
Source Code Scanning

CodeWatch scans source code, and in some cases compiled code, for vulnerabilities. It can scan for things like SQL injection, command injection, XML injection, LDAP injection, Cross-Site Scripting (XSS), disclosure of sensitive information, and Denial-of-Service (DOS) issues to name a few.

This is a very, very, poor man's Veracode. If you need a high level of accuracy and features I suggest you look at Veracode.

Check it out! Create an account and get started today by registering here


Why Free?

For many reasons. This is not a commercial grade tool. It is something I did in my spare time for fun as I have an interest in application security. I am a penetration tester by trade and do not consider myself a developer. If you are a developer and looked at my code you would probably vomit on your screen. I did, however, believe that other people might find this useful as a free tool, and that in offering it for free I would receive a lot of great feature requests and improve it as a whole. I expect heavy criticism, which is fine because there are a lot of things that could be done better. So I welcome feedback.

CodeWatch is a web management interface and backend processor for Yasca. This is a great open source tool that makes it easy to integrate multiple open source scanning tools, and closed source scanning tools if you like, into one engine. I have contributed to the project in the past and would love to contribute now but responses from the project owner have gone cold. I'm not sure it is still actively maintained and have considered forking the project and maintaining the fork so that it will live on.

Some of the plugins we have implemented include, but are not limited to: Antic, Brakeman, ClamAV, Clang, CppCheck, DependencyChecker, FlexPMD, PMD, FindBugs, and Gendarme. The plugins provide coverage for C, C++, .NET, Java, Ruby on Rails, Flash, PHP, and several other languages.

Future Enhancements

Sort/Exclude by File Path

Currently, sorting can be done by category, severity, file name, ID, and a few other options. It would be great to sort based on the path to the file for which a vulnerability was identified.

Ditto for exclusions. Possibly even more helpful for exclusions.

Search

This is kind of a no-brainer. There is no search functionality at the moment. It would be great to search based on set criteria.

Searching will probably be by project and as a whole across all projects at some point.

Project Comparisons

Compare multiple scans of the same code base. This could be a one to one comparison, or a one to many.

Trending and reporting on the changes between scans would be great. This could help with identifying progress or weak areas.

PDF Reports

PDF reports along the same lines as the current HTML report. People love them some PDF reports.

The reports and capabilities within them could be better in general. More charts, better information, and filtering would be great.

Warranty & Support

None. Just kidding. In all seriousness, this is a free service and I cannot guarantee that it will always be available or that your data will not be lost at some point. I make weekly backups of configuration files, app files, and the database, try to take backups of each VM when significant changes are made, and have done my best to write the application securely and harden the systems, but I have a day job and this is not it. There is no explicit, implicit, or implied warranty. I do, however, welcome any donations of time, money, hardware, or other services that will make this a more reliable service.

The system is currently running on fairly outdated commodity hardware. However, the hardware is using battery-backed RAID, dual power supplies, dual redundant NICs, and I have backup HDs, memory, processors, and other miscellaneous parts. So hopefully, with the hardware in place and backups, there won't be any significant outages or loss of data.

Any support issues for the app should be directed at support [at] codewatch.org. I will resolve issues and add requested features and enhancements as time permits. Again, it could take a while.

Why use CodeWatch on Your App