VisualCodeGrepper (VCG)

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


VisualCodeGrepper (VCG) is a code scanning tool and scans code for vulnerabilities or possible vulnerabilities. Among other things VCG shows comments like ToDo or FixMe as possible vulnerabilities, detects some known vulnerabilities like format string and it has a config file that allows you to add any bad functions. After the scan VCG generates a pie chart and shows you the logs. For a better overview VCG uses a color code. VCG supports the following languages: C/C++, Java, C#, VB, PL/SQL, PHP, COBOL and is free to use and open source (GNU General Public License).


I recommend reading the readme file from the git repository as it contains more information.


Step 1

Clone the git repository and navigate to the folder Release (VCG/VCG-Setup/Release/). Now run the setup.exe file. After the installation process Grepper should start the application or you can find and run the VisualCodeGrepper app on your computer.

Step 2

VCG will show you the warning that you have to select a language before scanning. Confirm this with ok and you will see the GUI of Grepper.

Click Settings in the navigation bar, here you can change the language to the project language of the project you want to scan.

Step 3

Then click File and select New Target Directory... or use the keyboard shortcut Strg+N. Select the folder with the code files you want to scan. Now you should see the path to your code in the Grepper user interface.

Step 4

Click Scan in the navigation bar, and then click Full Scan (Note: Some types of scans are listed here. For example, if you want to scan for comments only, you can select Scan Comments Only, and so on). VCG asks you if you want to see visual breakdowns, and then shows you a pie chart and table of information from the scan.