2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This article introduces how to use the command-line tool Graudit to find security vulnerabilities in code. Many people have questions about how to do this in day-to-day work, so the editor has consulted a range of material and put together a simple, practical procedure. Follow along with the editor to work through it.
Why use open source tools to check code security?
There are many reasons to choose open source software, tools, and projects as part of your development process. They cost nothing, because you are using a tool built by a community of like-minded developers who want to help other developers. If you have a small team or a startup, open source software is a good way to check the security of your code: it reduces costs by removing the need to hire a separate DevSecOps team.
Good open source tools are designed with flexibility in mind; they should be usable in any environment and cover as many situations as possible. This makes it easier for developers to connect the software to their existing systems.
Sometimes you may need a feature that the tool of your choice does not provide. In that case you can copy its code, build your own functionality on top of it, and use the result in your own system.
Because open source software is usually community-driven, development speed is often a bonus for users of the tool: maintainers iterate on the project based on user feedback, issues, and bug reports.
Use Graudit to keep your code safe
There are many open source static code analysis tools to choose from, but these tools analyze the source code itself, which is why no single tool covers every programming language. Some of them follow OWASP guidelines and cover as many languages as possible.
Here we will use Graudit, a simple command-line tool that lets us find security flaws in a code base. It supports different languages, but works from a fixed set of signatures.
Graudit is built on grep, a tool released under the GNU license. Similar static code analysis tools include Rough Auditing Tool for Security (RATS), Securitycompass Web Application Analysis Tool (SWAAT), flawfinder, and so on. Graudit has the lowest technical requirements of these and is very flexible. You may still have requirements that Graudit cannot meet; if so, take a look at the other options in this list.
We can install this tool under a specific project, in a global namespace, under a specific user, or wherever we like; it is very flexible. Let's clone the repository first.
$ git clone https://github.com/wireghoul/graudit
Now we need to create a symbolic link for Graudit so that we can use it as a command.
$ mkdir -p ~/bin
$ ln --symbolic ~/graudit/graudit ~/bin/graudit
Add an alias to .bashrc (or any shell configuration file you use).
# ~/.bashrc
alias graudit="~/bin/graudit"
Reload the shell:
$ source ~/.bashrc   # or: exec $SHELL
Let's run this to check if the tool has been successfully installed.
$ graudit -h
If you get a result similar to this, then that's fine.
Figure 1 Graudit help page
I am using one of my existing projects to test this tool. To run the tool, we need to pass it the signature database for the appropriate language. You will find these databases in the signatures folder.
$ graudit -d ~/graudit/signatures/js.db <path-to-project>
I ran it on two JavaScript files in the existing project, and you can see that it prints the vulnerable code in the console.
JavaScript file showing Graudit display of vulnerable code
You can try running this on one of your own projects; the tool ships with a long list of signature databases to support different languages.
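To make the output of a signature-based scan easier to interpret, here is an added example (not from the article and not Graudit's own code) that re-creates the core of a grep-driven audit: a constructed JavaScript signature list, a constructed two-file project, and helpers that report the flagged lines and the files needing review. The signature file format (one extended regex per line) and the patterns are assumptions, not Graudit's real js.db.

```shell
#!/bin/sh
# Minimal grep-based scanner in the style of Graudit (added example, not the
# project's code). Everything below is constructed inline so it runs offline.
set -eu

WORK=$(mktemp -d)

# Constructed signature database: the kind of patterns a JavaScript
# signature set might hold (assumption, not the real signatures/js.db).
cat > "$WORK/js.db" <<'EOF'
(^|[^A-Za-z0-9_])eval[[:space:]]*\(
innerHTML[[:space:]]*=
new[[:space:]]+Function[[:space:]]*\(
document\.write[[:space:]]*\(
EOF

# Constructed sample project: one file with risky sinks, one clean file.
mkdir -p "$WORK/src"
cat > "$WORK/src/render.js" <<'EOF'
function show(el, data) {
  el.innerHTML = data;            // untrusted data written as markup
  return eval("(" + data + ")");  // dynamic code execution
}
EOF
cat > "$WORK/src/util.js" <<'EOF'
function add(a, b) { return a + b; }
EOF

# scan DB DIR: print file:line:content for every signature hit, which is
# what a grep-driven tool shows you and what you then review by hand.
scan() {
  grep -rnE -f "$1" "$2" || true
}

# count_findings DB DIR: number of flagged lines (usable as a CI gate).
count_findings() {
  scan "$1" "$2" | wc -l | tr -d ' '
}

# files_with_findings DB DIR: distinct files that need manual review.
files_with_findings() {
  grep -rlE -f "$1" "$2" | sort
}

scan "$WORK/js.db" "$WORK/src"
```

Each reported line is only a pattern match; the reviewer still has to decide whether the data reaching that sink is attacker-controlled.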
Advantages and disadvantages of Graudit
Graudit supports many languages, which makes it an ideal choice for users on many different systems. Because it is simple to use and has wide language support, it compares well with other free or paid tools. Most importantly, it is still under development, and the community supports other users.
Although this is a convenient tool, you may find it difficult to tell why a particular piece of code has been flagged as "vulnerable". Perhaps the developers will add this capability in future versions of the tool. Even so, it is always good to keep security issues in your code in focus by using tools like this.
This concludes the study of "how to use the command line tool Graudit to find security vulnerabilities in the code". I hope it has answered your questions. Combining theory with practice helps you learn better, so go and try it! If you want to keep learning, please continue to follow the website; the editor will keep working to bring you more practical articles.