owasp-glue 0.9.0

data/lib/glue/tasks/checkmarx.rb

@@ -0,0 +1,60 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+require 'nokogiri'
+
+class Glue::Checkmarx < Glue::BaseTask
+
+  # Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "Checkmarx"
+    @description = "CxSAST"
+    @stage = :code
+    @labels << "code"
+  end
+
+  def run
+    rootpath = @trigger.path
+    runsystem(true, "runCxConsole.sh", "scan", "-v",
+      "-CxUser", "#{@tracker.options[:checkmarx_user]}",
+      "-CxPassword", "#{@tracker.options[:checkmarx_password]}",
+      "-CxServer", "#{@tracker.options[:checkmarx_server]}",
+      "-LocationType", "folder",
+      "-LocationPath", "#{rootpath}",
+      "-ProjectName", "#{@tracker.options[:checkmarx_project]}",
+      "-ReportXML", "#{rootpath}checkmarx_results.xml",
+      "-Log", "#{@tracker.options[:checkmarx_log]}"
+    )
+    @results = Nokogiri::XML(File.read("#{rootpath}checkmarx_results.xml")).xpath '//Result'
+  end
+
+  def analyze
+    begin
+      @results.each do |result|
+        description = result.parent.attributes['name'].value.gsub('_', ' ')
+        detail = result.attributes['DeepLink'].value
+        source = { :scanner => @name, :file => result.attributes['FileName'].value, :line =>  result.attributes['Line'].value.to_i, :code => result.at_xpath('Path/PathNode/Snippet/Line/Code').text }
+        sev = severity(result.parent.attributes['Severity'].value)
+        fprint = fingerprint("#{description}#{source}#{sev}")
+
+        report description, detail, source, sev, fprint
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    end
+  end
+
+  def supported?
+    supported=runsystem(true, "runCxConsole.sh", "--help")
+    if supported =~ /command not found/
+      Glue.notify "Install CxConsolePlugin"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/glue/tasks/dawnscanner.rb

@@ -0,0 +1,55 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+require 'tempfile'
+
+class Glue::DawnScanner < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "DawnScanner"
+    @description = "DawnScanner ruby analyzer"
+    @stage = :code
+    @labels << "code"
+  end
+
+  def run
+    Dir.chdir("#{@trigger.path}") do
+      @results_file = Tempfile.new(['dawnresults', 'xml'])
+      runsystem(true, "dawn", "-F", "#{@results_file.path}", "-j", ".")
+      @results = JSON.parse(File.read("#{@results_file.path}"))['vulnerabilities']
+    end
+  end
+
+  def analyze
+    begin
+      @results.each do |result|
+        description = result['name'].gsub('\n',' ')
+        detail = "#{result['message']}\n#{result['remediation']}\n#{result['cve_link']}"
+        source = {:scanner => @name, :file => nil, :line => nil, :code => nil}
+        sev = severity(result['severity'])
+        fprint = fingerprint("#{description}#{detail}#{source}#{sev}")
+
+        report description, detail, source, sev, fprint
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    ensure
+      File.unlink @results_file
+    end
+  end
+
+  def supported?
+    supported=runsystem(true, "dawn", "--version")
+    if supported =~ /command not found/
+      Glue.notify "Install dawnscanner: 'gem install dawnscanner'"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/glue/tasks/eslint.rb

@@ -0,0 +1,69 @@
+require 'glue/tasks/base_task'
+require 'json'
+require 'glue/util'
+
+class Glue::ESLint < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger,tracker)
+    @name = "ESLint/ScanJS"
+    @description = "Source analysis for JavaScript"
+    @stage = :code
+    @labels << "code" << "javascript"
+  end
+
+  def run
+    rootpath = @trigger.path
+    currentpath = File.expand_path File.dirname(__FILE__)
+    Glue.debug "ESLint Config Path: #{currentpath}"
+    @result = `eslint -c #{currentpath}/scanjs-eslintrc --no-color --quiet --format json #{rootpath}`
+  end
+
+  def analyze
+    # puts @result
+    begin
+      parsed = JSON.parse(@result)
+      parsed.each do |result|
+        findings = {}
+        prints = []
+        messages = []
+        result['messages'].each do |msg|
+          message = msg['message']
+          findings[message] = {} if findings[message].nil?
+          findings[message][:detail] = msg['ruleId']
+          if messages.include?(message)
+            findings[message][:source] = "#{findings[message][:source]},#{msg['line']}" unless findings[message][:source].include?(",#{msg['line']}")
+          else
+            findings[message][:source] = "#{result['filePath']} Line: #{msg['line']}"
+            messages << message
+          end
+          findings[message][:severity] = severity(msg['severity'].to_s)
+        end
+        findings.each do |key, value|
+          print = fingerprint("#{key}#{value[:detail]}#{value[:source]}#{value[:sev]}")
+          unless prints.include?(print)
+            prints << print
+            report key, value[:detail], value[:source], value[:severity], print
+          end
+        end
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    end
+  end
+
+  def supported?
+    supported=runsystem(true, "eslint", "-c", "~/.scanjs-eslintrc")
+    if supported =~ /command not found/
+      Glue.notify "Install eslint and the scanjs .eslintrc"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/glue/tasks/fim.rb

@@ -0,0 +1,60 @@
+# https://github.com/jessek/hashdeep/releases/tag/release-4.4
+
+require 'glue/tasks/base_task'
+require 'open3'
+
+class Glue::FIM < Glue::BaseTask
+
+  Glue::Tasks.add self
+
+  def initialize(trigger, tracker)
+    super(trigger,tracker)
+    @name = "FIM"
+    @description = "File integrity monitor"
+    @stage = :file
+    @result = ''
+    @labels << "filesystem"
+  end
+
+  def run
+    rootpath = @trigger.path
+    if File.exists?("/area81/tmp/#{rootpath}/filehash")
+      Glue.notify "File Hashes found, comparing to file system"
+      cmd="hashdeep -j99 -r -a -vv -k /area81/tmp/#{rootpath}/filehash #{rootpath}"
+
+      # Ugly stdout parsing
+      r=/(.*): No match/
+      Open3.popen3(cmd) do |stdin, stdout, stderr, wait_thr|
+        while line = stdout.gets
+          if line.match r
+            @result << line
+          end
+        end
+      end
+    else
+      Glue.notify "No existing baseline - generating initial hashes"
+      cmd="mkdir -p /area81/tmp/#{rootpath}; hashdeep -j99 -r #{rootpath} > /area81/tmp/#{rootpath}/filehash"
+      Open3.popen3(cmd) do |stdin, stdout, stderr, wait_thr|
+        while line = stdout.gets
+          puts "."
+          end
+      end
+      @result = ''
+    end
+  end
+
+  def analyze
+    list = @result.split(/\n/)
+    list.each do |v|
+       # v.slice! installdir
+       Glue.notify v
+       report "File changed.", v, @name, :low
+    end
+  end
+
+  def supported?
+    # In future, verify tool is available.
+    return true
+  end
+
+end

data/lib/glue/tasks/findsecbugs.rb

@@ -0,0 +1,90 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+require 'nokogiri'
+require 'tempfile'
+require 'mkmf'
+
+MakeMakefile::Logging.instance_variable_set(:@logfile, File::NULL)
+
+class Glue::FindSecurityBugs < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "FindSecurityBugs"
+    @description = "FindSecurityBugs plugin for FindBugs"
+    @stage = :code
+    @labels << "code"
+  end
+
+  def run
+    @results_file = Tempfile.new(['findsecbugs','xml'])
+
+    unless File.exist?("#{@trigger.path}/.git/config")
+      Dir.chdir(@trigger.path) do
+        runsystem(true, "git", "init")
+        runsystem(true, "git", "add", "*")
+        runsystem(true, "git", "commit", "-am", "fake commit for mvn compile")
+      end
+    end
+
+    directories_with?('pom.xml').each do |dir|
+      Dir.chdir(dir) do
+        runsystem(true, "mvn", "compile", "-fn")
+      end
+    end
+
+    Dir.chdir(@tracker.options[:findsecbugs_path]) do
+      runsystem(true, "/bin/sh", "#{@tracker.options[:findsecbugs_path]}/findsecbugs.sh", "-effort:max", "-quiet", "-xml:withMessages", "-output", "#{@results_file.path}", "#{@trigger.path}")
+      @results = Nokogiri::XML(File.read(@results_file)).xpath '//BugInstance'
+    end
+  end
+
+  def analyze
+    begin
+      @results.each do |result|
+        description = result.xpath('ShortMessage').text
+        bug_type = result.attributes['type'].value
+        detail = "Class: #{result.at_xpath('Method').attributes['classname'].value}, Method: #{result.at_xpath('Method').attributes['name'].value}\n#{result.xpath('LongMessage').text}\nhttps://find-sec-bugs.github.io/bugs.htm##{bug_type}"
+
+        file = result.at_xpath('SourceLine').attributes['sourcepath'].value
+        trigger_path = Pathname.new(@trigger.path)
+        real_path = nil
+        trigger_path.find {|path| real_path = path if path.fnmatch "*/#{file}"}
+        file = real_path.relative_path_from(trigger_path).to_s unless real_path.nil?
+
+        line = result.at_xpath('SourceLine[@primary="true"]').attributes['start'].value
+        code = "#{result.at_xpath('String').attributes['value'].value}"
+        source = {:scanner => @name, :file => file, :line => line, :code => code}
+        sev = result.attributes['priority'].value
+        fprint = fingerprint("#{description}#{detail}#{source}")
+
+        report description, detail, source, sev, fprint
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    ensure
+      File.unlink @results_file
+    end
+  end
+
+  def supported?
+    unless find_executable0('mvn') and File.exist?("#{@trigger.path}/pom.xml")
+      Glue.notify "FindSecurityBugs support requires maven and pom.xml"
+      Glue.notify "Please install maven somewhere in your PATH and include a valid pom.xml in the project root"
+      return false
+    end
+
+    unless @tracker.options.has_key?(:findsecbugs_path) and File.exist?("#{@tracker.options[:findsecbugs_path]}/findsecbugs.sh")
+      Glue.notify "#{@tracker.options[:findsecbugs_path]}"
+      Glue.notify "Download and unpack the latest findsecbugs-cli release: https://github.com/find-sec-bugs/find-sec-bugs/releases"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/glue/tasks/npm.rb

@@ -0,0 +1,58 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+require 'find'
+require 'pry'
+
+class Glue::Npm < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "NPM"
+    @description = "Node Package Manager"
+    @stage = :file
+    @labels << "file" << "javascript"
+    @results = []
+  end
+
+  def run
+    exclude_dirs = ['node_modules','bower_components']
+    exclude_dirs = exclude_dirs.concat(@tracker.options[:exclude_dirs]).uniq if @tracker.options[:exclude_dirs]
+    directories_with?('package.json', exclude_dirs).each do |dir|
+      Glue.notify "#{@name} scanning: #{dir}"
+      Dir.chdir(dir) do
+        if @tracker.options.has_key?(:npm_registry)
+          registry = "--registry #{@tracker.options[:npm_registry]}"
+        else
+          registry = nil
+        end
+        @command = "npm install -q --ignore-scripts #{registry}"
+        @results << runsystem(true, @command)
+      end
+    end
+  end
+
+  def analyze
+    begin
+      if @results.include? false
+        Glue.warn 'Error installing javascript dependencies with #{@command}'
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    end
+  end
+
+  def supported?
+    supported = find_executable0('npm')
+    unless supported
+      Glue.notify "Install npm: https://nodejs.org/en/download/"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/glue/tasks/nsp.rb

@@ -0,0 +1,65 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+
+class Glue::NodeSecurityProject < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "NodeSecurityProject"
+    @description = "Node Security Project"
+    @stage = :code
+    @labels << "code"
+    @results = []
+  end
+
+  def run
+    exclude_dirs = ['node_modules','bower_components']
+    exclude_dirs = exclude_dirs.concat(@tracker.options[:exclude_dirs]).uniq if @tracker.options[:exclude_dirs]
+    directories_with?('package.json', exclude_dirs).each do |dir|
+      Glue.notify "#{@name} scanning: #{dir}"
+      Dir.chdir(dir) do
+        res = runsystem(true, "nsp", "check", "--output", "json")
+        @results << JSON.parse(res)
+      end
+    end
+  end
+
+  def analyze
+    begin
+      @results.each do |dir_result|
+        # This block iterates through each package name found and selects the unique nsp advisories
+        # regardless of version, and builds a Glue finding hash for each unique package/advisory combo.
+        dir_result.uniq {|finding| finding['module']}.each do |package|
+          dir_result.select {|f| f['module'] == package['module']}.uniq {|m| m['advisory']}.each do |unique_finding|
+            description = "#{unique_finding['module']} - #{unique_finding['title']}"
+            detail = "Upgrade to versions: #{unique_finding['patched_versions']}\n#{unique_finding['advisory']}"
+            source = {
+              :scanner => 'NodeSecurityProject',
+              :file => "#{unique_finding['module']} - #{unique_finding['vulnerable_versions']}",
+              :line => nil,
+              :code => nil
+            }
+            report description, detail, source, 'medium', fingerprint("#{description}#{detail}#{source}")
+          end
+        end
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    end
+  end
+
+  def supported?
+    supported=runsystem(true, "nsp", "--version")
+    if supported =~ /command not found/
+      Glue.notify "Install nodesecurity: 'npm install -g nsp'"
+      return false
+    else
+      return true
+    end
+  end
+
+end