hakiri 0.2.1 → 0.3.0

data/.gitignore

@@ -15,3 +15,4 @@ capybara-*.html
 /spec/tmp/*
 **.orig
 *.gem
+/manifest.json

data/Gemfile.lock

@@ -1,10 +1,11 @@
 PATH
   remote: .
   specs:
-    hakiri (0.2.0)
+    hakiri (0.2.1)
       active_support
       commander
       i18n
+      rake
       rest-client
       terminal-table
 
@@ -19,6 +20,7 @@ GEM
     highline (1.6.19)
     i18n (0.6.4)
     mime-types (1.23)
+    rake (10.1.0)
     rest-client (1.6.7)
       mime-types (>= 1.16)
     terminal-table (1.4.5)

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2013 Vasily Vasinov
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -1,31 +1,124 @@
-# Hakiri
-Hakiri is a command line interface for the Hakiri platform. It allows Ruby on Rails developers to collect versions of servers, databases and other technologies that they use in their stacks. It also shows CVE vulnerabilities found in their system software versions.
+# Secure Rails with Hakiri
+
+Hakiri is a command line interface (CLI) for the Hakiri platform. It allows Ruby on Rails developers to automate version scraping of servers, databases and other technologies used in their stacks. For each technology Hakiri shows CVE vulnerabilities. Here is a snippet of how it works:
+
+~~~
+$ hakiri system:scan
+-----> Scanning system for software versions...
+       Found Ruby 1.9.3.429
+       Found Ruby on Rails 3.2.11
+-----> Searching for vulnerabilities...
+       Found 17 vulnerabilities in Ruby on Rails 3.2.11
+Show all of them? (yes or no)
+
+CVE-2013-0276
+ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
+
+...
+~~~
+
+Wanna try it on your system?
 
 ## Installation
-```
-gem install hakiri
-```
 
-## Authentication Token
-For some extra functionality, you'll have to get an authentication token from Hakiri.
+Hakiri CLI is a Ruby gem that can be installed by
+
+~~~
+$ gem install hakiri
+~~~
+
+After it's installed, restart your command line and you should be good to go.
+
+## Test Your System in 2 Minutes
+
+Once you have Hakiri CLI installed, it's really easy to start using it. You can scan your Rails stack in a matter of seconds.
+
+One way to do so is to run a command line wizard that will ask you about your technologies in 5 steps:
+
+~~~
+$ hakiri system:steps
+~~~
+
+After you are done, Hakiri CLI will scrape versions of technologies in your stack and show you all active CVE vulnerabilities.
+
+The wizard is a good way to get a taste of Hakiri but it's not really useful for real work. A much better setup suitable for production is a manifest file that the user can configure with technologies that are part of the stack and then run tests against it.
+
+Hakiri CLI can generate a generic manifest file with the following command:
+
+~~~
+$ hakiri manifest:generate
+~~~
+
+This will generate a `manifest.json` file in your current directory. It will contain all technologies supported by Hakiri. You can choose which ones you need by editing this file.
 
-TBD
+Once you are done, run the following command in the directory where you've created the manifest file:
 
-## Getting Started
-### System Scan
-You can scan your system for vulnerabilities. Supply a JSON file with technologies that you are interested in and run this command.
-```
-$ hakiri system:scan -s my_stack.json
-```
+~~~
+$ hakiri system:scan
+~~~
 
-### Step by Step
-TBD
+It will attempt to scrape versions of technologies in your current directory and then make a request to the Hakiri API to see if there are open CVE vulnerabilities. If any vulnerabilities are found, Hakiri CLI will ask you whether you want to see all of them. The output will look something like this:
 
-### Sync Stack
-TBD
+~~~
+-----> Scanning system for software versions...
+       Found Ruby 1.9.3.429
+       Found Ruby on Rails 3.2.11
+       Found Unicorn 4.6.3
+-----> Searching for vulnerabilities...
+       Found 17 vulnerabilities in Ruby on Rails 3.2.11
+Show all of them? (yes or no) yes
+
+CVE-2013-0276
+ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
+
+...
+~~~
+
+Simple, right? If you manifest file is in a different directory or named differently you can specify it in a parameter:
+
+~~~
+$ hakiri system:scan -m ../my_stack.json
+~~~
+
+You can learn more about configuring the manifest in [Hakiri docs](https://www.hakiriup.com/docs/manifest-file).
+
+## Advanced Usage
+
+We just went through the most basic Hakiri use case. Here are links to docs describing how to do more:
+
+- [Learn about](https://www.hakiriup.com/docs/manifest-file) advanced manifest file options.
+- [Setup your](https://www.hakiriup.com/docs/authentication-token) authentication token.
+- [Sync your stack technologies](https://www.hakiriup.com/docs/stack-syncing) with the cloud and get notified when new vulnerabilities come out.
+- [Check out technologies](https://www.hakiriup.com/docs/technologies-version-formats) the lsit of supported technologies and version formats.
 
 ## Contribute
+
 - Fork the project.
 - Write code for a feature or bug fix.
 - Commit, do not make changes to version.
-- Submit a pull request.
+- Submit a pull request.
+
+## License
+
+(The MIT license)
+
+Copyright (c) 2013 Vasily Vasinov
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/bin/hakiri

@@ -3,23 +3,33 @@
 require 'rubygems'
 require 'commander/import'
 require 'hakiri'
-require 'terminal-table'
 
 program :name, 'hakiri'
 program :version, Hakiri::VERSION
 program :description, 'Hakiri CLI'
 
+command 'manifest:generate' do |c|
+  c.syntax = 'hakiri manifest:generate'
+  c.summary = 'Generates a manifest file with example technologies.'
+  c.description = 'This command generates a JSON file with technologies supported by Hakiri.'
+
+  c.action do |args, options|
+    cli = Hakiri::Manifest.new(args, options)
+    cli.generate
+  end
+end
+
 command 'system:scan' do |c|
   c.syntax = 'hakiri system:scan [options]'
-  c.summary = 'Configure your stack with a JSON file.'
+  c.summary = 'Configure your stack with a manifest JSON file.'
   c.description = 'This command grabs your custom stack JSON file and shows vulnerabilities in your project.'
-  c.option '--stack STRING', String, 'Path to your JSON file'
+  c.option '--manifest STRING', String, 'Path to your manifest JSON file'
 
   c.action do |args, options|
-    options.default stack: './technologies.json'
+    options.default manifest: './manifest.json'
 
-    cli = Hakiri::SystemScan.new(args, options)
-    cli.command
+    cli = Hakiri::System.new(args, options)
+    cli.scan
   end
 end
 
@@ -27,15 +37,15 @@ command 'system:sync' do |c|
   c.syntax = 'hakiri system:sync [options]'
   c.summary = 'Sync your system\'s software versions with the server.'
   c.description = 'This command grabs your custom stack JSON file, and syncs it with your project on www.hakiriup.com.'
-  c.option '--stack STRING', String, 'Path to your JSON file stack'
+  c.option '--manifest STRING', String, 'Path to your manifest JSON file stack'
   c.option '--project INTEGER', Integer, 'Your project ID.'
+  c.option '--force', 'Force syncing without asking for it first.'
 
   c.action do |args, options|
-    options.default stack: './technologies.json'
+    options.default manifest: './manifest.json'
     options.default project: nil
-
-    cli = Hakiri::SystemSync.new(args, options)
-    cli.command
+    cli = Hakiri::System.new(args, options)
+    cli.sync
   end
 end
 
@@ -45,7 +55,7 @@ command 'system:steps' do |c|
   c.description = 'This command launches a step by step walkthrough that will help you customize your stack.'
 
   c.action do |args, options|
-    cli = Hakiri::SystemSteps.new(args, options)
-    cli.command
+    cli = Hakiri::System.new(args, options)
+    cli.steps
   end
 end

data/hakiri.gemspec

@@ -4,8 +4,8 @@ require 'hakiri/version'
 Gem::Specification.new do |s|
   s.name          = 'hakiri'
   s.version       = Hakiri::VERSION
-  s.summary       = 'CLI for Hakiri'
-  s.description   = 'Hakiri is a CLI for www.hakiriup.com—a cloud security platform for Ruby on rails apps.'
+  s.summary       = 'Secure Rails with Hakiri'
+  s.description   = 'Hakiri is a CLI for www.hakiriup.com—a cloud security platform for Ruby on Rails apps.'
   s.authors       = ['Vasily Vasinov']
   s.email         = 'vasinov@me.com'
   s.files         = `git ls-files`.split("\n")
@@ -14,6 +14,7 @@ Gem::Specification.new do |s|
   s.homepage      = 'http://www.hakiriup.com'
   s.license       = 'MIT'
 
+  s.add_dependency 'rake'
   s.add_dependency 'commander'
   s.add_dependency 'terminal-table'
   s.add_dependency 'active_support'

data/lib/hakiri.rb

@@ -7,9 +7,8 @@ require 'http'
 require 'open-uri'
 
 require 'hakiri/cli/cli'
-require 'hakiri/cli/system_sync'
-require 'hakiri/cli/system_scan'
-require 'hakiri/cli/system_steps'
+require 'hakiri/cli/system'
+require 'hakiri/cli/manifest'
 
 require 'hakiri/stack'
 require 'hakiri/version'

data/lib/hakiri/cli/manifest.json

@@ -0,0 +1,19 @@
+{
+    "apache": { "command": "", "version": "" },
+    "apache-tomcat": { "command": "", "version": "" },
+    "java": { "command": "", "version": "" },
+    "jruby": { "command": "", "version": "" },
+    "linux-kernel": { "command": "", "version": "" },
+    "memcached": { "command": "", "version": "" },
+    "mongodb": { "command": "", "version": "" },
+    "mysql": { "command": "", "version": "" },
+    "nginx": { "command": "", "version": "" },
+    "phusion-passenger": { "command": "", "version": "" },
+    "postgres": { "command": "", "version": "" },
+    "redis": { "command": "", "version": "" },
+    "ruby": { "command": "", "version": "" },
+    "ruby-on-rails": { "command": "", "version": "" },
+    "thin": { "command": "", "version": "" },
+    "trinidad": { "command": "", "version": "" },
+    "unicorn": { "command": "", "version": "" }
+}

data/lib/hakiri/cli/manifest.rb

@@ -0,0 +1,14 @@
+require 'fileutils'
+
+class Hakiri::Manifest < Hakiri::Cli
+  #
+  # Generates a JSON manifest file
+  #
+  def generate
+    FileUtils::copy_file "#{File.dirname(__FILE__)}/manifest.json", "#{Dir.pwd}/manifest.json"
+    File.chmod 0755, "#{Dir.pwd}/manifest.json"
+    say '-----> Generating the manifest file...'
+    say "-----> Generated the manifest file in #{Dir.pwd}/manifest.json"
+    say "-----> Edit it and run \"hakiri system:scan\""
+  end
+end

data/lib/hakiri/cli/system.rb

@@ -0,0 +1,235 @@
+class Hakiri::System < Hakiri::Cli
+  #
+  # Walks the user through system scanning process.
+  #
+  def scan
+    if File.exist? @options.manifest
+      @stack.build_from_json_file(@options.manifest)
+      @stack.fetch_versions
+
+      # GETTING VERSIONS
+      say '-----> Scanning system for software versions...'
+
+      if @stack.technologies.empty?
+        say '       No versions were found...'
+      else
+        @stack.technologies.each do |technology_slug, payload|
+          say "       Found #{payload[:name]} #{payload[:version]}"
+        end
+
+        # GETTING VULNERABILITIES
+        say '-----> Searching for vulnerabilities...'
+        params = ({ technologies: @stack.technologies }.to_param)
+        response = @http_client.get_issues(params)
+
+        if response[:errors]
+          response[:errors].each do |error|
+            say "!      Server Error: #{error}"
+          end
+        else
+          authenticated = response[:meta][:authenticated]
+
+          if response[:technologies].empty?
+            say '       No vulnerabilities found. Keep it up!'
+          else
+            response[:technologies].each do |technology|
+              unless technology[:issues_count] == 0
+                say "!      Found #{technology[:issues_count].to_i} #{'vulnerability'.pluralize if technology[:issues_count].to_i != 1} in #{technology[:name]} #{technology[:version]}"
+              end
+            end
+
+            if agree 'Show all of them? (yes or no) '
+              puts ' '
+              response[:technologies].each do |technology|
+                technology[:issues].each do |issue|
+                  say issue[:name]
+                  say issue[:description]
+                  puts ' '
+                end
+              end
+            end
+
+            unless authenticated
+              say '****** Signup on www.hakiriup.com to get notified when new vulnerabilities come out.'
+            end
+          end
+        end
+      end
+    else
+      say '!      You have to create a manifest file with "hakiri manifest:generate"'
+    end
+  end
+
+  #
+  # Walks the user through the version syncing process.
+  #
+  def sync
+    @stack.build_from_json_file(@options.manifest)
+    @stack.fetch_versions
+
+    if @http_client.auth_token
+      # GETTING VERSIONS
+      say '-----> Scanning system for software versions...'
+
+      if @stack.technologies.empty?
+        say '       No versions were found...'
+      else
+        @stack.technologies.each do |technology_name, payload|
+          say "       Found #{payload[:name]} #{payload[:version]}"
+        end
+
+        # CHECK VERSIONS ON THE SERVER
+        params = ({ project_id: @options.project, technologies: @stack.technologies }.to_param)
+        say '-----> Checking software versions on www.hakiriup.com...'
+        response = @http_client.check_versions_diff(params)
+
+        if response[:errors]
+          response[:errors].each do |error|
+            say "!      Server Error: #{error}"
+          end
+        else
+          if response[:diffs].any?
+            @stack.technologies = {}
+            response[:diffs].each do |diff|
+              if diff[:success]
+                @stack.technologies[diff[:technology][:slug]] = { version: diff[:system_version] }
+
+                if diff[:hakiri_version]
+                  if diff[:system_version_newer]
+                    say "       System version of #{diff[:technology][:name]} is newer (#{diff[:system_version]} > #{diff[:hakiri_version]})"
+                  else
+                    say "       System version of #{diff[:technology][:name]} is older (#{diff[:system_version]} < #{diff[:hakiri_version]})"
+                  end
+                else
+                  say "       New technology detected: #{diff[:technology][:name]} #{diff[:system_version]}"
+                end
+              else
+                say "!      Error in #{diff[:technology][:name]}: #{diff[:errors][:value][0]}"
+              end
+            end
+
+            # UPDATE VERSIONS ON THE SERVER
+            unless @options.force
+              update = agree "Do you want to update \"#{response[:project][:name]}\" with system versions? (yes or no) "
+            end
+
+            if update or @options.force
+              say '-----> Syncing versions with www.hakiriup.com...'
+              params = ({ project_id: @options.project, technologies: @stack.technologies }.to_param)
+              response = @http_client.sync_project_versions(response[:project][:id], params)
+
+              if response[:errors]
+                response[:errors].each do |error|
+                  say "!      Server Error: #{error}"
+                end
+              else
+                if response[:updated].any?
+                  response[:updated].each do |update|
+                    if update[:success]
+                      say "       #{update[:technology][:name]} was updated to #{update[:new_version]}"
+                    else
+                      say "!      Error syncing #{update[:technology][:name]}: #{update[:errors][:value][0]}"
+                    end
+                  end
+                end
+              end
+            end
+          else
+            say '       No differences were found. Everything is up to date.'
+          end
+        end
+      end
+    else
+      say '!      You have to setup HAKIRI_AUTH_TOKEN environmental variable with your Hakiri authentication token.'
+    end
+  end
+
+  #
+  # Walks the user through manual technologies selection.
+  #
+  def steps
+    say 'Hakiri Walkthrough will help you configure your @stack step by step and show '
+    say 'you vulnerabilities at the end.'
+    puts ' '
+    say 'Step 1 of 5: Rails Server'
+    say '1. Unicorn'
+    say '2. Phusion Passenger'
+    say '3. Thin'
+    say '4. Trinidad'
+    say '5. None of the above'
+
+    server = ask('What do you use as your Rails server? (1, 2, 3, 4 or 5) ', Integer) { |q| q.in = 1..5 }
+    puts ' '
+    say 'Step 2 of 5: Secondary Server'
+    say '1. Apache'
+    say '2. nginx'
+    say '3. Both'
+    say '4. Neither'
+
+    extra_server = ask('Do you use Apache or nginx? (1, 2, 3 or 4) ', Integer) { |q| q.in = 1..4 }
+    puts ' '
+    say 'Step 3 of 5: Database'
+    say '1. MySQL'
+    say '2. Postgres'
+    say '3. MongoDB'
+    say '4. None of the above'
+
+    db = ask('What database do you use? (1, 2, 3 or 4) ', Integer) { |q| q.in = 1..4 }
+    puts ' '
+    redis = agree 'Step 4 of 5: do you use Redis? (yes or no) '
+    puts ' '
+    memcached = agree 'Step 5 of 5: do you use Memcached? (yes or no) '
+
+    say '-----> Retrieving software versions versions on your system...'
+
+    @stack.build_from_input(server, extra_server, db, redis, memcached)
+    @stack.fetch_versions
+
+    if @stack.technologies.empty?
+      say '       No versions were found...'
+    else
+      @stack.technologies.each do |technology_slug, payload|
+        say "       Found #{payload[:name]} #{payload[:version]}"
+      end
+
+      say '-----> Searching for vulnerabilities...'
+      params = ({ technologies: @stack.technologies }.to_param)
+      response = @http_client.get_issues(params)
+
+      if response[:errors]
+        response[:errors].each do |error|
+          say "!      Server Error: #{error}"
+        end
+      else
+        authenticated = response[:meta][:authenticated]
+
+        if response[:technologies].empty?
+          say '       No vulnerabilities found. Keep it up!'
+        else
+          response[:technologies].each do |technology|
+            unless technology[:issues_count] == 0
+              say "!      Found #{technology[:issues_count].to_i} #{'vulnerability'.pluralize if technology[:issues_count].to_i != 1} in #{technology[:name]} #{technology[:version]}"
+              puts ' '
+            end
+          end
+
+
+          if agree 'Show all of them? (yes or no) '
+            puts ' '
+            response[:technologies].each do |technology|
+              technology[:issues].each do |issue|
+                say issue[:name]
+                say issue[:description]
+                puts ' '
+              end
+            end
+          end
+
+          unless authenticated
+            say '****** Signup on www.hakiriup.com to get notified when new vulnerabilities come out.'
+          end
+        end
+      end
+    end
+  end
+end