thegreatjedi Posted June 8, 2019

I have a working application written in AutoIt. However, we just found out from our client that it needs to pass a code analysis test for security reasons. The code analysis tool they're using doesn't support AutoIt, so I'll need to look into converting the code in case the current version can't be approved. Out of the supported languages, C++ is the only language I'm certain doesn't require installation of additional runtime dependencies that don't already exist on the production servers (we have the Visual C++ 2005 redist on Win2k servers). Is there any way to convert my existing AutoIt code to C++ without manually rewriting it from scratch, or at least something that can help me speed things up if that's the only way? I still need to relearn C++, seeing as I only touched it once in a single module during the third semester of university. I found this thread in the forum but the solution linked within is dead.

Side info for those wondering: the reason we only found out about the code analysis test requirement now is that this was originally just an exploratory effort and neither side knew what to expect. AutoIt was chosen (internally, not by contractual agreement) before I joined the project, and I was still a fresh grad so I didn't question much. But today I'm one-manning the whole thing (it's not a large app and 100% of the code is basically mine, following some heavy redesigns after they decided to fully commit to producing this thing). Questions were only raised after I figured out that the only way to run this app without runtime dependencies is to build it as a .exe, which we do know has a whole set of security red tape to go through before it can be deployed on production servers. So... here we are.
TheDcoder Posted June 8, 2019

What kind of code analysis test? There is no way to automatically convert your AutoIt code to a C variant, and definitely not into code that would be human readable. Your options are either to convince them to perform a manual code analysis on your script or to rewrite the whole thing in C/C++.
jchd Posted June 8, 2019

This is a too common misconception. Tell them they walk on a path that does not lead to the top of the mountain. Most (if not all) code analysis tools can be viewed —in the very best case only— as "assigning meaning to programs" after the facts, in the sense of R. Floyd. This is exactly the same thing as trying to understand in great detail all the semantic subtleties of a significantly large Klingon text by just knowing the Klingon alphabet. Obviously such an approach gains you zero guaranteed knowledge about the dangerousness of the actual Klingon intents against your planet or civilization. Monthly (weekly, daily) "vulnerability patches" from MS and others illustrate the fact.

If your client really cares about security and correctness of the programs they want to use, they should think the opposite way: "assign programs to meanings": https://www.researchgate.net/publication/220695256_The_B-book_-_assigning_programs_to_meanings

I don't expect generic IT staff to go that route, so the best you can do is to set up a code review task force on the AutoIt source, or write a formally proven correct B0 to AutoIt converter and re-develop the project with the B method, down to proven-correct AutoIt code. Just be warned that the latter way isn't completely trivial.
thegreatjedi (Author) Posted June 8, 2019

3 hours ago, jchd said:
This is a too common misconception. Tell them they walk on a path that does not lead to the top of the mountain. Most (if not all) code analysis tools can be viewed —in the very best case only— as "assigning meaning to programs" after the facts, in the sense of R. Floyd. This is exactly the same thing as trying to understand in great detail all the semantic subtleties of a significantly large Klingon text by just knowing the Klingon alphabet. Obviously such an approach gains you zero guaranteed knowledge about the dangerousness of the actual Klingon intents against your planet or civilization. Monthly (weekly, daily) "vulnerability patches" from MS and others illustrate the fact. If your client really cares about security and correctness of the programs they want to use, they should think the opposite way: "assign programs to meanings": https://www.researchgate.net/publication/220695256_The_B-book_-_assigning_programs_to_meanings I don't expect generic IT staff to go that route, so the best you can do is to set up a code review task force on the AutoIt source, or write a formally proven correct B0 to AutoIt converter and re-develop the project with the B method, down to proven-correct AutoIt code. Just be warned that the latter way isn't completely trivial.

Can't say I follow completely. Here are some details to help clarify my situation. If I remember correctly, they're using HP Fortify Software Security Center. I'm not fully certain of what the client is looking for, but it seems they want to scan the source code for vulnerabilities to stuff like SQL injection etc. The application being developed will be used in various government projects including those in defence-related domains, so there are multiple levels of approval and requirements to pass.

The code analysis tool is supposed to be a first-level check that developers can immediately act upon, and to generate a report that provides a degree of assurance further down the approval process. This HP tool doesn't support analysing AutoIt syntax. No support, no scanning, no report, weaker case for approval by authorities for whom the compiled executable is essentially a black box.
TheDcoder Posted June 8, 2019

3 hours ago, thegreatjedi said:
weaker case for approval by authorities for whom the compiled executable is essentially a black box.

Give them the source code, let them perform a security audit manually. There isn't anything more that can be done, unfortunately...
jchd Posted June 8, 2019

Then I'm afraid there isn't anything that can be done to pass the barrier: the source can be reviewed, but the interpreter and the core functions are closed source.
TheDcoder Posted June 9, 2019

7 hours ago, jchd said:
...but the interpreter and the core functions are closed source.

Ah, true, I didn't think of this aspect... I guess this is one of the anti-features of AutoIt 😕 Oh well, at least it is free to use.
argumentum Posted June 9, 2019

15 hours ago, thegreatjedi said:
HP Fortify Software Security Center

Fortify SCA supports a wide variety of languages, frameworks and operating systems.
• Languages: ASP.NET, C/C++, C#, ColdFusion, Java, JSP, PL/SQL, T-SQL, XML, VB.NET and other .NET languages
• Platforms: Windows, Solaris, Linux, Mac OS X, HP-UX, AIX
• Frameworks: J2EE/EJB, Struts, Hibernate.

So that is that.
Skysnake Posted June 24, 2019

On 6/8/2019 at 1:48 PM, thegreatjedi said:
The application being developed will be used in various government projects including those in defence-related domains, so there are multiple levels of approval and requirements to pass.

My impression is that AutoIt is very commonly used in the US military. And, you know, if it is good enough for the Army, then, well...
jchd Posted June 24, 2019

Did the Pentagon actually drop Ada for AutoIt?