worse than commercial tools that easily cost millions; the only difference is probably that commercial tools provide more polished charts and test reports, which a free tool naturally cannot match.

That is all for today. I hope everyone got something out of it. See you next time~ Bye!

~ See you ~

Reference:
http://sourceforge.net/projects/visualcodegrepp/