owasp-glue 0.9.0

data/lib/glue/tasks/pmd.rb

@@ -0,0 +1,63 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+require 'nokogiri'
+require 'pathname'
+
+class Glue::PMD < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "PMD"
+    @description = "PMD Source Code Analyzer"
+    @stage = :code
+    @labels << "code"
+  end
+
+  def run
+    @tracker.options[:pmd_checks] ||= "java-basic,java-sunsecure"
+    Dir.chdir @tracker.options[:pmd_path] do
+      @results = Nokogiri::XML(runsystem(true,'bin/run.sh', 'pmd', '-d', "#{@trigger.path}", '-f', 'xml', '-R', "#{@tracker.options[:pmd_checks]}")).xpath('//file')
+    end
+  end
+
+  def analyze
+    begin
+      @results.each do |result|
+        attributes = result.at_xpath('violation').attributes
+        description = result.children.children.to_s.strip
+        detail = "Ruleset: #{attributes['ruleset']}"
+        source = {:scanner => @name, :file => result.attributes['name'].to_s.split(Pathname.new(@trigger.path).cleanpath.to_s)[1][1..-1], :line => attributes['beginline'].to_s, :code => "package: #{attributes['package'].to_s}\nclass: #{attributes['class'].to_s}\nmethod: #{attributes['method'].to_s}" }
+        case attributes['priority'].value.to_i
+        when 3
+          sev = 1
+        when 2
+          sev = 2
+        when 1
+          sev = 3
+        else
+          sev = 0
+        end
+        fprint = fingerprint("#{description}#{detail}#{source}#{sev}")
+
+        report description, detail, source, sev, fprint
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    end
+  end
+
+  def supported?
+    unless @tracker.options.has_key?(:pmd_path) and File.exist?("#{@tracker.options[:pmd_path]}/bin/run.sh")
+      Glue.notify "#{@tracker.options[:pmd_path]}"
+      Glue.notify "Install PMD from: https://pmd.github.io/"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/glue/tasks/retirejs.rb

@@ -0,0 +1,107 @@
+require 'glue/tasks/base_task'
+require 'json'
+require 'glue/util'
+require 'jsonpath'
+require 'pathname'
+require 'pry'
+
+class Glue::RetireJS < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "RetireJS"
+    @description = "Dependency analysis for JavaScript"
+    @stage = :code
+    @labels << "code" << "javascript"
+    @results = []
+  end
+
+  def run
+    exclude_dirs = ['node_modules','bower_components']
+    exclude_dirs = exclude_dirs.concat(@tracker.options[:exclude_dirs]).uniq if @tracker.options[:exclude_dirs]
+    directories_with?('package.json', exclude_dirs).each do |dir|
+      Glue.notify "#{@name} scanning: #{dir}"
+      @results << runsystem(false, 'retire', '-c', '--outputformat', 'json', '--path', "#{dir}")
+    end
+  end
+
+  def analyze
+    begin
+      @results.each do |result|
+        parsed_json = JSON.parse(result)
+        vulnerabilities = parse_retire_json(parsed_json) if parsed_json
+
+        vulnerabilities.each do |vuln|
+          report "Package #{vuln[:package]} has known security issues", vuln[:detail], vuln[:source], vuln[:severity], fingerprint("#{vuln[:package]}#{vuln[:source]}#{vuln[:severity]}")
+        end
+      end
+    rescue JSON::ParserError => e
+      Glue.debug e.message
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    end
+  end
+
+  def parse_retire_json result
+    Glue.debug "Retire JSON Raw Result:  #{result}"
+    vulnerabilities = []
+    # This is very ugly, but so is the json retire.js spits out
+    # Loop through each component/version combo and pull all results for it
+    JsonPath.on(result, '$..component').uniq.each do |comp|
+      JsonPath.on(result, "$..results[?(@.component == \'#{comp}\')].version").uniq.each do |version|
+        vuln_hash = {}
+        vuln_hash[:package] = "#{comp}-#{version}"
+
+        version_results = JsonPath.on(result, "$..results[?(@.component == \'#{comp}\')]").select { |r| r['version'] == version }.uniq
+
+        # If we see the parent-->component relationship, dig through the dependency tree to try and make a dep map
+        deps = []
+        obj = version_results[0]
+        while !obj['parent'].nil?
+          deps << obj['parent']['component']
+          obj = obj['parent']
+        end
+        if deps.length > 0
+          vuln_hash[:source] = { :scanner => @name, :file => "#{deps.reverse.join('->')}->#{comp}-#{version}", :line => nil, :code => nil }
+        end
+
+        vuln_hash[:severity] = 'unknown'
+        # pull detail/severity
+        version_results.each do |version_result|
+          JsonPath.on(version_result, '$..vulnerabilities').uniq.each do |vuln|
+            vuln_hash[:severity] = severity(vuln[0]['severity'])
+            vuln_hash[:detail] = vuln[0]['info'].join('\n')
+          end
+        end
+
+        vulnerabilities << vuln_hash
+      end
+    end
+
+    # Loop through the separately reported 'file' findings so we can tag the source (no dep map here)
+    result.select { |r| !r['file'].nil? }.each do |file_result|
+      JsonPath.on(file_result, '$..component').uniq.each do |comp|
+        JsonPath.on(file_result, "$..results[?(@.component == \'#{comp}\')].version").uniq.each do |version|
+          source_path = relative_path(file_result['file'], @trigger.path)
+          vulnerabilities.select { |v| v[:package] == "#{comp}-#{version}" }.first[:source] = { :scanner => @name, :file => source_path.to_s, :line => nil, :code => nil }
+        end
+      end
+    end
+    return vulnerabilities
+  end
+
+  def supported?
+    supported=runsystem(false, "retire", "--help")
+    if supported =~ /command not found/
+      Glue.notify "Install RetireJS"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/glue/tasks/scanjs-eslintrc

@@ -0,0 +1,106 @@
+{ "ecmaFeatures" : {
+    "modules" : true
+  },
+  "env" : {
+    "browser" : true,
+    "es6" : true /** all es6 features except modules */
+  },
+  "plugins" : [
+    "scanjs-rules",
+    "no-unsafe-innerhtml"
+  ],
+  "rules" : {
+    /** useful rules from eslint **/
+
+    /** no-unsafe-innerhtml rule **/
+    "no-unsafe-innerhtml/no-unsafe-innerhtml" : 2,
+
+    /** ScanJS rules **/
+    "scanjs-rules/assign_to_hostname" : 1,
+    "scanjs-rules/assign_to_href" : 1,
+    "scanjs-rules/assign_to_location" : 1,
+    "scanjs-rules/assign_to_mozAudioChannel" : 1,
+    "scanjs-rules/assign_to_mozAudioChannelType" : 1,
+    "scanjs-rules/assign_to_onmessage" : 1,
+    "scanjs-rules/assign_to_pathname" : 1,
+    "scanjs-rules/assign_to_protocol" : 1,
+    "scanjs-rules/assign_to_search" : 1,
+    "scanjs-rules/assign_to_src" : 1,
+    "scanjs-rules/call_Function" : 1,
+    "scanjs-rules/call_addEventListener" : 1,
+    "scanjs-rules/call_addEventListener_cellbroadcastmsgchanged" : 1,
+    "scanjs-rules/call_addEventListener_deviceproximity" : 1,
+    "scanjs-rules/call_addEventListener_message" : 1,
+    "scanjs-rules/call_addEventListener_moznetworkdownload" : 1,
+    "scanjs-rules/call_addEventListener_moznetworkupload" : 1,
+    "scanjs-rules/call_connect" : 1,
+    "scanjs-rules/call_eval" : 1,
+    "scanjs-rules/call_execScript" : 1,
+    "scanjs-rules/call_generateCRMFRequest" : 1,
+    "scanjs-rules/call_getDeviceStorage_apps" : 1,
+    "scanjs-rules/call_getDeviceStorage_crashes" : 1,
+    "scanjs-rules/call_getDeviceStorage_music" : 1,
+    "scanjs-rules/call_getDeviceStorage_pictures" : 1,
+    "scanjs-rules/call_getDeviceStorage_sdcard" : 1,
+    "scanjs-rules/call_getDeviceStorage_videos" : 1,
+    "scanjs-rules/call_hide" : 1,
+    "scanjs-rules/call_mozSetMessageHandler" : 1,
+    "scanjs-rules/call_mozSetMessageHandler_activity" : 1,
+    "scanjs-rules/call_mozSetMessageHandler_wappush_received" : 1,
+    "scanjs-rules/call_open_attention" : 1,
+    "scanjs-rules/call_open_remote=true" : 1,
+    "scanjs-rules/call_parseFromString" : 1,
+    "scanjs-rules/call_setAttribute_mozapp" : 1,
+    "scanjs-rules/call_setAttribute_mozbrowser" : 1,
+    "scanjs-rules/call_setImmediate" : 1,
+    "scanjs-rules/call_setInterval" : 1,
+    "scanjs-rules/call_setMessageHandler_connect" : 1,
+    "scanjs-rules/call_setTimeout" : 1,
+    "scanjs-rules/call_write" : 1,
+    "scanjs-rules/call_writeln" : 1,
+    "scanjs-rules/identifier_indexedDB" : 1,
+    "scanjs-rules/identifier_localStorage" : 1,
+    "scanjs-rules/identifier_sessionStorage" : 1,
+    "scanjs-rules/new_Function" : 1,
+    "scanjs-rules/new_MozActivity" : 1,
+    "scanjs-rules/new_MozSpeakerManager" : 1,
+    "scanjs-rules/new_Notification" : 1,
+    "scanjs-rules/object_mozSystem" : 1,
+    "scanjs-rules/property_addIdleObserver" : 1,
+    "scanjs-rules/property_createContextualFragment" : 1,
+    "scanjs-rules/property_geolocation" : 1,
+    "scanjs-rules/property_getDataStores" : 1,
+    "scanjs-rules/property_getDeviceStorage" : 1,
+    "scanjs-rules/property_getUserMedia" : 1,
+    "scanjs-rules/property_indexedDB" : 1,
+    "scanjs-rules/property_lastKnownHomeNetwork" : 1,
+    "scanjs-rules/property_lastKnownNetwork" : 1,
+    "scanjs-rules/property_localStorage" : 1,
+    "scanjs-rules/property_mgmt" : 1,
+    "scanjs-rules/property_mozAlarms" : 1,
+    "scanjs-rules/property_mozBluetooth" : 1,
+    "scanjs-rules/property_mozCameras" : 1,
+    "scanjs-rules/property_mozCellBroadcast" : 1,
+    "scanjs-rules/property_mozContacts" : 1,
+    "scanjs-rules/property_mozDownloadManager" : 1,
+    "scanjs-rules/property_mozFMRadio" : 1,
+    "scanjs-rules/property_mozInputMethod" : 1,
+    "scanjs-rules/property_mozKeyboard" : 1,
+    "scanjs-rules/property_mozMobileConnection" : 1,
+    "scanjs-rules/property_mozMobileConnections" : 1,
+    "scanjs-rules/property_mozMobileMessage" : 1,
+    "scanjs-rules/property_mozNetworkStats" : 1,
+    "scanjs-rules/property_mozNfc" : 1,
+    "scanjs-rules/property_mozNotification" : 1,
+    "scanjs-rules/property_mozPermissionSettings" : 1,
+    "scanjs-rules/property_mozPhoneNumberService" : 1,
+    "scanjs-rules/property_mozPower" : 1,
+    "scanjs-rules/property_mozSettings" : 1,
+    "scanjs-rules/property_mozTCPSocket" : 1,
+    "scanjs-rules/property_mozTelephony" : 1,
+    "scanjs-rules/property_mozTime" : 1,
+    "scanjs-rules/property_mozVoicemail" : 1,
+    "scanjs-rules/property_mozWifiManager" : 1,
+    "scanjs-rules/property_sessionStorage" : 1
+  }
+}

data/lib/glue/tasks/scanjs.rb

@@ -0,0 +1,31 @@
+require 'glue/tasks/base_task'
+
+class Glue::ScanJS < Glue::BaseTask
+
+#  WIP
+#  Glue::Tasks.add self
+
+  def initialize(trigger, tracker)
+  	super(trigger)
+    @name = "ScanJS"
+    @description = "Source analysis for JavaScript"
+    @stage = :code
+    @labels << "code" << "javascript"
+  end
+
+  def run
+    Glue.notify "#{@name}"
+  	rootpath = @trigger.path
+	  @result=`scanner.js -t "#{rootpath}"`
+  end
+
+  def analyze
+    puts @result
+  end
+
+  def supported?
+  	# In future, verify tool is available.
+  	return true
+  end
+
+end

data/lib/glue/tasks/sfl.rb

@@ -0,0 +1,67 @@
+require 'glue/tasks/base_task'
+require 'json'
+require 'glue/util'
+require 'find'
+
+class Glue::SFL < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger,tracker)
+    @name = "SFL"
+    @description = "Sentive Files Lookup"
+    @stage = :code
+    @labels << "code"
+    # Glue.debug "initialized SFL"
+    @patterns = read_patterns_file!
+  end
+
+  def run
+    # Glue.notify "#{@name}"
+    @files = Find.find(@trigger.path)
+    Glue.debug "Found #{@files.count} files"
+  end
+
+  def analyze
+    begin
+      @files.each do |file|
+        @patterns.each do |pattern|
+          case pattern['part']
+            when 'filename'
+              if pattern_matched?(File.basename(file), pattern)
+                report pattern['caption'], pattern['description'], @name + ":" + file, 'unknown', 'TBD'
+              end
+            when 'extension'
+              if pattern_matched?(File.extname(file), pattern)
+                report pattern['caption'], pattern['description'], @name + ":" + file, 'unknown', 'TBD'
+              end
+          end
+        end
+      end
+    rescue Exception => e
+      Glue.warn e.message
+    end
+  end
+
+  def supported?
+    true
+  end
+
+  def pattern_matched?(txt, pattrn)
+    case pattrn['type']
+      when 'match'
+        return txt == pattrn['pattern']
+      when 'regex'
+        regex = Regexp.new(pattrn['pattern'], Regexp::IGNORECASE)
+        return !regex.match(txt).nil?
+    end
+  end
+
+  def read_patterns_file!
+    JSON.parse(File.read("#{File.dirname(__FILE__)}/patterns.json"))
+  rescue JSON::ParserError => e
+    Glue.warn "Cannot parse pattern file: #{e.message}"
+  end
+end

data/lib/glue/tasks/snyk.rb

@@ -0,0 +1,81 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+require 'redcarpet'
+
+class Glue::Snyk < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "Snyk"
+    @description = "Snyk.io JS dependency checker"
+    @stage = :code
+    @labels << "code" << "javascript"
+    @results = []
+  end
+
+  def run
+    exclude_dirs = ['node_modules','bower_components']
+    exclude_dirs = exclude_dirs.concat(@tracker.options[:exclude_dirs]).uniq if @tracker.options[:exclude_dirs]
+    directories_with?('package.json', exclude_dirs).each do |dir|
+      Glue.notify "#{@name} scanning: #{dir}"
+      Dir.chdir(dir) do
+        @results << JSON.parse(runsystem(true, "snyk", "test", "--json"))["vulnerabilities"]
+      end
+    end
+  end
+
+  def analyze
+    begin
+      markdown = Redcarpet::Markdown.new Redcarpet::Render::HTML.new(link_attributes: {target: "_blank"}), autolink: true, tables: true
+
+      @results.each do |dir_result|
+        # We build a single finding for each uniq result ID, adding the unique info (upgrade path and files) as a list
+        dir_result.uniq {|r| r['id']}.each do |result|
+          description = "#{result['name']}@#{result['version']} - #{result['title']}"
+
+          # Use Redcarpet to render the Markdown details to something pretty for web display
+          detail = markdown.render(result['description']).gsub('h2>','strong>').gsub('h3>', 'strong>')
+          upgrade_paths = [ "Upgrade Path:\n" ]
+          files = []
+
+          # Pull the list of files and upgrade paths from all results matching this ID
+          # This uses the same form as the retirejs task so it all looks nice together
+          dir_result.select{|r| r['id'] == result['id']}.each do |res|
+            res['upgradePath'].each_with_index do |upgrade, i|
+              upgrade_paths << "#{res['from'][i]} -> #{upgrade}"
+            end
+            files << res['from'].join('->')
+          end
+
+          source = {
+            :scanner => @name,
+            :file => files.join('<br>'),
+            :line => nil,
+            :code => upgrade_paths.uniq.join("\n"),
+          }
+          sev = severity(result['severity'])
+          fprint = fingerprint("#{description}#{detail}#{source}#{sev}")
+
+          report description, detail, source, sev, fprint
+        end
+      end
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.warn e.backtrace
+    end
+  end
+
+  def supported?
+    supported = find_executable0('snyk')
+    unless supported
+      Glue.notify "Install Snyk: 'npm install -g snyk'"
+      return false
+    else
+      return true
+    end
+  end
+
+end