Forum OpenACS Development: Announcement: static source code analysis tool for OpenACS/NaviServer/AOLserver

1: Announcement: static source code analysis tool for OpenACS/NaviServer/AOLserver

Posted by Gustaf Neumann on 11/15/19 05:44 PM

Dear all,

Some of you might find this useful:

There was recently a commercial tool announced [1] that is able to scan the source code of Tcl/ADP pages for NaviServer/AOLserver (including OpenACS) for vulnerabilities. It uses a database with about hundred checks of dangerous function calls and vulnerabilities [2], which will probably grow with the time.

Since there is an increasing security awareness the number of security audits required by certain company policies goes up. Therefore it is important to have such tools around, especially due to the fact that there are many old and strongly adapted OpenACS sites out there. If you are running a website, or have developed some websites, you might be asked about such audits.

The developers seem quite competent and have an impressive list [3] of public vulnerabilities and CVEs.

-gn

Disclaimer: I have personally not used the tool, nor i have no relation at all to this company.

[1] https://voidsec.com/announcing-ecgs-closed-beta/
[2] https://ecg.voidsec.com/product.php
[3] https://voidsec.com/vulnerabilities-cve/

2: Re: Announcement: static source code analysis tool for OpenACS/NaviServer/AOLserver (response to 1)

Posted by Raul Rodriguez on 11/03/22 04:25 AM

Hi All,
This looks interesting and would like to know if anyone has tried it and where to get it.
The ecg.voidsec.com links did not work for me.

Thank you

3: Re: Announcement: static source code analysis tool for OpenACS/NaviServer/AOLserver (response to 2)

Posted by Gustaf Neumann on 11/03/22 10:22 AM

On June 13, the EGC website was still working:
https://web.archive.org/web/20210613135547/https://ecg.voidsec.com/

Have you tried to contact the author?
Maybe he is allowed to name you references.