VisualCodeGrepper: The Legacy SAST Tool That Scans COBOL and Classic ASP When Nothing Else Will
Hook
When a Fortune 500 bank needs to audit 20 million lines of COBOL before a mainframe migration, modern SAST tools suddenly go silent. That's where a 2016-era Visual Basic tool becomes unexpectedly irreplaceable.
Context
Before the era of automated CI/CD security gates and container-native scanning, security consultants needed fast, practical tools to triage client codebases during time-boxed engagements. VisualCodeGrepper emerged from NCC Group—a respected security consultancy—as a pragmatic answer to a specific problem: how do you quickly identify obvious security anti-patterns across diverse legacy languages when you have days, not weeks, for a manual code review?
The security scanning landscape of the mid-2010s was fragmented. Commercial tools were expensive and often Windows-only anyway. Open-source alternatives like RATS or Flawfinder focused narrowly on C/C++. Meanwhile, consultants were walking into enterprises running PL/SQL stored procedures, Classic ASP web applications, and COBOL batch processors—sometimes all in the same engagement. VCG filled the gap as a Swiss Army knife for legacy code security review, prioritizing breadth of language support and low false-positive rates over deep semantic analysis. It was never meant to replace comprehensive security testing; it was designed to guide human experts toward the most suspicious code sections when time and budget were constrained.
Technical Insight
VisualCodeGrepper's architecture reveals a thoughtful balance between simplicity and effectiveness. At its core, it employs a hybrid scanning approach: regex-based pattern matching against language-specific configuration files containing known dangerous functions, combined with hardcoded semantic checks for specific vulnerability classes like buffer overflows and signed/unsigned comparison issues.
The language configuration files are the tool's secret weapon. Each supported language (C/C++, Java, C#, VB.NET, PL/SQL, PHP, COBOL) has an XML config defining dangerous function lists, comment markers, and syntax rules. For example, the C/C++ config flags functions like strcpy, gets, and sprintf while the PHP config watches for eval, system, and SQL concatenation patterns. This modular approach means adding coverage for a new dangerous API is a configuration change, not a code change.
Here's what a simplified check pattern might look like conceptually (VB.NET, since that is the language VCG itself is written in):
' Pseudocode representation of VCG's checking logic.
' LanguageConfig, Issue, IsComment and IsWhitespace stand for the tool's own
' config and line-classification helpers; they are not spelled out here.
Imports System.Text.RegularExpressions

Function ScanForDangerousFunctions(codeLines As String(), langConfig As LanguageConfig) As List(Of Issue)
    Dim issues As New List(Of Issue)
    Dim currentLineNum As Integer = 0
    For Each line In codeLines
        currentLineNum += 1
        ' Skip comments and whitespace so that commented-out code is never flagged
        If IsComment(line) OrElse IsWhitespace(line) Then Continue For
        ' Check against configured dangerous function patterns
        For Each pattern In langConfig.DangerousPatterns
            If Regex.IsMatch(line, pattern.Regex) Then
                issues.Add(New Issue With {
                    .Severity = pattern.Severity,
                    .Title = pattern.Description,
                    .LineNumber = currentLineNum,
                    .CodeFragment = line
                })
            End If
        Next
    Next
    Return issues
End Function
What makes VCG distinctive is its preprocessing intelligence. Before pattern matching begins, the tool parses each file to categorize every line as code, comment, or whitespace. This prevents the classic SAST problem of flagging dangerous patterns in commented-out code or documentation. The parser understands multi-line comments, string literals, and language-specific syntax quirks—a non-trivial feat across seven different languages.
The tool's buffer overflow detection demonstrates its semantic analysis layer. Rather than just flagging every strcpy call, VCG attempts basic bounds checking by examining surrounding code for buffer size declarations and source data lengths. It's rudimentary compared to modern data flow analysis but significantly reduces false positives:
#include <string.h>

// VCG would flag this - no bounds checking
void unbounded_copy(const char *userInput) {
    char buffer[10];
    strcpy(buffer, userInput);
}

// VCG would NOT flag this - bounded alternative used and the terminator is written explicitly
void bounded_copy(const char *userInput) {
    char buffer[10];
    strncpy(buffer, userInput, sizeof(buffer) - 1);
    buffer[sizeof(buffer) - 1] = '\0';
}

// VCG would STILL flag this - strncpy usage but no null termination check
void bounded_without_terminator(const char *userInput) {
    char buffer[10];
    strncpy(buffer, userInput, sizeof(buffer));
}
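The three cases above can be separated by a heuristic that looks back for the destination buffer's declaration and forward for an explicit terminator. The following Python is an added example written for this article, not VCG's code; its regexes, the look-ahead window and the severities are assumptions:

```python
import re

# Regexes for the few C shapes this heuristic understands (constructed for this
# example; VCG's own matching rules are not reproduced here).
DECL = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")
STRCPY = re.compile(r"\bstrcpy\s*\(\s*(\w+)\s*,")
STRNCPY = re.compile(r"\bstrncpy\s*\(\s*(\w+)\s*,[^,]*,\s*(.+)\)\s*;")
TERMINATOR = re.compile(r"\b(\w+)\s*\[[^\]]+\]\s*=\s*'\\0'")

def terminates(line, dst):
    """True if the line explicitly writes a NUL into dst, e.g. dst[sizeof(dst) - 1] = '\\0';"""
    t = TERMINATOR.search(line)
    return bool(t) and t.group(1) == dst

def check_copies(lines, window=3):
    """Judge each strcpy/strncpy against the destination's declared size; a full-size
    strncpy is accepted only if an explicit terminator follows within `window` lines.
    Returns (lineno, severity, message) tuples."""
    sizes, findings = {}, []
    for n, line in enumerate(lines, 1):
        for name, size in DECL.findall(line):          # remember char name[N];
            sizes[name] = int(size)
        if m := STRCPY.search(line):                    # strcpy carries no bound at all
            findings.append((n, "HIGH", f"strcpy into {m.group(1)} with no bounds check"))
            continue
        if not (m := STRNCPY.search(line)):
            continue
        dst, length = m.group(1), m.group(2).replace(" ", "")
        if dst not in sizes:
            findings.append((n, "MEDIUM", f"strncpy into {dst}: declared size not found"))
        elif length in (f"sizeof({dst})-1", str(sizes[dst] - 1)):
            pass                                        # leaves room for the terminator
        elif length in (f"sizeof({dst})", str(sizes[dst])):
            if not any(terminates(l, dst) for l in lines[n:n + window]):
                findings.append((n, "MEDIUM", f"strncpy fills {dst} with no null termination"))
        else:
            findings.append((n, "LOW", f"strncpy into {dst}: length {length} not tied to its size"))
    return findings

# Constructed sample: the three cases from the text, one after another.
SAMPLE = [
    "char buffer[10];",
    "strcpy(buffer, userInput);",                       # flagged: no bound
    "strncpy(buffer, userInput, sizeof(buffer) - 1);",  # not flagged
    "buffer[sizeof(buffer) - 1] = '\\0';",
    "strncpy(buffer, userInput, sizeof(buffer));",      # flagged: no terminator follows
]
```

check_copies(SAMPLE) flags line 2 (strcpy) and line 5 (full-size strncpy with nothing terminating it afterwards) and passes line 3; a full-size strncpy followed by an explicit terminator within the window is also passed.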
The GUI presents results with color-coded severity levels (red for critical, yellow for medium, green for low) and an unusual but useful feature: pie chart visualizations showing code composition. You can instantly see that a codebase is 40% comments, 30% whitespace, 25% actual code, and 5% flagged security issues—valuable context for prioritizing review efforts.
Perhaps VCG's most underappreciated feature is comment analysis. It scans for keywords like TODO, FIXME, HACK, and WORKAROUND as potential security indicators. The reasoning: comments marking incomplete or problematic code often sit next to actual vulnerabilities. A "TODO: validate input" comment might be more security-relevant than the benign code it annotates. This heuristic reflects NCC Group's consultant experience—real-world vulnerabilities cluster around technical debt markers.
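To show how the per-language config (dangerous-function list plus comment markers), the code/comment/whitespace classification and the debt-marker heuristic fit together, here is an added Python example; it is not VCG's code, and the config entries, severities and sample file are constructed for this example:

```python
import re
# Constructed stand-in for one of VCG's per-language XML configs; the entries
# and severities are assumptions for this example, not VCG's own lists.
C_CONFIG = {
    "line_comment": "//", "block_comment": ("/*", "*/"),
    "dangerous": [(r"\bstrcpy\s*\(", "HIGH", "unbounded string copy"),
                  (r"\bgets\s*\(", "HIGH", "gets() cannot bound its input")],
    "debt_markers": r"\b(TODO|FIXME|HACK|WORKAROUND)\b",
}

def split_code_and_comment(source, cfg):
    """Yield (lineno, code, comment) per line, tracking block comments and string literals."""
    lc, (bo, bc), in_block = cfg["line_comment"], cfg["block_comment"], False
    for lineno, line in enumerate(source.splitlines(), 1):
        code, comment, i, quote = [], [], 0, None
        while i < len(line):
            ch = line[i]
            if in_block:                                   # inside /* ... */
                if line.startswith(bc, i): in_block, i = False, i + len(bc)
                else: comment.append(ch); i += 1
            elif quote:                                    # inside a string literal
                if ch == "\\": i += 2; continue            # skip the escaped char
                if ch == quote: code.append(ch); quote = None
                i += 1                                     # string contents are dropped
            elif line.startswith(bo, i):
                in_block, i = True, i + len(bo)
            elif line.startswith(lc, i):
                comment.append(line[i:]); break
            else:
                quote = ch if ch in "\"'" else None
                code.append(ch); i += 1
        yield lineno, "".join(code), "".join(comment)

def scan(source, cfg):
    """Dangerous APIs are matched against code only, debt markers against comments only."""
    issues = []                                            # (severity, title, lineno)
    for lineno, code, comment in split_code_and_comment(source, cfg):
        for rx, sev, title in cfg["dangerous"]:
            if re.search(rx, code):
                issues.append((sev, title, lineno))
        m = re.search(cfg["debt_markers"], comment)
        if m:
            issues.append(("LOW", m.group(1) + " marker beside code", lineno))
    return issues

SAMPLE = """/* constructed sample; strcpy(dst, src) used to live here */
static char dst[32];
puts("never call gets(x) here"); // TODO: validate input length
strcpy(dst, src); // FIXME
"""
```

scan(SAMPLE, C_CONFIG) reports the TODO on line 3 and the strcpy and FIXME on line 4; the strcpy inside the block comment and the gets inside the string literal are not reported, which is exactly the false-positive class the preprocessing pass exists to remove.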
The tool's language coverage for COBOL and PL/SQL is particularly noteworthy. Modern SAST vendors largely ignore these languages despite their prevalence in financial services and government systems. VCG checks COBOL for unsafe MOVE operations, unvalidated ACCEPT statements, and SQL injection patterns in embedded SQL blocks—vulnerabilities that persist in production mainframe systems processing billions of transactions daily.
Gotcha
VisualCodeGrepper's most obvious limitation is right in the name: it's written in Visual Basic .NET, making it irrevocably Windows-only. There's no command-line automation mode suitable for CI/CD pipelines, no Docker container, no REST API. In 2024, this means VCG exists outside modern development workflows entirely. You can't integrate it into GitHub Actions, Jenkins, or GitLab CI. It's a desktop GUI application that requires manual execution and manual result interpretation.
The tool's age is increasingly problematic. With no updates since around 2017, it lacks awareness of modern language features and frameworks. It won't understand Rust's memory safety guarantees, Swift's optionals, or Kotlin's null safety. For languages it does support, it misses newer vulnerability patterns—it predates widespread awareness of dependency confusion attacks, prototype pollution in JavaScript frameworks, or SSRF vulnerabilities in cloud-native applications. The regex patterns are frozen in time, meaning they catch 2015-era vulnerability patterns but miss contemporary attack vectors.
The "beta" label on features like signed/unsigned comparison detection is a red flag. The documentation explicitly warns these checks are "very unreliable"—not confidence-inspiring for a security tool. The pattern-matching approach also means VCG has no understanding of data flow. It can't track whether user input gets sanitized before reaching a dangerous function five calls deep. This leads to both false positives (flagging sanitized data paths) and false negatives (missing indirect vulnerabilities through complex call chains). Modern tools like CodeQL build semantic graphs of code to trace taint flow; VCG just matches regex patterns line-by-line.
Verdict
Use if: You're conducting manual security reviews of legacy codebases containing COBOL, Classic ASP, or PL/SQL where modern SAST tools provide zero coverage. Use it for rapid triage during time-constrained consulting engagements on Windows workstations where you need to guide human reviewers toward high-risk code sections across unfamiliar legacy languages. It's ideal as a supplementary scanner alongside manual review, not as a primary security gate.
Skip if: You're building modern applications with contemporary languages and frameworks, need CI/CD integration, require cross-platform operation, or want comprehensive security analysis with data flow tracking. The lack of maintenance, Windows-only limitation, and shallow analysis make it unsuitable for any automated security pipeline or as a primary scanning tool for codebases using language features from the last seven years. For any greenfield project or modern tech stack, literally any maintained SAST tool will serve you better.