Karamba VCode

Karamba VCode is a binary analysis tool designed for supply chain security, targeted at automotive OEMs and IoT device manufacturers. It scans software and firmware images to identify, prioritize, and mitigate security gaps — particularly in third-party modules — before production deployment. VCode performs several categories of analysis: - Weak password detection in connected system configurations - Kernel feature analysis to identify missing hardening options - CVE scanning across software libraries and applications within firmware images - Detection of insecure binary configurations (compiler, linker, and OS security features) - File permission analysis to identify overly permissive settings on Linux systems The tool generates a Software Bill of Materials (SBOM), which includes component details such as location, CVE count, severity, dependencies, license types, and version numbers. SBOM output supports compliance with standards such as UN R155. VCode can be integrated into CI/CD pipelines or used as a standalone tool via drag-and-drop. It provides a CLI for piping structured output to downstream mitigation processes. Findings are prioritized based on each customer's security compliance policies. Supported scan targets include Yocto build system images, firmware images (OVA/VMDK, MBR disk images), Linux kernel configurations, and individual files (executables, libraries, JAR, APK). Supported filesystems include cpio, ext4, jffs2, squashfs, and vfat. Archive formats supported include bz2, gz, tar, xz, and zip. OS support covers Linux, Android, QNX, FreeRTOS, and AUTOSAR. Reports include management-level security summaries, compliance validation checklists, and findings mapped to industry standards.