In most application source code vulnerability assessments, the assessor receives a large number of source files and performs vulnerability diagnostics on them. Most assessments combine static diagnosis using a source vulnerability diagnosis tool such as Fortify with dynamic manual diagnosis by a professional consultant. Because it is quite difficult to review large amounts of source code by eye during manual diagnosis, it is common to rely on a few useful tools.
1. String Search Tool
These tools search for specific strings across many files. They provide, on Windows, functions like the grep command found on Unix and Linux.
I am sharing these because I think they are useful tools; if you know of better ones, please share them.
- AstroGrep 4.4.4: This tool is publicly available under the GNU license, so anyone can use it for free under its terms, and the source code is public and can be modified or developed further if necessary. Seeing that the current version (220.127.116.11) has been released as 4.4.4, you can guess that it is continuously updated and released. It is based on the .NET Framework, so the .NET Framework must be installed. As for features, the GUI is very simple and intuitive, so it is easy for anyone to use. It naturally supports Hangul, and it provides options such as searching within search results and setting exclusion strings. In particular, the upper window displays the list of matching files and the lower window shows the source lines that contain the search string; if necessary, double-click a file to open it in a separate editor and view the source in detail.
* Download: http://astrogrep.sourceforge.net/download/
- PowerGREP 4.7.0: Unfortunately, this is a commercial tool, so only a 15-day trial version can be downloaded; the 4.7 version number shows that it has been upgraded continuously. Since it is a commercial product, it provides many more functions than AstroGrep, so the GUI seems complicated, but you can work with only the most frequently used windows open. In particular, it provides a large number of libraries: it automatically offers basic search patterns as regular expressions according to the target files, which the user can modify before searching. For example, if you want to find only the e-mail addresses in the target files, it provides a regular expression such as \b[A-Z0-9._%+-]+@[A-Z0-9.-] ... \b, so it is a versatile tool.
* Download: http://www.powergrep.com/download.html
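The search features described above for AstroGrep and PowerGREP (regular-expression search across many files, exclusion strings, searching within results), as an added Python example that is not part of the original post or of either tool. The e-mail pattern, the file suffixes and the sample source files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed pattern (an assumption, not taken from the page): a simple e-mail matcher.
EMAIL = r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"

def search_tree(root, pattern, exclude=(), suffixes=(".java", ".php", ".c")):
    """Return (relative path, line number, line) for every line under root that
    matches pattern, skipping lines that contain any exclusion string."""
    rx = re.compile(pattern)
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        # errors="replace" keeps the scan going over files in legacy encodings
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if rx.search(line) and not any(x in line for x in exclude):
                hits.append((path.relative_to(root).as_posix(), no, line.strip()))
    return hits

def refine(hits, pattern):
    """Search within results: keep only hits whose line also matches pattern."""
    rx = re.compile(pattern)
    return [h for h in hits if rx.search(h[2])]

def demo():
    """Build a small constructed source tree and run both search passes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "web").mkdir()
        (root / "web" / "Mail.java").write_text(
            'String admin = "admin@corp.example";\n'
            'String doc = "someone@example.com"; // sample\n'
            'String pw = "s3cret"; // send to ops@corp.example\n',
            encoding="utf-8")
        (root / "notes.txt").write_text("root@corp.example\n", encoding="utf-8")
        hits = search_tree(root, EMAIL, exclude=("@example.com",))
        return hits, refine(hits, r"(?i)\bpw\b|password")

if __name__ == "__main__":
    all_hits, narrowed = demo()
    for path, no, line in all_hits:
        print(f"{path}:{no}: {line}")
    print("within results:", narrowed)
```

The exclusion string drops the documentation address, the suffix filter skips `notes.txt`, and the second pass narrows the e-mail hits to the line that also mentions a password variable.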
2. Flowchart Generation Tool
Source vulnerability diagnosis means visually checking many source files. The larger the code base, the more time it takes to read the source and understand its logic. A flowchart tool saves this time. These tools were originally used for a variety of other purposes, but they are also quite helpful for diagnosing source vulnerabilities. However, there are a few things to keep in mind when selecting one. Most important is that the tool supports the development language of the source you want to diagnose, because the supported languages differ slightly from tool to tool. The other is that if you do not check the tool's functions in detail, you may be disappointed to find that you have downloaded a tool for drawing flowcharts rather than one that generates a flowchart from source. ^^;; I would like to introduce some flowchart tools that were found via Google, downloaded, and tested.
- Visustin 7: Unfortunately, this is a commercial tool. It supports about 35 development languages, including ABAP, Ada, Ruby, SAS, Cobol, and Fortran in addition to the usual development languages. The GUI is also very well structured, so you can very easily understand the logic of the source. When you select a source file, it generates a flowchart in both summary and detailed form. The demo version can generate a flowchart for only one source file, while the commercial version can handle multiple source files. Among its other features, it can export the generated flowchart to MS Word or Visio, which can be very useful in some cases.
* Download: http://www.aivosto.com/shareware/visus710.zip
- Code Visual to Flowchart 2.0: This is also a commercial tool, and the demo version is limited to 30 uses. Supported development languages include Java, C, PHP and others. Like the other tools, it generates summary and detailed flowcharts, and it provides sample code for each supported language, so you can see how a flowchart will be displayed for other development languages. In addition, it can generate a flowchart not only for the entire source code but also for a specific selected area.
* Download: http://www.fatesoft.com/s2f/download/CodeVisual2FlowChart.exe