Corgea Expands Language Support: C, C++, Kotlin, and PHP for Enhanced Code Security

November 14, 2024

Corgea Expands Language Support: C, C++, Kotlin, and PHP for False Positive Detection and Auto-Fixing

Corgea is excited to announce the expansion of its language support to include C, C++, Kotlin, and PHP. We know how critical comprehensive language and framework support is for enterprises. This addition broadens Corgea’s capabilities, extending powerful code security tools to a wider range of developers and enabling seamless security management across more languages.

Corgea now supports 20+ programming languages and frameworks, including C#, Python, Ruby, JavaScript & TypeScript, and Java. This extensive coverage establishes Corgea as a leading solution for code security, empowering developers to address vulnerabilities more effectively across the most popular languages and frameworks.

Key Benefits for Each New Language:

  • C and C++: Corgea helps manage complex security challenges in systems programming by filtering out false positives and auto-fixing issues like buffer overflows and memory leaks.

  • Kotlin: Optimized for mobile applications, Corgea enables Android developers to focus on real security risks, offering auto-fixes for common weaknesses in data handling and permissions.

  • PHP: Widely used for web applications, Corgea’s PHP support ensures that developers can quickly resolve frequent security issues related to injection attacks and file handling with precise auto-fixes.

Real-World Examples of Corgea’s New Language Support

Example 1: C - Use of Potentially Dangerous Function

The code uses gets(), a dangerous function that can cause buffer overflow, leading to potential security risks like unauthorized access or crashes.

  • gets(buffer) doesn’t check input size, risking overflow if input exceeds buffer capacity.

  • Overflow can overwrite memory, altering program flow or exposing sensitive data.

  • Attackers can inject malicious code or crash the program.

 void buffer_overflow_example() {
     char buffer[10];
     printf(\"Enter a string (max 9 characters): \" );
-    gets(buffer); // Dangerous: Vulnerable to buffer overflow
+    fgets(buffer, sizeof(buffer), stdin); // Safe: Not vulnerable to buffer overflow
     printf(\"You entered: %s\n\", buffer);
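Review bot: the `fgets` call on the `+` line removes the overflow but its return value is not checked, so on end of input it returns `NULL` and leaves `buffer` untouched and un-terminated, and the following `printf` then reads uninitialised stack bytes; guard it with `if (fgets(buffer, sizeof(buffer), stdin) != NULL)`. Two behaviours of `fgets` that the "Safe" comment does not mention: the trailing newline stays in `buffer`, and any input beyond 9 characters is left unread in `stdin` for whatever reads next, so callers that expect one line per call should strip the newline and drain or detect the remainder. As rendered the snippet also lacks its closing `}` and shows `\"` inside the string literals, so it does not compile when pasted.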

The fix replaces the dangerous gets function with fgets, which prevents buffer overflow by limiting input to the buffer size.

  • Replaced gets(buffer) with fgets(buffer, sizeof(buffer), stdin).

  • fgets limits input to the buffer size, preventing overflow.

  • sizeof(buffer) passes the buffer's capacity to fgets, which reads at most sizeof(buffer) - 1 characters and always writes a terminating null, so the input cannot exceed the buffer.
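The fix above stops the overflow, but fgets leaves two things to the caller: the newline stays in the buffer, and input longer than the buffer is cut at sizeof(buffer) - 1 characters with the rest left in the stream. The following C++ example is added here to show a bounded line reader that handles both; it is not Corgea's code and not part of the original post. The function and type names (read_line, ReadStatus, make_stream, demo) and the sample input are constructed for this example, and a temporary file stands in for stdin so it runs offline.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Outcome of one bounded line read.
enum class ReadStatus { Ok, Truncated, EndOfInput };

// Reads one line into buf (capacity `size`) with fgets, as the fixed example
// does, and then handles what fgets leaves to the caller: the trailing '\n'
// is removed, and a line longer than size-1 characters is reported as
// Truncated with its leftover bytes discarded so they do not bleed into the
// next read.
ReadStatus read_line(char* buf, std::size_t size, FILE* in) {
    if (size == 0) return ReadStatus::EndOfInput;
    if (std::fgets(buf, static_cast<int>(size), in) == nullptr) {
        buf[0] = '\0';                 // fgets wrote nothing: do not print stale bytes
        return ReadStatus::EndOfInput;
    }
    std::size_t len = std::strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';           // drop the newline fgets kept
        return ReadStatus::Ok;
    }
    // No newline in the buffer: the line either fit exactly (next char is
    // '\n' or EOF) or was longer than the buffer. Peek one char to tell.
    int c = std::fgetc(in);
    if (c == EOF || c == '\n') return ReadStatus::Ok;
    while (c != '\n' && c != EOF) c = std::fgetc(in);   // discard the overflow
    return ReadStatus::Truncated;
}

// Builds a FILE* from a constructed string so the example does not need a
// terminal; it plays the role of stdin.
FILE* make_stream(const std::string& text) {
    FILE* f = std::tmpfile();
    if (f == nullptr) return nullptr;
    std::fwrite(text.data(), 1, text.size(), f);
    std::rewind(f);
    return f;
}

// Runs read_line over a constructed input with the same 10-byte buffer as
// the page's example and returns the lines as read, joined with '|', with
// "(truncated)" appended where the input was longer than the buffer.
std::string demo(const std::string& input) {
    char buffer[10];
    FILE* in = make_stream(input);
    if (in == nullptr) return "stream error";
    std::string out;
    ReadStatus st;
    while ((st = read_line(buffer, sizeof(buffer), in)) != ReadStatus::EndOfInput) {
        out += buffer;
        out += (st == ReadStatus::Truncated) ? "(truncated)|" : "|";
    }
    std::fclose(in);
    return out;
}

int main() {
    // Constructed input: a short line, a line longer than 9 characters,
    // and a final line with no newline.
    std::printf("%s\n", demo("short\nthis line is far too long\nlast").c_str());
}
```

The second line of the sample input is what the page's fix silently cuts to 9 characters; with the peek-and-drain step the caller learns that this happened and the next read starts at the next line rather than in the middle of the discarded one.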

Example 2: C++ - Use After Free

Accessing memory after it’s freed can lead to crashes, data corruption, or even arbitrary code execution.

  • The code uses *ptr after freeing its memory, leading to undefined behavior.

  • If ptr points to reallocated memory, it may corrupt valid data.

  • Overwriting function pointers in reallocated memory can execute arbitrary code.

 void danglingPointerExample() {
     int* ptr = new int(42);
+    std::cout << \"Pointer access: \" << *ptr << std::endl;
     delete ptr; // Memory freed
-    std::cout << \"Dangling pointer access: \" << *ptr << std::endl; // Undefined behavior
 }
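Review bot: after the `delete ptr;` line, `ptr` still holds the freed address until the function returns, so the fix depends on nobody adding another use below it later; either set `ptr = nullptr;` immediately after the delete, or replace the `new`/`delete` pair with `auto ptr = std::make_unique<int>(42);` so the object's lifetime ends with the scope and an access after free cannot be written at all. The moved `std::cout` line does read `*ptr` before the delete, which is the right order. The `\"` sequences in the string literals will not compile as pasted.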

The fix removes the use of a dangling pointer by eliminating the access to memory after it has been freed, preventing undefined behavior and potential security risks.

  • Removed the line std::cout << "Dangling pointer access: " << *ptr << std::endl; and moved the read of *ptr to before delete ptr;, so freed memory is never accessed.

  • The pointer ptr is deleted after its last valid use.

  • Ensures no operations are performed on ptr after delete ptr;.
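The fix relies on the order of statements: the raw pointer still holds the freed address after delete. The C++ example below is added here, and is not Corgea's code or part of the original post, to show the two patterns that make the access-after-free unwritable or at least detectable: owning the object with std::unique_ptr so there is no delete at all, and, where a raw pointer must stay, nulling it right after delete so a later read becomes a checkable failure and a second release is a no-op. The names read_with_unique_ptr, Holder and holder_trace are constructed for this example.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// 1. Ownership-based rewrite of the page's danglingPointerExample(): the
//    unique_ptr frees the int when it goes out of scope, so there is no
//    `delete ptr;` after which a raw pointer could be reused.
int read_with_unique_ptr() {
    auto ptr = std::make_unique<int>(42);
    int value = *ptr;      // last use happens while the object is alive
    return value;          // ptr is destroyed here; nothing dangles
}

// 2. When a raw pointer has to stay (legacy code), null it immediately after
//    delete. A later read becomes a checkable null instead of undefined
//    behaviour, and a repeated release is harmless because delete on nullptr
//    does nothing.
struct Holder {
    int* ptr = nullptr;

    explicit Holder(int v) : ptr(new int(v)) {}
    ~Holder() { release(); }
    Holder(const Holder&) = delete;             // no accidental double ownership
    Holder& operator=(const Holder&) = delete;

    void release() {
        delete ptr;
        ptr = nullptr;     // the step the page's fix does not take
    }
    // Returns false instead of dereferencing a freed pointer.
    bool read(int& out) const {
        if (ptr == nullptr) return false;
        out = *ptr;
        return true;
    }
};

// Walks through the page's sequence (read, free, read again, and then a
// second free) and returns a trace so the outcome can be asserted rather
// than only printed.
std::string holder_trace() {
    Holder h(42);
    std::string trace;
    int v = 0;
    trace += h.read(v) ? "read=" + std::to_string(v) : std::string("read=none");
    h.release();
    trace += h.read(v) ? ";after_release=" + std::to_string(v)
                       : std::string(";after_release=none");
    h.release();       // would be a double free without the nulling step
    trace += ";double_release=ok";
    return trace;
}

int main() {
    std::printf("unique_ptr read: %d\n", read_with_unique_ptr());
    std::printf("%s\n", holder_trace().c_str());
}
```

The first pattern is the one to prefer in new code; the second is the minimal change when a raw pointer is part of an interface that cannot be altered.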

Example 3: PHP - Code Injection

The code below is vulnerable to code injection, allowing attackers to execute arbitrary system commands by manipulating the input used in the system() function.

  • The system($command) function executes OS commands, and if $command is user-controlled, it can be exploited.

  • An attacker can inject malicious commands by appending them to $command, altering the intended execution.

  • For example, if $command is ls, an attacker could input ls; rm -rf / to delete files.

 <?php
 if (isset($_GET['command'])) {
-    $command = $_GET['command'];
-    system($command); // Vulnerable to command injection
-    // Use escapeshellcmd() or escapeshellarg() to prevent this
+    $command = escapeshellarg($_GET['command']);
+    system($command);
 }
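Review bot: `escapeshellarg()` on the `+` line quotes the entire `$_GET['command']` value as one shell word, so `ls; rm -rf /` becomes the argument `'ls; rm -rf /'` and the shell looks for a program with that literal name and fails; that does stop the injection shown, but the same quoting turns any legitimate command with arguments (for example `ls -la`) into a single unknown program name, so the fix changes behaviour for every input that is not a bare command. It also still lets the request choose which single command name on the server gets run. A more robust shape is an allowlist: accept only a fixed set of command keys, map each to a hard-coded invocation, and apply `escapeshellarg()` to individual user-supplied arguments, never to the command itself.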

The fix addresses a command injection vulnerability by sanitizing user input with escapeshellarg(), preventing arbitrary code execution through the system() function.

  • The original code directly used $_GET['command'] in system(), allowing code injection.

  • The fix applies escapeshellarg() to sanitize the input.

  • escapeshellarg() wraps the value in single quotes and escapes any embedded single quotes, so the shell treats the whole value as one literal argument rather than as commands.

  • The system() function now executes only safe, sanitized commands.
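To show what the fix above actually does to the input and what a stricter design looks like, the following C++ example is added here; it is not Corgea's code and not part of the original post, and it renders the PHP point in C++ so that the whole page's examples share one language. quote_for_shell reproduces the single-quote form escapeshellarg() uses on POSIX systems, and build_argv is a hypothetical allowlist that maps a fixed set of command keys to hard-coded argument vectors (the keys and paths are constructed for this example) that would be handed to a no-shell exec such as execvp instead of system().

```cpp
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Same transformation as PHP's escapeshellarg() on POSIX: wrap the value in
// single quotes and turn each embedded ' into '\''. The result is one shell
// word, which is why 'ls; rm -rf /' cannot run as commands, and also why
// 'ls -la' cannot run as a command with an argument.
std::string quote_for_shell(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Hypothetical allowlist for this example: the request may name a key, and
// each key maps to a fixed invocation. User text never becomes a program
// name or an argument.
static const std::map<std::string, std::vector<std::string>> kCommands = {
    {"list",   {"ls", "-l", "/var/app/uploads"}},   // constructed path
    {"date",   {"date"}},
    {"uptime", {"uptime"}},
};

// Resolves user input to an argument vector for a no-shell exec (execvp or
// similar), or returns false. Exactly one token is accepted, so anything
// with spaces or extra words is rejected before any lookup.
bool build_argv(const std::string& user_input, std::vector<std::string>& argv) {
    argv.clear();
    std::istringstream in(user_input);
    std::string key, extra;
    if (!(in >> key) || (in >> extra)) return false;   // empty or more than one word
    auto it = kCommands.find(key);
    if (it == kCommands.end()) return false;           // not an allowed key
    argv = it->second;
    return true;
}

int main() {
    // Constructed inputs: the page's injection string and a valid key.
    std::printf("quoted: %s\n", quote_for_shell("ls; rm -rf /").c_str());
    std::vector<std::string> argv;
    for (const char* input : {"ls; rm -rf /", "list"}) {
        if (build_argv(input, argv)) {
            std::printf("allowed: %s -> %zu argv entries\n", input, argv.size());
        } else {
            std::printf("rejected: %s\n", input);
        }
    }
}
```

With the allowlist, the injection input is rejected because "ls;" is not a key, and so is "list; date"; the shell is never involved, so there is nothing to escape. If a command genuinely needs a user-supplied argument (a filename, say), it should be validated against a strict pattern and passed as its own argv entry, which is the one place a quoting function like quote_for_shell belongs when a shell cannot be avoided.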

Intelligent False Positive Filtering

With Corgea’s enhanced false positive detection, developers benefit from reduced noise, as the AI models identify harmless patterns that do not pose security risks. This streamlined filtering allows developers to concentrate on legitimate vulnerabilities, avoiding time-consuming manual triage and reducing alert fatigue.

Auto-Fixing for Common Vulnerabilities

Corgea’s context-aware auto-fixes provide targeted solutions for over 900 Common Weakness Enumerations (CWEs) across supported languages. For C, C++, Kotlin, and PHP, developers can now rely on Corgea’s automation to address common weaknesses directly in the code, saving time while enhancing security.

Continuous Innovation in Code Security

As Corgea continues to expand support across major languages and frameworks, our commitment to comprehensive code security remains at the forefront. By adding false positive detection and auto-fixing for C, C++, Kotlin, and PHP, Corgea brings trusted, automated security solutions to a broader developer base, supporting everything from web applications to mobile and system-level programming.

Ready to fix with a click?

Harden your software in less than 10 mins

Start for free