RubyGems - owasp-glue - Versions diffs - 0.9.0 - Mend

owasp-glue 0.9.0

Files changed (54) hide show

checksums.yaml +7 -0
data/CHANGES +27 -0
data/FEATURES +19 -0
data/README.md +117 -0
data/bin/glue +67 -0
data/lib/glue.rb +317 -0
data/lib/glue/event.rb +14 -0
data/lib/glue/filters.rb +41 -0
data/lib/glue/filters/base_filter.rb +19 -0
data/lib/glue/filters/jira_one_time_filter.rb +57 -0
data/lib/glue/filters/remove_all_filter.rb +16 -0
data/lib/glue/filters/zap_consdensing_filter.rb +76 -0
data/lib/glue/finding.rb +52 -0
data/lib/glue/mounters.rb +55 -0
data/lib/glue/mounters/base_mounter.rb +31 -0
data/lib/glue/mounters/docker_mounter.rb +44 -0
data/lib/glue/mounters/filesystem_mounter.rb +20 -0
data/lib/glue/mounters/git_mounter.rb +52 -0
data/lib/glue/mounters/iso_mounter.rb +42 -0
data/lib/glue/mounters/url_mounter.rb +28 -0
data/lib/glue/options.rb +269 -0
data/lib/glue/reporters.rb +50 -0
data/lib/glue/reporters/base_reporter.rb +21 -0
data/lib/glue/reporters/csv_reporter.rb +19 -0
data/lib/glue/reporters/jira_reporter.rb +59 -0
data/lib/glue/reporters/json_reporter.rb +20 -0
data/lib/glue/reporters/text_reporter.rb +19 -0
data/lib/glue/scanner.rb +28 -0
data/lib/glue/tasks.rb +124 -0
data/lib/glue/tasks/av.rb +42 -0
data/lib/glue/tasks/base_task.rb +80 -0
data/lib/glue/tasks/brakeman.rb +58 -0
data/lib/glue/tasks/bundle-audit.rb +95 -0
data/lib/glue/tasks/checkmarx.rb +60 -0
data/lib/glue/tasks/dawnscanner.rb +55 -0
data/lib/glue/tasks/eslint.rb +69 -0
data/lib/glue/tasks/fim.rb +60 -0
data/lib/glue/tasks/findsecbugs.rb +90 -0
data/lib/glue/tasks/npm.rb +58 -0
data/lib/glue/tasks/nsp.rb +65 -0
data/lib/glue/tasks/owasp-dep-check.rb +117 -0
data/lib/glue/tasks/patterns.json +394 -0
data/lib/glue/tasks/pmd.rb +63 -0
data/lib/glue/tasks/retirejs.rb +107 -0
data/lib/glue/tasks/scanjs-eslintrc +106 -0
data/lib/glue/tasks/scanjs.rb +31 -0
data/lib/glue/tasks/sfl.rb +67 -0
data/lib/glue/tasks/snyk.rb +81 -0
data/lib/glue/tasks/test.rb +47 -0
data/lib/glue/tasks/zap.rb +99 -0
data/lib/glue/tracker.rb +47 -0
data/lib/glue/util.rb +36 -0
data/lib/glue/version.rb +3 -0
metadata +294 -0

data/lib/glue/reporters/json_reporter.rb ADDED

@@ -0,0 +1,20 @@
+require 'glue/finding'
+require 'glue/reporters/base_reporter'
+require 'json'
+class Glue::JSONReporter < Glue::BaseReporter
+  Glue::Reporters.add self
+  attr_accessor :name, :format
+  def initialize()
+    @name = "JSONReporter"
+    @format = :to_json
+  end
+  def out(finding)
+    finding.to_json
+  end
+end

data/lib/glue/reporters/text_reporter.rb ADDED

@@ -0,0 +1,19 @@
+require 'glue/finding'
+require 'glue/reporters/base_reporter'
+class Glue::TextReporter < Glue::BaseReporter
+  Glue::Reporters.add self
+  attr_accessor :name, :format
+  def initialize()
+    @name = "TextReporter"
+    @format = :to_s
+  end
+  def out(finding)
+    finding.to_string << "\n"
+  end
+end

data/lib/glue/scanner.rb ADDED

@@ -0,0 +1,28 @@
+require 'glue/event'
+require 'glue/tracker'
+require 'glue/tasks'
+class Glue::Scanner
+  attr_reader :tracker
+  attr_reader :mounter
+  #Pass in path to the root of the Rails application
+  def initialize
+    @stage = :wait
+    @stages = [ :wait, :mount, :file, :code, :live, :done]
+  end
+  #Process everything in the Rails application
+  def process target, tracker
+    @stages.each do |stage|
+      Glue.notify "Running tasks in stage: #{stage}"
+      @stage = stage
+      begin
+         Glue::Tasks.run_tasks(target, stage, tracker)
+      rescue Exception => e
+        Glue.warn e.message
+        raise e
+      end
+    end
+  end
+end

data/lib/glue/tasks.rb ADDED

@@ -0,0 +1,124 @@
+require 'thread'
+#Collects up results from running different tasks.
+#
+#tasks can be added with +task.add(task_class)+
+#
+#All .rb files in tasks/ will be loaded.
+class Glue::Tasks
+  @tasks = []
+  @optional_tasks = []
+  attr_reader :tasks_run
+  #Add a task. This will call +_klass_.new+ when running tests
+  def self.add klass
+    @tasks << klass unless @tasks.include? klass
+  end
+  #Add an optional task
+  def self.add_optional klass
+    @optional_tasks << klass unless @tasks.include? klass
+  end
+  def self.tasks
+    @tasks + @optional_tasks
+  end
+  def self.optional_tasks
+    @optional_tasks
+  end
+  def self.initialize_tasks task_directory = ""
+    #Load all files in task_directory
+    Dir.glob(File.join(task_directory, "*.rb")).sort.each do |f|
+      require f
+    end
+  end
+  #No need to use this directly.
+  def initialize options = { }
+    @warnings = []
+    @tasks_run = []
+  end
+  #Add Warning to list of warnings to report.
+  def add_warning warning
+    @warnings << warning
+  end
+  #Run all the tasks on the given Tracker.
+  #Returns a new instance of tasks with the results.
+  def self.run_tasks(target, stage, tracker)
+    task_runner = self.new
+    trigger = Glue::Event.new(tracker.options[:appname])
+    trigger.path = target
+    self.tasks_to_run(tracker).each do |c|
+      task_name = get_task_name c
+      #Run or don't run task based on options
+      #Now case-insensitive specifiers:  nodesecurityproject = Glue::NodeSecurityProject
+      if tracker.options[:skip_tasks]
+        skip_tasks = tracker.options[:skip_tasks].map {|task| task.downcase}
+      end
+      if (tracker.options[:run_tasks])
+        run_tasks = tracker.options[:run_tasks].map {|task| task.downcase}
+      end
+      unless skip_tasks.include? task_name.downcase or
+        (run_tasks and not run_tasks.include? task_name.downcase)
+        task = c.new(trigger, tracker)
+        begin
+          if task.supported? and task.stage == stage
+            if task.labels.intersect? tracker.options[:labels] or          # Only run tasks with labels
+                 ( run_tasks and run_tasks.include? task_name.downcase )   # or that are explicitly requested.
+              Glue.notify "#{stage} - #{task_name} - #{task.labels}"
+              task.run
+              task.analyze
+              task.findings.each do | finding |
+                tracker.report finding
+              end
+           end
+          end
+        rescue => e
+          Glue.notify e.message
+          tracker.error e
+        end
+        task.warnings.each do |w|
+          task_runner.add_warning w
+        end
+        #Maintain list of which tasks were run
+        #mainly for reporting purposes
+        task_runner.tasks_run << task_name[5..-1]
+      end
+    end
+    task_runner
+  end
+  private
+  def self.get_task_name task_class
+    task_class.to_s.split("::").last
+  end
+  def self.tasks_to_run tracker
+    if tracker.options[:run_all_tasks] or tracker.options[:run_tasks]
+      @tasks + @optional_tasks
+    else
+      @tasks
+    end
+  end
+end
+#Load all files in tasks/ directory
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/tasks/*.rb").sort.each do |f|
+  require f.match(/(glue\/tasks\/.*)\.rb$/)[0]
+end

data/lib/glue/tasks/av.rb ADDED

@@ -0,0 +1,42 @@
+# https://gist.github.com/paulspringett/8802240
+require 'glue/tasks/base_task'
+class Glue::AV < Glue::BaseTask
+  Glue::Tasks.add self
+  def initialize(trigger, tracker)
+    super(trigger,tracker)
+    @name = "AV"
+    @description = "Test for virus/malware"
+    @stage = :file
+    @labels << "filesystem"
+  end
+  def run
+    # Update AV
+    `freshclam`
+    # Run AV
+    # TODO:  Circle back and use runsystem.
+    Glue.notify "Malware/Virus Check"
+  	rootpath = @trigger.path
+	  @result=`clamscan --no-summary -i -r "#{rootpath}"`
+  end
+  def analyze
+	  list = @result.split(/\n/)
+	  list.each do |v|
+	     # v.slice! installdir
+	     Glue.notify v
+       report "Malicious file identified.", v, @name, :medium
+    end
+  end
+  def supported?
+        # TODO verify.
+  	# In future, verify tool is available.
+  	return true
+  end
+end

data/lib/glue/tasks/base_task.rb ADDED

@@ -0,0 +1,80 @@
+require 'glue/finding'
+require 'set'
+require 'digest'
+class Glue::BaseTask
+  attr_reader :findings, :warnings, :trigger, :labels
+  attr_accessor :name
+  attr_accessor :description
+  attr_accessor :stage
+  attr_accessor :appname
+  def initialize(trigger, tracker)
+    @findings = []
+    @warnings = []
+    @labels = Set.new
+    @trigger = trigger
+    @tracker = tracker
+    @severity_filter = {
+      :low => ['low','weak'],
+      :medium => ['medium','med','average'],
+      :high => ['high','severe','critical']
+    }
+  end
+  def report description, detail, source, severity, fingerprint
+    finding = Glue::Finding.new( @trigger.appname, description, detail, source, severity, fingerprint )
+    @findings << finding
+  end
+  def warn warning
+    @warnings << warning
+  end
+  def name
+    @name
+  end
+  def description
+    @description
+  end
+  def stage
+    @stage
+  end
+  def directories_with? file, exclude_dirs = []
+    exclude_dirs = @tracker.options[:exclude_dirs] if exclude_dirs == [] and @tracker.options[:exclude_dirs]
+    results = []
+    Find.find(@trigger.path) do |path|
+      if FileTest.directory? path
+        Find.prune if exclude_dirs.include? File.basename(path) or exclude_dirs.include? File.basename(path) + '/'
+        next
+      end
+      Find.prune unless File.basename(path) == file
+      results << File.dirname(path)
+    end
+    return results
+  end
+  def run
+  end
+  def analyze
+  end
+  def supported?
+  end
+  def severity sev
+    sev = '' if sev.nil?
+    return 1 if @severity_filter[:low].include?(sev.strip.chomp.downcase)
+    return 2 if @severity_filter[:medium].include?(sev.strip.chomp.downcase)
+    return 3 if @severity_filter[:high].include?(sev.strip.chomp.downcase)
+    return 0
+  end
+end

data/lib/glue/tasks/brakeman.rb ADDED

@@ -0,0 +1,58 @@
+require 'glue/tasks/base_task'
+require 'json'
+require 'glue/util'
+require 'pathname'
+class Glue::Brakeman < Glue::BaseTask
+  Glue::Tasks.add self
+  include Glue::Util
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "Brakeman"
+    @description = "Source analysis for Ruby"
+    @stage = :code
+    @labels << "code" << "ruby" << "rails"
+  end
+  def run
+    rootpath = @trigger.path
+    @result=runsystem(true, "brakeman", "-A", "-q", "-f", "json", "#{rootpath}")
+  end
+  def analyze
+    # puts @result
+    begin
+      parsed = JSON.parse(@result)
+      parsed["warnings"].each do |warning|
+        file = relative_path(warning['file'], @trigger.path)
+        detail = "#{warning['message']}\n#{warning['link']}"
+        if ! warning['line']
+          warning['line'] = "0"
+        end
+        if ! warning['code']
+          warning['code'] = ""
+        end
+        source = { :scanner => @name, :file => file, :line => warning['line'], :code => warning['code'].lstrip }
+        report warning["warning_type"], detail, source, severity(warning["confidence"]), fingerprint("#{warning['message']}#{warning['link']}#{severity(warning["confidence"])}#{source}")
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    end
+  end
+  def supported?
+    supported=runsystem(true, "brakeman", "-v")
+    if supported =~ /command not found/
+      Glue.notify "Run: gem install brakeman"
+      return false
+    else
+      return true
+    end
+  end
+end

data/lib/glue/tasks/bundle-audit.rb ADDED

@@ -0,0 +1,95 @@
+require 'glue/tasks/base_task'
+require 'json'
+require 'glue/util'
+require 'digest'
+class Glue::BundleAudit < Glue::BaseTask
+  Glue::Tasks.add self
+  include Glue::Util
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "BundleAudit"
+    @description = "Dependency Checker analysis for Ruby"
+    @stage = :code
+    @labels << "code" << "ruby"
+    @results = {}
+  end
+  def run
+    directories_with?('Gemfile.lock').each do |dir|
+      Glue.notify "#{@name} scanning: #{dir}"
+      Dir.chdir(dir) do
+        @results[dir] = runsystem(true, "bundle-audit", "check")
+      end
+    end
+  end
+  def analyze
+    # puts @result
+    begin
+      get_warnings
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.notify "Appears not to be a project with Gemfile.lock or there was another problem ... bundle-audit skipped."
+    end
+  end
+  def supported?
+    supported=runsystem(false, "bundle-audit", "update")
+    if supported =~ /command not found/
+      Glue.notify "Run: gem install bundler-audit"
+      return false
+    else
+      return true
+    end
+  end
+  private
+  def get_warnings
+    @results.each do |dir, result|
+      detail, jem, source, sev, hash = '','',{},'',''
+      result.each_line do | line |
+        if /\S/ !~ line
+          # Signal section is over.  Reset variables and report.
+          if detail != ''
+            report "Gem #{jem} has known security issues.", detail, source, sev, fingerprint(hash)
+          end
+          detail, jem, source, sev, hash = '','', {},'',''
+        end
+        name, value = line.chomp.split(':')
+        case name
+        when 'Name'
+          jem << value
+          hash << value
+        when 'Version'
+          jem << value
+          hash << value
+        when 'Advisory'
+          source = { :scanner => @name, :file => "#{relative_path(dir, @trigger.path)}/Gemfile.lock", :line => nil, :code => nil }
+          hash << value
+        when 'Criticality'
+          sev = severity(value)
+          hash << sev
+        when 'URL'
+          detail += line.chomp.split('URL:').last
+        when 'Title'
+          detail += ",#{value}"
+        when 'Solution'
+          detail += ": #{value}"
+        when 'Insecure Source URI found'
+          report "Insecure GEM Source", "#{line.chomp} - use git or https", {:scanner => @name, :file => 'Gemfile.lock', :line => nil, :code =>  nil}, severity('high'), fingerprint("bundlerauditgemsource#{line.chomp}")
+        else
+          if line =~ /\S/ and line !~ /Unpatched versions found/
+            Glue.debug "Not sure how to handle line: #{line}"
+          end
+        end
+      end
+    end
+  end
+end