RATS v2.3 - Rough Auditing Tool for Security

In: Code Auditing , Local auditing , RATS

10 November 2009

RATS (Rough Auditing Tool for Security), is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.

RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies. It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.

RATS is free software, under the terms of the GNU Public License.

Requirements

RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to specify —with-expat-lib and —with-expat-include options to configure so that it can find your installation of the library and header.
More Info: http://expat.sourceforge.net/

Usage

rats [-d ] [-h] [-r] [-w ] [-x] [file1 file2 ... filen]

-d Specifies a vulnerability database to be loaded. You may have multiple -d options and each database specified will be loaded.
-h Displays a brief usage summary
-i Causes a list of function calls that were used which accept external input to be produced at the end of the vulnerability report.
-l Force the specified language to be used regardless of filename extension. Currently valid language names are "c", "perl", "php" and "python".
-r Causes references to vulnerable function calls that are not being used as calls themselves to be reported.
-w Sets the warning level. Valid levels are 1, 2 or 3. Warning level 1 includes only default and high severity Level 2 includes medium severity. Level 2 is the default warning level 3 includes low severity vulnerabilities.
-x Causes the default vulnerability databases (which are in the installation data directory, /usr/local/lib by default) to not be loaded.

When started, RATS will scan each file specified on the command line and produce a report when scanning is complete. What vulnerabilities are reported in the final report depend on the data contained in the vulnerability database or databases that are used and the warning level in use.

For each vulnerability, the list of files and line numbers where it occurred is given, followed by a brief description of the vulnerability and suggested action.

More information: here

Post scriptum

Download Source tarball: rats-2.3.tar.gz

Download Win32 binary: rats-2.3-win32.zip

Compliance Mandates

Code Auditing :
PCI/DSS 6.3.6, 6.3.7, 6.6, SOX A12.8, GLBA 16CFR Part 314.4(b) and (2);FISMA RA-5, SC-18, SA-11 SI-2, and ISO 27001/27002 (12.4.1, 12.4.3, 12.5)

Code Auditing	10 May 2010 : WebTest 1.2.1 - Testing Web Application with Python 7 May 2010 : fuu v0.1 Beta - [F]aster [U]niversal [U]npacker 24 April 2010 : Security Ninja security tool announcement 22 April 2010 : OWASP Code Crawler v2.7 released 7 April 2010 : CWE/SANS Top 25 list updated to v1.0.3
Local auditing	11 May 2010 : iScanner v0.5 released - Malicious codes scanner 1 May 2010 : Sysinternal AccessChk v5.0 released 22 April 2010 : OpenSCAP v0.5.9 released 30 March 2010 : Buck Security - Checks for Debian Linux - v0.5 released 29 March 2010 : PDFResurrect v0.10 released
RATS	10 November 2009 : RATS v2.3 - Rough Auditing Tool for Security

RATS v2.3 - Rough Auditing Tool for Security

Post scriptum

Compliance Mandates

Related Articles

Follow us

Like us !

Most Read

Advertising

License

Categories

COMPANY

STANDARDS

RECENT POSTS

MENU