How to use the command line tool Graudit to find security vulnerabilities in your code

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

This article explains how to use the command-line tool Graudit to find security vulnerabilities in your code, walking through installation and a first scan so that readers can get started quickly.

With extensive language support, Graudit allows you to audit your code security during development.

Testing is an important part of the software development life cycle (SDLC), which has several stages. Today, I want to talk about how to find security problems in your code.

When developing software, you can't ignore security issues. This is why the term DevSecOps exists: its basic responsibility is to identify and resolve security vulnerabilities in applications. There are open source solutions that check for OWASP vulnerabilities and produce results by building a threat model from the source code.

There are different ways to deal with security problems, such as static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), software composition analysis and so on.

Static application security testing runs at the code level and analyzes the application by finding errors in the written code. This method does not need to run code, so it is called static analysis.

I'll focus on static code analysis and use an open source tool for real-world experience.

Why use open source tools to check code security?

There are many reasons to choose open source software, tools, and projects as part of development. It won't cost any money because you're using a tool developed by a like-minded developer community that wants to help other developers. If you have a small team or a startup, it's good to find open source software to check your code security. This reduces your costs by eliminating the need to hire a separate DevSecOps team.

Good open source tools always take flexibility into account, and they should be able to be used in any environment to cover as many situations as possible. This makes it easier for developers to connect the software to their existing systems.

But sometimes you may need a feature that is not available in the tool of your choice. In that case you can fork its code, build the missing functionality on top of it, and use the result in your own system.

Because open source software is usually community-driven, the pace of development is often a bonus for users of the tool: maintainers iterate on the project based on user feedback, issues, and bug reports.

Use Graudit to keep your code safe

There are a variety of open source static code analysis tools to choose from, but as you know, these tools analyze the code itself, which is why there is no single tool that covers all programming languages. Some of them, however, follow OWASP guidelines and cover as many languages as possible.

Here, we will use Graudit, a simple command-line tool that allows us to find security flaws in the code base. It supports different languages, but has a fixed signature set.

Graudit is built on grep, a GNU-licensed tool. Similar static code analysis tools include Rough Auditing Tool for Security (RATS), Securitycompass Web Application Analysis Tool (SWAAT), flawfinder, and others. Graudit has the lowest technical requirements of these and is very flexible. You may still have requirements that Graudit can't meet; if so, take a look at the other options in this list.

We can install this tool under a specific project, in a global location, under a specific user, or wherever we like; it is very flexible. Let's clone the repository first.

$ git clone https://github.com/wireghoul/graudit

Now we need to create a symbolic link for Graudit so that we can use it as a command.

$ mkdir -p ~/bin
$ ln --symbolic ~/graudit/graudit ~/bin/graudit

Add an alias to .bashrc (or any shell configuration file you use).

# .bashrc
alias graudit="~/bin/graudit"

Reload shell:

$ source ~/.bashrc   # or: exec $SHELL

Let's run this to check if the tool has been successfully installed.

$ graudit -h

If you get a result similar to this, then that's fine.

Figure 1 Graudit help page

I am using one of my existing projects to test this tool. To run the tool, we need to pass the database of the appropriate language. You will find these databases in the signatures folder.

$ graudit -d ~/graudit/signatures/js.db /path/to/project   # /path/to/project is a placeholder for the directory or files to scan

I ran it on two JavaScript files in the existing project, and you can see that it flags the vulnerable code in the console.

JavaScript file showing Graudit display of vulnerable code

You can try running this on one of your own projects; Graudit ships a long list of signature databases covering different languages.
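To show what a grep-driven scan like the one above actually does, here is a small Python re-implementation of the idea (an added example, not Graudit's own code): it loads a signature database assumed to be one regular expression per line with "#" comments, runs every pattern over each source line, and reports file, line number, the matching pattern and the source text. The signature set and the JavaScript sample are constructed for the example and are not Graudit's js.db or the author's project files.

```python
import re
from pathlib import Path

# Constructed signature set in Graudit's grep style (assumed format: one
# extended regex per line, '#' lines ignored); a stand-in for signatures/js.db.
SAMPLE_SIGNATURES = r"""
# constructed JavaScript sinks
\beval\s*\(
\.innerHTML\s*=
new\s+Function\s*\(
document\.write\s*\(
"""

# Constructed JavaScript source to scan; not from the original article.
SAMPLE_JS = """\
const cfg = JSON.parse(raw);
el.innerHTML = userInput;
const f = new Function("return " + s);
console.log(eval_count);
eval(req.query.code);
"""


def load_signatures(text):
    """Compile the non-empty, non-comment lines of a signature DB into regexes."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line))
    return patterns


def scan_text(name, text, patterns):
    """Return (file, line number, matching pattern, source line) for every hit.
    Reporting the pattern is what tells a reviewer *why* a line was flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in patterns:
            if pat.search(line):
                findings.append((name, lineno, pat.pattern, line.strip()))
                break  # like grep -n: one report per matching line
    return findings


def scan_files(paths, patterns):
    """Scan real files on disk, e.g. every *.js file under a project directory."""
    findings = []
    for path in paths:
        text = Path(path).read_text(errors="replace")
        findings.extend(scan_text(str(path), text, patterns))
    return findings


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_SIGNATURES)
    for name, lineno, pattern, src in scan_text("sample.js", SAMPLE_JS, sigs):
        print(f"{name}:{lineno}: [{pattern}] {src}")
```

Note that line 4 of the sample (`eval_count`) is not reported: the `\b` and `\(` in the signature keep a simple substring match from turning an identifier into a false positive, which is the kind of tuning a signature database needs.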

Advantages and disadvantages of Graudit

Graudit supports many languages, which makes it a good choice for users on many different systems. Because of its simple use and wide language support, it compares well with other free or paid tools. Most importantly, it is still under development and has a community that supports other users.

Although this is a convenient tool, you may find it hard to tell why a particular piece of code has been flagged as "vulnerable". Perhaps the developers will add this feature in future versions of the tool. Still, it is always good to keep security issues in your code in focus by using tools like this.

I only introduced one of the many types of security testing: static application security testing. It's easy to start with static code analysis, but this is just the beginning. You can add other types of application security tests to your application development pipeline to enrich your overall security awareness.
