New in VisualCodeGrepper 1.6.1.0 (May 23, 2014)
- New features:
- Improvements to GUI
- Graph display is optional
- Reminder to select required language before scanning
- Scan for dangerous use of parse_str in PHP
- Bugfixes:
- Some improvements to detection of signed/unsigned comparisons in C/C++ (this still returns some false positives)
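The parse_str check above flags a specific PHP pattern: parse_str() called with a single argument writes every decoded key straight into the current scope as a variable (the behaviour PHP deprecated in 7.2 and removed in 8.0 by making the second parameter mandatory), so an attacker-controlled query string can overwrite variables the script has already set. The detector below is an added example written for this page, not VCG's own code: it scans a constructed PHP sample, splits each call's argument list while respecting nested calls and string literals, and reports one-argument calls, rating them High when the input comes from a request superglobal and Medium otherwise (severity labels are chosen for the example).

```python
import re

# Constructed sample PHP source written for this example; it is not code
# from the VCG page or project. Findings are reported by line number.
SAMPLE_PHP = """<?php
// Safe: the decoded pairs land in a local array.
parse_str($_SERVER['QUERY_STRING'], $params);
// Dangerous: with one argument every key in the query string becomes a
// variable in the current scope, which behaves like register_globals.
parse_str($_SERVER['QUERY_STRING']);
parse_str($_GET['opts']);
$is_admin = false;
parse_str(http_build_query(['a' => 1, 'b' => 2]), $out);
parse_str( $input );
"""

CALL = re.compile(r'\bparse_str\s*\(')
SUPERGLOBAL = re.compile(r'\$_(GET|POST|REQUEST|COOKIE|SERVER)\b')


def split_call_args(src, open_paren):
    """Split the argument list of the call whose '(' is at src[open_paren].

    Tracks nested brackets and PHP string literals, so a comma inside a
    string or a nested call is not treated as an argument separator.
    Returns (args, index_of_closing_paren), or (None, -1) if unterminated.
    """
    args, cur, depth, quote = [], [], 1, None
    i = open_paren + 1
    while i < len(src):
        c = src[i]
        if quote:                          # inside a string literal
            cur.append(c)
            if c == '\\' and i + 1 < len(src):
                cur.append(src[i + 1])     # keep the escaped character
                i += 1
            elif c == quote:
                quote = None
        elif c in '\'"':
            quote = c
            cur.append(c)
        elif c in '([{':
            depth += 1
            cur.append(c)
        elif c in ')]}':
            depth -= 1
            if depth == 0:                 # closing paren of parse_str(...)
                args.append(''.join(cur).strip())
                return [a for a in args if a], i
            cur.append(c)
        elif c == ',' and depth == 1:      # top-level argument separator
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return None, -1


def find_dangerous_parse_str(src):
    """Report parse_str() calls that omit the result-array argument.

    Severity is High when the parsed string comes straight from a request
    superglobal, Medium otherwise (the source still needs a manual look).
    """
    findings = []
    for m in CALL.finditer(src):
        args, _ = split_call_args(src, m.end() - 1)
        if args is None or len(args) != 1:
            continue                       # two args is the safe form
        line = src.count('\n', 0, m.start()) + 1
        tainted = SUPERGLOBAL.search(args[0]) is not None
        findings.append({
            'line': line,
            'severity': 'High' if tainted else 'Medium',
            'arg': args[0],
        })
    return findings


if __name__ == '__main__':
    for f in find_dangerous_parse_str(SAMPLE_PHP):
        print(f"{f['severity']:6} line {f['line']:3}: parse_str({f['arg']}) "
              "has no result array; parsed keys become local variables")
```

Like any grep-style check, this reports a call that sits in commented-out code too, so each hit still needs a reviewer's eye; the fix in every case is the same, pass a result array as the second argument and read values from it.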
New in VisualCodeGrepper 1.5.1 (Jun 10, 2013)
- New features:
- New facility to scan VB code (including ASP.NET code).
- Additional checks in Java scan:
- Unsafe usage of doPrivileged blocks.
- Unsafe use of RequestDispatcher.
- Entity Expansion deliberately enabled.
- Mathematical operations on primitive data types, including the use of user-controlled variables in such operations (risk of overflow).
- Checking that filestream resources are released correctly in try ... catch blocks.
- Additional checks for default error messages and .NET debugging in the web.config file for C# and VB code.
- Bugfixes:
- Improvements to the check for insecure use of Response.Redirect in ASP code.
- Fixes to the check for case-insensitive password matching in ASP C# code.
- Some improvements to the GUI:
- Menu items for scanning the code only enabled when target files are loaded.
- Colour coding added to 'Standard Level' issues to aid readability and to stop this section appearing as a block of black text.
- Fix to broken regex in Java scan.
New in VisualCodeGrepper 1.5.0 (May 31, 2013)
- New features:
- New facility to scan VB code (including ASP.NET code).
- Additional checks in Java scan:
- Unsafe usage of doPrivileged blocks.
- Unsafe use of RequestDispatcher.
- Entity Expansion deliberately enabled.
- Mathematical operations on primitive data types, including the use of user-controlled variables in such operations (risk of overflow).
- Checking that filestream resources are released correctly in try ... catch blocks.
- Additional checks for default error messages and .NET debugging in the web.config file for C# and VB code.
- Bugfixes:
- Improvements to the check for insecure use of Response.Redirect in ASP code.
- Fixes to the check for case-insensitive password matching in ASP C# code.
- Some improvements to the GUI:
- Menu items for scanning the code only enabled when target files are loaded.
- Colour coding added to 'Standard Level' issues to aid readability and to stop this section appearing as a block of black text.
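The web.config check listed for C# and VB scans looks for two production misconfigurations: `<compilation debug="true">`, which deploys a debug build (verbose stack traces, no request timeout), and `<customErrors mode="Off">`, which sends ASP.NET's detailed error page, stack trace and source context included, to every remote client. The following is an added example written for this page, not VCG's code: it parses two constructed web.config fragments, the weak one beside its hardened counterpart, and reports the offending elements (severity labels are chosen for the example).

```python
import xml.etree.ElementTree as ET

# Two constructed web.config fragments written for this example; neither
# is taken from the VCG page or project.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
"""


def audit_web_config(xml_text):
    """Return (severity, element, message) findings for a web.config."""
    root = ET.fromstring(xml_text)
    findings = []

    # <compilation debug="true"> ships a debug build: verbose stack traces
    # and no request execution timeout. It must be "false" in production.
    # iter() finds the element wherever it sits, including <location> blocks.
    for comp in root.iter('compilation'):
        if comp.get('debug', 'false').strip().lower() == 'true':
            findings.append(('High', 'compilation',
                             'debug="true" enables .NET debugging in production'))

    # <customErrors mode="Off"> sends the default ASP.NET error page, with
    # stack trace and source context, to every remote client.
    custom = list(root.iter('customErrors'))
    if not custom:
        findings.append(('Low', 'customErrors',
                         'not set; relies on the machine-level default '
                         'instead of an explicit mode'))
    for ce in custom:
        if ce.get('mode', '').strip().lower() == 'off':
            findings.append(('High', 'customErrors',
                             'mode="Off" exposes default error messages to remote clients'))
    return findings


if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_WEB_CONFIG), ('hardened', HARDENED_WEB_CONFIG)):
        print(f"{label}: {audit_web_config(cfg) or 'no findings'}")
```

The hardened fragment keeps `mode="RemoteOnly"` rather than `On` so developers still see full errors on localhost, and `defaultRedirect` points at a static page so a failing error handler cannot itself leak details.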
New in VisualCodeGrepper 1.4.3 (Apr 16, 2013)
- Important bug fix
- There is a very important update to eliminate a bug which resulted in false positives and false negatives in the buffer overflow detection for C++ code. You should use the latest version for any C++ scans. There are some additional searches for weak ciphers.
New in VisualCodeGrepper 1.4.2 (Mar 25, 2013)
- Fix for a bug which prevented checkbox state from being correctly maintained for filtered results.
- C++ - Signed/Unsigned comparison has been modified to further reduce the number of false positives.
- Improved SQL injection detection in PL/SQL scan.
- "Transactional controls" now have a more appropriate rank and description for PL/SQL scan.
- Improved XSS detection in Java scan.
New in VisualCodeGrepper 1.4.1 (Feb 21, 2013)
- V1.4.1 fixes a major bug which prevented the XML export from working and minor bugs in the rich text results sorting.
New in VisualCodeGrepper 1.4.0 (Feb 12, 2013)
- UI changes:
- The application no longer loads new files immediately after clicking a directory in the list view. This should make things less annoying, remove a minor bug and allow you to select a previous directory and then modify it slightly without having to wait for files to load.
- Results can now be filtered by Severity.
- It is now possible to export both complete versions and filtered versions of results to XML.
- The listview/results table now allows items to be marked to assist in the review process. A checkbox is provided which highlights the item in green to allow marking of false positives, reviewed items, etc.
- Issues ranked as 'Low' are now shown in 'grey-blue' in the rich text display to distinguish them from issues ranked as 'Standard'.
- Bugfixes and improvements:
- C++ - Signed/Unsigned comparison has been modified to further reduce the number of false positives (possible further improvements to be made)
- Fix to remove false positives for 'Exception Throw in Destructor' in C++ scan.
New in VisualCodeGrepper 1.3.1.0 (Jan 29, 2013)
- some minor bugfixes to prevent '/*/' breaking the comment parsing
- reduce false positives in the detection of signed/unsigned comparisons for C/C++ code.
New in VisualCodeGrepper 1.3.0.0 (Jan 17, 2013)
- Major change:
- C# code can now be scanned
- Bugfixes and improvements:
- C++ - Signed/Unsigned comparison detection used to return false positives. This has been modified to reduce the number of blatant false positives but further improvements will be made in the near future.
- The Results window now shows any code included in the description in a different font for clarity (Courier New)
- There are some scanning improvements:
- C++ - The buffer overflow detection has undergone further improvements.
New in VisualCodeGrepper 1.2.0.0 (Dec 20, 2012)
- Changes and improvements include the following bugfixes:
- Fix to prevent issues when setting a new target directory - previously File=>New... was triggering an event in the drop down list of files causing reloading of directories.
- There are some scanning improvements:
- Java - Improved SQL injection scanning.
- Java - It should also now locate some potential deadlock conditions (this is not expected or meant to be comprehensive but it will find some of them)
- Other additions:
- The rich text in the main Results window can now be sorted on severity or filename.
- Improved export to/import from XML.
- Right-clicking an item in the summary table now allows a user to load the file in its associated application or load it at the given line number in Notepad++.
- The results summary table can now be sorted on multiple columns. Right-click and then choose the columns.
New in VisualCodeGrepper 1.1.0.0 (Dec 11, 2012)
- Improvements:
- All issues now start with default text to indicate their severity to make searches easier.
- Ctrl + F is now tied to the search function for the Results pane.
- There are some scanning improvements:
- Java - I've made some changes to the XSS scanning so it should now catch a type of occurrence that it was missing before (it worked against obvious examples in my test file)
- Java - It should also now locate some potential race conditions (this is not expected or meant to be comprehensive but it will find some of them)
- Java - Reports large synchronized blocks of code to help reduce risk of unnecessary locking of resources.
- C++ - It now recognizes signed/unsigned comparisons
- Other additions:
- More shortcut keys: F5 or Ctrl+R = Scan
- Results can be exported to/imported from XML (not that useful at the moment but it's there if you want it :-) )
- Double clicking an item in the summary table loads the file in its associated application
- You can now report by severity (only show items higher than standard or higher than low, etc.) There's a drop-down list in the options screen for this
- GUI modification to show a progress bar when loading files and saving results in order to improve user experience.
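The signed/unsigned comparison check introduced in 1.1.0.0 and tuned for false positives in every C/C++ release since (1.3.0.0, 1.3.1.0, 1.4.0, 1.4.2, 1.6.1.0) targets the classic signedness bug, and the reason it is hard to get right syntactically is that a mixed-sign comparison is sometimes dangerous and sometimes safe by accident. The C below is an added example written for this page, not VCG's code; it models three shapes of the bound check that guards a memcpy into a hypothetical 64-byte buffer (`BUF_SIZE` is an assumed name) and shows, without copying anything, which length each one lets through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 64   /* size of the hypothetical destination buffer */

/* Each function models the bound check guarding memcpy(buf, src, len) into
   a BUF_SIZE byte buffer. It returns true when the check accepts the
   request and stores in *copy_len the size that would reach memcpy.
   Nothing is copied, so absurd sizes can be inspected safely. */

/* Form 1: a signed length checked against a signed bound. A negative len
   passes (-1 > 64 is false) and is converted to size_t only at the memcpy
   sink, where it becomes SIZE_MAX. This is the classic signedness bug. */
bool accept_signed_bound(int len, size_t *copy_len)
{
    if (len > BUF_SIZE)
        return false;
    *copy_len = (size_t)len;
    return true;
}

/* Form 2: the shape a signed/unsigned comparison check flags. The usual
   arithmetic conversions turn len into size_t before comparing, so -1
   becomes SIZE_MAX and is rejected. Safe by accident, and the reason a
   purely syntactic check reports false positives. */
bool accept_mixed_sign(int len, size_t *copy_len)
{
    if (len > (size_t)BUF_SIZE)   /* gcc -Wsign-compare warns here */
        return false;
    *copy_len = (size_t)len;
    return true;
}

/* Form 3: the fix. Reject negative lengths explicitly, then compare in one
   type, so the intent is visible to both reader and tool. */
bool accept_checked(int len, size_t *copy_len)
{
    if (len < 0 || (size_t)len > BUF_SIZE)
        return false;
    *copy_len = (size_t)len;
    return true;
}

/* Helpers: does form f accept len and pass exactly expect bytes on, or
   reject it outright? */
bool accepts_with(bool (*f)(int, size_t *), int len, size_t expect)
{
    size_t n = 0;
    return f(len, &n) && n == expect;
}

bool rejects(bool (*f)(int, size_t *), int len)
{
    size_t n = 0;
    return !f(len, &n);
}

int main(void)
{
    const int samples[] = { -1, 10, 64, 65 };
    bool (*forms[])(int, size_t *) = { accept_signed_bound, accept_mixed_sign, accept_checked };
    const char *names[] = { "signed bound", "mixed sign", "checked" };

    for (size_t f = 0; f < 3; f++) {
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
            size_t n = 0;
            bool ok = forms[f](samples[i], &n);
            printf("%-13s len=%3d -> %s", names[f], samples[i], ok ? "accepted" : "rejected");
            if (ok)
                printf(", memcpy would get %zu bytes", n);
            putchar('\n');
        }
    }
    return 0;
}
```

Form 1 is what the reviewer actually wants found, yet it contains no mixed-sign comparison at all; form 2 is what a mixed-sign check reports, yet the promotion happens to reject the negative value. A tool working from syntax alone therefore needs the data flow from the comparison to the size_t sink, or a human, to tell them apart.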