Tool Release: Code Query (cq)

Code Query is a new, open source universal code security scanning tool.

CQ scans code for security vulnerabilities and other items of interest to security-focussed code reviewers. It writes text files containing references to the issues it finds into an output directory. These output files can then be reviewed, filtered with Unix command-line tools such as grep, or used as a means to ‘jump’ into the codebase at the specified file:line reference.

One popular mode of use is to treat the output files as a ‘todo’ list: each reference is deleted as it is reviewed, either because it is considered a false positive or after it has been copied into a report file, to be reviewed in detail or to provide the basis for a bug report.
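
The todo-list workflow above, sketched as shell helpers. This is an added example, not part of cq: it assumes each output line begins with a `path:line:` reference, and the function names, file names and sample findings are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for a findings file used as a todo list.
# Assumption: each line starts with "path:line:" (the post only says file:line).

# Print the lines of file $1 whose reference is exactly $2 (e.g. src/auth.c:12).
# Matching on "ref:" as a prefix keeps src/auth.c:12 from matching src/auth.c:120.
cq_match() {
    awk -v ref="$2:" 'index($0, ref) == 1' "$1"
}

# Rewrite file $1 without the lines whose reference is exactly $2.
cq_drop() {
    tmp="$1.tmp.$$"
    awk -v ref="$2:" 'index($0, ref) != 1' "$1" > "$tmp" && mv "$tmp" "$1"
}

# False positive: delete the reference from the todo file.
cq_dismiss() {
    cq_drop "$1" "$2"
}

# Worth a closer look: copy the reference into report file $2, then delete it.
cq_promote() {
    cq_match "$1" "$3" >> "$2" && cq_drop "$1" "$3"
}

# Number of references still awaiting review.
cq_remaining() {
    awk 'END { print NR }' "$1"
}

# Constructed sample findings (not real cq output).
cq_sample() {
    cat > "$1" <<'EOF'
src/auth.c:12: strcpy(user, input);
src/auth.c:120: memcpy(buf, src, len);
src/db.php:7: $q = "SELECT * FROM t WHERE id=" . $_GET["id"];
test/fixture.c:3: strcpy(a, "const");
EOF
}

dir=$(mktemp -d)
cq_sample "$dir/todo.txt"
cq_promote "$dir/todo.txt" "$dir/report.txt" "src/auth.c:12"
cq_dismiss "$dir/todo.txt" "test/fixture.c:3"
echo "remaining: $(cq_remaining "$dir/todo.txt")"
rm -rf "$dir"
```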

The tool is extremely basic, largely manual, and assumes deep knowledge of application security vulnerabilities and code review. It does, however, have the advantages of being relatively fast and reliable, and working even when only partial code is available.

CQ is intended to be used in a security code review context by human experts. It is not intended for use in automated scenarios, although it might be applied in that context.

The CQ project is located at: https://github.com/nccgroup/cq
