RubyGems - owasp-glue - Versions diffs - 0.9.0 - Mend

owasp-glue 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

checksums.yaml +7 -0
data/CHANGES +27 -0
data/FEATURES +19 -0
data/README.md +117 -0
data/bin/glue +67 -0
data/lib/glue.rb +317 -0
data/lib/glue/event.rb +14 -0
data/lib/glue/filters.rb +41 -0
data/lib/glue/filters/base_filter.rb +19 -0
data/lib/glue/filters/jira_one_time_filter.rb +57 -0
data/lib/glue/filters/remove_all_filter.rb +16 -0
data/lib/glue/filters/zap_consdensing_filter.rb +76 -0
data/lib/glue/finding.rb +52 -0
data/lib/glue/mounters.rb +55 -0
data/lib/glue/mounters/base_mounter.rb +31 -0
data/lib/glue/mounters/docker_mounter.rb +44 -0
data/lib/glue/mounters/filesystem_mounter.rb +20 -0
data/lib/glue/mounters/git_mounter.rb +52 -0
data/lib/glue/mounters/iso_mounter.rb +42 -0
data/lib/glue/mounters/url_mounter.rb +28 -0
data/lib/glue/options.rb +269 -0
data/lib/glue/reporters.rb +50 -0
data/lib/glue/reporters/base_reporter.rb +21 -0
data/lib/glue/reporters/csv_reporter.rb +19 -0
data/lib/glue/reporters/jira_reporter.rb +59 -0
data/lib/glue/reporters/json_reporter.rb +20 -0
data/lib/glue/reporters/text_reporter.rb +19 -0
data/lib/glue/scanner.rb +28 -0
data/lib/glue/tasks.rb +124 -0
data/lib/glue/tasks/av.rb +42 -0
data/lib/glue/tasks/base_task.rb +80 -0
data/lib/glue/tasks/brakeman.rb +58 -0
data/lib/glue/tasks/bundle-audit.rb +95 -0
data/lib/glue/tasks/checkmarx.rb +60 -0
data/lib/glue/tasks/dawnscanner.rb +55 -0
data/lib/glue/tasks/eslint.rb +69 -0
data/lib/glue/tasks/fim.rb +60 -0
data/lib/glue/tasks/findsecbugs.rb +90 -0
data/lib/glue/tasks/npm.rb +58 -0
data/lib/glue/tasks/nsp.rb +65 -0
data/lib/glue/tasks/owasp-dep-check.rb +117 -0
data/lib/glue/tasks/patterns.json +394 -0
data/lib/glue/tasks/pmd.rb +63 -0
data/lib/glue/tasks/retirejs.rb +107 -0
data/lib/glue/tasks/scanjs-eslintrc +106 -0
data/lib/glue/tasks/scanjs.rb +31 -0
data/lib/glue/tasks/sfl.rb +67 -0
data/lib/glue/tasks/snyk.rb +81 -0
data/lib/glue/tasks/test.rb +47 -0
data/lib/glue/tasks/zap.rb +99 -0
data/lib/glue/tracker.rb +47 -0
data/lib/glue/util.rb +36 -0
data/lib/glue/version.rb +3 -0
metadata +294 -0

data/lib/glue/reporters/json_reporter.rb ADDED

@@ -0,0 +1,20 @@
+require 'glue/finding'
+require 'glue/reporters/base_reporter'
+require 'json'
+class Glue::JSONReporter < Glue::BaseReporter
+  Glue::Reporters.add self
+  attr_accessor :name, :format
+  def initialize()
+    @name = "JSONReporter"
+    @format = :to_json
+  end
+  def out(finding)
+    finding.to_json
+  end
+end

data/lib/glue/reporters/text_reporter.rb ADDED

@@ -0,0 +1,19 @@
+require 'glue/finding'
+require 'glue/reporters/base_reporter'
+class Glue::TextReporter < Glue::BaseReporter
+  Glue::Reporters.add self
+  attr_accessor :name, :format
+  def initialize()
+    @name = "TextReporter"
+    @format = :to_s
+  end
+  def out(finding)
+    finding.to_string << "\n"
+  end
+end

data/lib/glue/scanner.rb ADDED

@@ -0,0 +1,28 @@
+require 'glue/event'
+require 'glue/tracker'
+require 'glue/tasks'
+class Glue::Scanner
+  attr_reader :tracker
+  attr_reader :mounter
+  #Pass in path to the root of the Rails application
+  def initialize
+    @stage = :wait
+    @stages = [ :wait, :mount, :file, :code, :live, :done]
+  end
+  #Process everything in the Rails application
+  def process target, tracker
+    @stages.each do |stage|
+      Glue.notify "Running tasks in stage: #{stage}"
+      @stage = stage
+      begin
+         Glue::Tasks.run_tasks(target, stage, tracker)
+      rescue Exception => e
+        Glue.warn e.message
+        raise e
+      end
+    end
+  end
+end

data/lib/glue/tasks.rb ADDED

@@ -0,0 +1,124 @@
+require 'thread'
+#Collects up results from running different tasks.
+#
+#tasks can be added with +task.add(task_class)+
+#
+#All .rb files in tasks/ will be loaded.
+class Glue::Tasks
+  @tasks = []
+  @optional_tasks = []
+  attr_reader :tasks_run
+  #Add a task. This will call +_klass_.new+ when running tests
+  def self.add klass
+    @tasks << klass unless @tasks.include? klass
+  end
+  #Add an optional task
+  def self.add_optional klass
+    @optional_tasks << klass unless @tasks.include? klass
+  end
+  def self.tasks
+    @tasks + @optional_tasks
+  end
+  def self.optional_tasks
+    @optional_tasks
+  end
+  def self.initialize_tasks task_directory = ""
+    #Load all files in task_directory
+    Dir.glob(File.join(task_directory, "*.rb")).sort.each do |f|
+      require f
+    end
+  end
+  #No need to use this directly.
+  def initialize options = { }
+    @warnings = []
+    @tasks_run = []
+  end
+  #Add Warning to list of warnings to report.
+  def add_warning warning
+    @warnings << warning
+  end
+  #Run all the tasks on the given Tracker.
+  #Returns a new instance of tasks with the results.
+  def self.run_tasks(target, stage, tracker)
+    task_runner = self.new
+    trigger = Glue::Event.new(tracker.options[:appname])
+    trigger.path = target
+    self.tasks_to_run(tracker).each do |c|
+      task_name = get_task_name c
+      #Run or don't run task based on options
+      #Now case-insensitive specifiers:  nodesecurityproject = Glue::NodeSecurityProject
+      if tracker.options[:skip_tasks]
+        skip_tasks = tracker.options[:skip_tasks].map {|task| task.downcase}
+      end
+      if (tracker.options[:run_tasks])
+        run_tasks = tracker.options[:run_tasks].map {|task| task.downcase}
+      end
+      unless skip_tasks.include? task_name.downcase or
+        (run_tasks and not run_tasks.include? task_name.downcase)
+        task = c.new(trigger, tracker)
+        begin
+          if task.supported? and task.stage == stage
+            if task.labels.intersect? tracker.options[:labels] or          # Only run tasks with labels
+                 ( run_tasks and run_tasks.include? task_name.downcase )   # or that are explicitly requested.
+              Glue.notify "#{stage} - #{task_name} - #{task.labels}"
+              task.run
+              task.analyze
+              task.findings.each do | finding |
+                tracker.report finding
+              end
+           end
+          end
+        rescue => e
+          Glue.notify e.message
+          tracker.error e
+        end
+        task.warnings.each do |w|
+          task_runner.add_warning w
+        end
+        #Maintain list of which tasks were run
+        #mainly for reporting purposes
+        task_runner.tasks_run << task_name[5..-1]
+      end
+    end
+    task_runner
+  end
+  private
+  def self.get_task_name task_class
+    task_class.to_s.split("::").last
+  end
+  def self.tasks_to_run tracker
+    if tracker.options[:run_all_tasks] or tracker.options[:run_tasks]
+      @tasks + @optional_tasks
+    else
+      @tasks
+    end
+  end
+end
+#Load all files in tasks/ directory
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/tasks/*.rb").sort.each do |f|
+  require f.match(/(glue\/tasks\/.*)\.rb$/)[0]
+end

data/lib/glue/tasks/av.rb ADDED

@@ -0,0 +1,42 @@
+# https://gist.github.com/paulspringett/8802240
+require 'glue/tasks/base_task'
+class Glue::AV < Glue::BaseTask
+  Glue::Tasks.add self
+  def initialize(trigger, tracker)
+    super(trigger,tracker)
+    @name = "AV"
+    @description = "Test for virus/malware"
+    @stage = :file
+    @labels << "filesystem"
+  end
+  def run
+    # Update AV
+    `freshclam`
+    # Run AV
+    # TODO:  Circle back and use runsystem.
+    Glue.notify "Malware/Virus Check"
+  	rootpath = @trigger.path
+	  @result=`clamscan --no-summary -i -r "#{rootpath}"`
+  end
+  def analyze
+	  list = @result.split(/\n/)
+	  list.each do |v|
+	     # v.slice! installdir
+	     Glue.notify v
+       report "Malicious file identified.", v, @name, :medium
+    end
+  end
+  def supported?
+        # TODO verify.
+  	# In future, verify tool is available.
+  	return true
+  end
+end

data/lib/glue/tasks/base_task.rb ADDED

@@ -0,0 +1,80 @@
+require 'glue/finding'
+require 'set'
+require 'digest'
+class Glue::BaseTask
+  attr_reader :findings, :warnings, :trigger, :labels
+  attr_accessor :name
+  attr_accessor :description
+  attr_accessor :stage
+  attr_accessor :appname
+  def initialize(trigger, tracker)
+    @findings = []
+    @warnings = []
+    @labels = Set.new
+    @trigger = trigger
+    @tracker = tracker
+    @severity_filter = {
+      :low => ['low','weak'],
+      :medium => ['medium','med','average'],
+      :high => ['high','severe','critical']
+    }
+  end
+  def report description, detail, source, severity, fingerprint
+    finding = Glue::Finding.new( @trigger.appname, description, detail, source, severity, fingerprint )
+    @findings << finding
+  end
+  def warn warning
+    @warnings << warning
+  end
+  def name
+    @name
+  end
+  def description
+    @description
+  end
+  def stage
+    @stage
+  end
+  def directories_with? file, exclude_dirs = []
+    exclude_dirs = @tracker.options[:exclude_dirs] if exclude_dirs == [] and @tracker.options[:exclude_dirs]
+    results = []
+    Find.find(@trigger.path) do |path|
+      if FileTest.directory? path
+        Find.prune if exclude_dirs.include? File.basename(path) or exclude_dirs.include? File.basename(path) + '/'
+        next
+      end
+      Find.prune unless File.basename(path) == file
+      results << File.dirname(path)
+    end
+    return results
+  end
+  def run
+  end
+  def analyze
+  end
+  def supported?
+  end
+  def severity sev
+    sev = '' if sev.nil?
+    return 1 if @severity_filter[:low].include?(sev.strip.chomp.downcase)
+    return 2 if @severity_filter[:medium].include?(sev.strip.chomp.downcase)
+    return 3 if @severity_filter[:high].include?(sev.strip.chomp.downcase)
+    return 0
+  end
+end

data/lib/glue/tasks/brakeman.rb ADDED

@@ -0,0 +1,58 @@
+require 'glue/tasks/base_task'
+require 'json'
+require 'glue/util'
+require 'pathname'
+class Glue::Brakeman < Glue::BaseTask
+  Glue::Tasks.add self
+  include Glue::Util
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "Brakeman"
+    @description = "Source analysis for Ruby"
+    @stage = :code
+    @labels << "code" << "ruby" << "rails"
+  end
+  def run
+    rootpath = @trigger.path
+    @result=runsystem(true, "brakeman", "-A", "-q", "-f", "json", "#{rootpath}")
+  end
+  def analyze
+    # puts @result
+    begin
+      parsed = JSON.parse(@result)
+      parsed["warnings"].each do |warning|
+        file = relative_path(warning['file'], @trigger.path)
+        detail = "#{warning['message']}\n#{warning['link']}"
+        if ! warning['line']
+          warning['line'] = "0"
+        end
+        if ! warning['code']
+          warning['code'] = ""
+        end
+        source = { :scanner => @name, :file => file, :line => warning['line'], :code => warning['code'].lstrip }
+        report warning["warning_type"], detail, source, severity(warning["confidence"]), fingerprint("#{warning['message']}#{warning['link']}#{severity(warning["confidence"])}#{source}")
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    end
+  end
+  def supported?
+    supported=runsystem(true, "brakeman", "-v")
+    if supported =~ /command not found/
+      Glue.notify "Run: gem install brakeman"
+      return false
+    else
+      return true
+    end
+  end
+end

data/lib/glue/tasks/bundle-audit.rb ADDED

@@ -0,0 +1,95 @@
+require 'glue/tasks/base_task'
+require 'json'
+require 'glue/util'
+require 'digest'
+class Glue::BundleAudit < Glue::BaseTask
+  Glue::Tasks.add self
+  include Glue::Util
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "BundleAudit"
+    @description = "Dependency Checker analysis for Ruby"
+    @stage = :code
+    @labels << "code" << "ruby"
+    @results = {}
+  end
+  def run
+    directories_with?('Gemfile.lock').each do |dir|
+      Glue.notify "#{@name} scanning: #{dir}"
+      Dir.chdir(dir) do
+        @results[dir] = runsystem(true, "bundle-audit", "check")
+      end
+    end
+  end
+  def analyze
+    # puts @result
+    begin
+      get_warnings
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.notify "Appears not to be a project with Gemfile.lock or there was another problem ... bundle-audit skipped."
+    end
+  end
+  def supported?
+    supported=runsystem(false, "bundle-audit", "update")
+    if supported =~ /command not found/
+      Glue.notify "Run: gem install bundler-audit"
+      return false
+    else
+      return true
+    end
+  end
+  private
+  def get_warnings
+    @results.each do |dir, result|
+      detail, jem, source, sev, hash = '','',{},'',''
+      result.each_line do | line |
+        if /\S/ !~ line
+          # Signal section is over.  Reset variables and report.
+          if detail != ''
+            report "Gem #{jem} has known security issues.", detail, source, sev, fingerprint(hash)
+          end
+          detail, jem, source, sev, hash = '','', {},'',''
+        end
+        name, value = line.chomp.split(':')
+        case name
+        when 'Name'
+          jem << value
+          hash << value
+        when 'Version'
+          jem << value
+          hash << value
+        when 'Advisory'
+          source = { :scanner => @name, :file => "#{relative_path(dir, @trigger.path)}/Gemfile.lock", :line => nil, :code => nil }
+          hash << value
+        when 'Criticality'
+          sev = severity(value)
+          hash << sev
+        when 'URL'
+          detail += line.chomp.split('URL:').last
+        when 'Title'
+          detail += ",#{value}"
+        when 'Solution'
+          detail += ": #{value}"
+        when 'Insecure Source URI found'
+          report "Insecure GEM Source", "#{line.chomp} - use git or https", {:scanner => @name, :file => 'Gemfile.lock', :line => nil, :code =>  nil}, severity('high'), fingerprint("bundlerauditgemsource#{line.chomp}")
+        else
+          if line =~ /\S/ and line !~ /Unpatched versions found/
+            Glue.debug "Not sure how to handle line: #{line}"
+          end
+        end
+      end
+    end
+  end
+end