owasp-glue 0.9.0

Files changed (54) hide show
  1. checksums.yaml +7 -0
  2. data/CHANGES +27 -0
  3. data/FEATURES +19 -0
  4. data/README.md +117 -0
  5. data/bin/glue +67 -0
  6. data/lib/glue.rb +317 -0
  7. data/lib/glue/event.rb +14 -0
  8. data/lib/glue/filters.rb +41 -0
  9. data/lib/glue/filters/base_filter.rb +19 -0
  10. data/lib/glue/filters/jira_one_time_filter.rb +57 -0
  11. data/lib/glue/filters/remove_all_filter.rb +16 -0
  12. data/lib/glue/filters/zap_consdensing_filter.rb +76 -0
  13. data/lib/glue/finding.rb +52 -0
  14. data/lib/glue/mounters.rb +55 -0
  15. data/lib/glue/mounters/base_mounter.rb +31 -0
  16. data/lib/glue/mounters/docker_mounter.rb +44 -0
  17. data/lib/glue/mounters/filesystem_mounter.rb +20 -0
  18. data/lib/glue/mounters/git_mounter.rb +52 -0
  19. data/lib/glue/mounters/iso_mounter.rb +42 -0
  20. data/lib/glue/mounters/url_mounter.rb +28 -0
  21. data/lib/glue/options.rb +269 -0
  22. data/lib/glue/reporters.rb +50 -0
  23. data/lib/glue/reporters/base_reporter.rb +21 -0
  24. data/lib/glue/reporters/csv_reporter.rb +19 -0
  25. data/lib/glue/reporters/jira_reporter.rb +59 -0
  26. data/lib/glue/reporters/json_reporter.rb +20 -0
  27. data/lib/glue/reporters/text_reporter.rb +19 -0
  28. data/lib/glue/scanner.rb +28 -0
  29. data/lib/glue/tasks.rb +124 -0
  30. data/lib/glue/tasks/av.rb +42 -0
  31. data/lib/glue/tasks/base_task.rb +80 -0
  32. data/lib/glue/tasks/brakeman.rb +58 -0
  33. data/lib/glue/tasks/bundle-audit.rb +95 -0
  34. data/lib/glue/tasks/checkmarx.rb +60 -0
  35. data/lib/glue/tasks/dawnscanner.rb +55 -0
  36. data/lib/glue/tasks/eslint.rb +69 -0
  37. data/lib/glue/tasks/fim.rb +60 -0
  38. data/lib/glue/tasks/findsecbugs.rb +90 -0
  39. data/lib/glue/tasks/npm.rb +58 -0
  40. data/lib/glue/tasks/nsp.rb +65 -0
  41. data/lib/glue/tasks/owasp-dep-check.rb +117 -0
  42. data/lib/glue/tasks/patterns.json +394 -0
  43. data/lib/glue/tasks/pmd.rb +63 -0
  44. data/lib/glue/tasks/retirejs.rb +107 -0
  45. data/lib/glue/tasks/scanjs-eslintrc +106 -0
  46. data/lib/glue/tasks/scanjs.rb +31 -0
  47. data/lib/glue/tasks/sfl.rb +67 -0
  48. data/lib/glue/tasks/snyk.rb +81 -0
  49. data/lib/glue/tasks/test.rb +47 -0
  50. data/lib/glue/tasks/zap.rb +99 -0
  51. data/lib/glue/tracker.rb +47 -0
  52. data/lib/glue/util.rb +36 -0
  53. data/lib/glue/version.rb +3 -0
  54. metadata +294 -0
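--- a/data/lib/glue/tasks/test.rb
+++ b/data/lib/glue/tasks/test.rb
@@ -0,0 +1,47 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+
+class Glue::Test < Glue::BaseTask
+Glue::Tasks.add self
+include Glue::Util
+
+def initialize(trigger, tracker)
+super(trigger, tracker)
+@name = "Test"
+@description = "Test"
+@stage = :code
+@labels << "code" << "ruby"
+end
+
+def run
+# Glue.notify "#{@name}"
+rootpath = @trigger.path
+Glue.debug "Rootpath: #{rootpath}"
+Dir.chdir("#{rootpath}") do
+@result= runsystem(true, "grep", "-R", "secret")
+end
+end
+
+def analyze
+begin
+list = @result.split(/\n/)
+list.each do |match|
+report "Match", match, @name, :low, "fingerprint"
+end
+rescue Exception => e
+Glue.warn e.message
+Glue.notify "Error grepping ... "
+end
+end
+
+def supported?
+supported=runsystem(true, "grep", "-h")
+if supported =~ /usage/
+Glue.notify "Install grep."
+return false
+else
+return true
+end
+end
+
+end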
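Review bot: `supported?` cannot actually report a missing grep: when the binary is absent, `Open3.popen3` inside `runsystem` raises `Errno::ENOENT` before the `/usage/` check runs, and when grep is present (GNU grep at least) its usage text goes to stderr, which `runsystem` does not return, so the branch that prints "Install grep." is effectively dead. Rescue the spawn failure instead, as below. Every match in `analyze` is reported with the literal string `"fingerprint"`; if findings are de-duplicated on that field elsewhere they will collapse into one — `Glue::Util`, included on line 6 of this file, provides `fingerprint(text)`, so `report "Match", match, @name, :low, fingerprint(match)` gives each hit its own value. `rescue Exception => e` in `analyze` (and in the same method of zap.rb in this diff) also traps Interrupt and SystemExit; `rescue StandardError => e` is the intended scope.
```ruby
def supported?
  runsystem(true, "grep", "-h")
  true
rescue Errno::ENOENT
  Glue.notify "Install grep."
  false
end
```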
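--- a/data/lib/glue/tasks/zap.rb
+++ b/data/lib/glue/tasks/zap.rb
@@ -0,0 +1,99 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+require 'json'
+require 'curb'
+require 'securerandom'
+
+class Glue::Zap < Glue::BaseTask
+
+Glue::Tasks.add self
+include Glue::Util
+
+def initialize(trigger,tracker)
+super(trigger,tracker)
+@name = "ZAP"
+@description = "App Scanning"
+@stage = :live
+@labels << "live"
+end
+
+def run
+rootpath = @trigger.path
+base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
+apikey = "#{@tracker.options[:zap_api_token]}"
+context = SecureRandom.uuid
+
+Glue.debug "Running ZAP on: #{rootpath} from #{base} with #{context}"
+
+# Create a new session so that the findings will be new.
+Curl.get("#{base}/JSON/core/action/newSession/?zapapiformat=JSON&apikey=#{apikey}&name=&overwrite=")
+
+# Set up Context
+Curl.get("#{base}/JSON/context/action/newContext/?&apikey=#{apikey}&contextName=#{context}")
+Curl.get("#{base}/JSON/context/action/includeInContext/?apikey=#{apikey}&contextName=#{context}&regex=#{rootpath}.*")
+
+# Spider
+spider = get_scan_id( Curl.get("#{base}/JSON/spider/action/scan/?apikey=#{apikey}&url=#{rootpath}&context=#{context}") )
+poll_until_100("#{base}/JSON/spider/view/status/?scanId=#{spider}")
+
+# Active Scan
+scan = get_scan_id ( Curl.get("#{base}/JSON/ascan/action/scan/?apikey=#{apikey}&recurse=true&inScopeOnly=true&url=#{rootpath}") )
+poll_until_100("#{base}/JSON/ascan/view/status/?scanId=#{scan}")
+
+# Result
+@result = Curl.get("#{base}/JSON/core/view/alerts/?baseurl=#{rootpath}").body_str
+
+# Remove Context
+Curl.get("#{base}/JSON/context/action/removeContext/?&apikey=#{apikey}&contextName=#{context}")
+end
+
+def get_scan_id(response)
+json = JSON.parse response.body_str
+return json["scan"]
+end
+
+def poll_until_100(url)
+count = 0
+loop do
+sleep 5
+status = JSON.parse(Curl.get(url).body_str)
+count = count + 1
+Glue.notify "Count ... #{count}"
+break if status["status"] == "100" or count > 100
+end
+end
+
+def analyze
+begin
+json = JSON.parse @result
+alerts = json["alerts"]
+count = 0
+alerts.each do |alert|
+count = count + 1
+description = alert["description"]
+detail = "Url: #{alert["url"]} Param: #{alert["param"]} \nReference: #{alert["reference"]}\n"+
+"Solution: #{alert["solution"]}\nCWE: #{alert["cweid"]}\tWASCID: #{alert["wascid"]}"
+source = @name + alert["url"]
+sev = severity alert["risk"]
+fingerprint = @name + alert["url"] + alert["alert"] + alert["param"]
+report description, detail, source, sev, fingerprint
+end
+Glue.debug "ZAP Identified #{count} issues."
+rescue Exception => e
+Glue.warn e.message
+Glue.notify "Problem running ZAP."
+end
+end
+
+def supported?
+base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
+supported=JSON.parse(Curl.get("#{base}/JSON/core/view/version/").body_str)
+if supported["version"] =~ /2.(4|5).\d+/
+return true
+else
+Glue.notify "Install ZAP from owasp.org and ensure that the configuration to connect is correct. Supported versions = 2.4.0 and up - got #{supported['version']}"
+return false
+end
+end
+
+end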
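Review bot: The query strings built in `run` interpolate `rootpath`, `apikey` and `context` unencoded, so a target URL containing `&`, `?`, `#` or spaces — most exposed in `regex=#{rootpath}.*` and `url=#{rootpath}` — is split into extra parameters or truncated on the ZAP side. Encode each query with the stdlib instead, e.g. `Curl.get("#{base}/JSON/spider/action/scan/?#{URI.encode_www_form(apikey: apikey, url: rootpath, context: context)}")` with `require 'uri'`, and do the same for the other six calls in this method. `poll_until_100` gives up silently after 100 iterations, so a spider or active scan that never reaches `"100"` still flows into the next step and into `analyze` as if it had completed; have it return whether the scan finished and log or abort when it did not. In `supported?` the message promises "2.4.0 and up" but `/2.(4|5).\d+/` rejects 2.6 and later (and its dots are unescaped); comparing with `Gem::Version.new(supported['version']) >= Gem::Version.new('2.4.0')` matches the message, though non-numeric version strings (e.g. daily builds) would then need a guard.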
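--- a/data/lib/glue/tracker.rb
+++ b/data/lib/glue/tracker.rb
@@ -0,0 +1,47 @@
+require 'json'
+
+class Glue::Tracker
+attr_reader :options
+attr_reader :warnings
+attr_reader :errors
+attr_reader :findings
+
+# Pass in the options.
+# Let the Tracker be the one thing that gets passed around
+# with options and collecting output.
+def initialize options
+@options = options
+@warnings = []
+@errors = []
+@findings = []
+end
+
+#Process events that
+def process event
+
+end
+
+def error error
+@errors << error
+end
+
+def warn warning
+@warnings << warning
+end
+
+def report finding
+@findings << finding
+end
+
+def to_json
+s = "{ \"findings\": [ "
+@findings.each do |finding|
+s << finding.to_json
+s << ","
+end
+s = s.slice(0,s.length-1) # One easy way to remove the last ,
+s << "] }"
+s
+
+end
+end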
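Review bot: `to_json` on line 36 takes no arguments, so embedding a Tracker in anything that goes through `JSON.generate` — which passes a state argument — raises ArgumentError; declare it `def to_json(*_args)`. The body can then drop the slice trick on line 42 (which, with no findings, strips the trailing space rather than a comma and only yields `[]` by luck): `"{ \"findings\": [ #{@findings.map(&:to_json).join(',')} ] }"`. `process` is an empty method under the cut-off comment `#Process events that`; either finish the sentence (e.g. `# Process an incoming event; currently a no-op placeholder.`) or remove both. Defining `warn` here also shadows `Kernel#warn` inside the class, so a later diagnostic `warn "..."` would silently land in `@warnings`; that deserves at least a comment on the method.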
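--- a/data/lib/glue/util.rb
+++ b/data/lib/glue/util.rb
@@ -0,0 +1,36 @@
+require 'open3'
+require 'pathname'
+require 'digest'
+require 'pry'
+
+module Glue::Util
+
+def runsystem(report, *splat)
+Open3.popen3(*splat) do |stdin, stdout, stderr, wait_thr|
+
+Thread.new do
+if $logfile and report
+while line = stderr.gets do
+$logfile.puts line
+end
+end
+end
+
+return stdout.read.chomp
+end
+end
+
+def fingerprint text
+Digest::SHA2.new(256).update(text).to_s
+end
+
+def strip_archive_path path, delimeter
+path.split(delimeter).last.split('/')[1..-1].join('/')
+end
+
+def relative_path path, pwd
+pathname = Pathname.new(path)
+return path if pathname.relative?
+pathname.relative_path_from(Pathname.new pwd)
+end
+end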
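Review bot: `require 'pry'` on line 4 pulls in a gem that the gemspec metadata in this same diff lists as `type: :development`, so an install without development dependencies raises LoadError the first time `Glue::Util` is loaded; nothing in this file uses Pry, so drop the require. In `runsystem`, stderr is drained only when `$logfile and report` holds; otherwise a child that writes more than a pipe buffer to stderr blocks while the parent blocks on `stdout.read`, and the two deadlock. Drain stderr unconditionally (discarding it when not logging) and join the reader thread before returning, as below; the block form of `popen3` already reaps the child on exit. `relative_path` returns a String in the guard case and a Pathname otherwise, which callers may not expect — `pathname.relative_path_from(Pathname.new pwd).to_s` keeps the type consistent.
```ruby
def runsystem(report, *splat)
  Open3.popen3(*splat) do |stdin, stdout, stderr, wait_thr|
    stdin.close
    # Always drain stderr so a chatty child cannot fill the pipe and block.
    drain = Thread.new do
      while line = stderr.gets
        $logfile.puts line if $logfile && report
      end
    end
    out = stdout.read.chomp
    drain.join
    out
  end
end
```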
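--- a/data/lib/glue/version.rb
+++ b/data/lib/glue/version.rb
@@ -0,0 +1,3 @@
+module Glue
+Version = "0.9.0"
+end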
metadata ADDED
@@ -0,0 +1,294 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: owasp-glue
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.9.0
5
+ platform: ruby
6
+ authors:
7
+ - Matt Konda
8
+ - Alex Lock
9
+ - Rafa Perez
10
+ autorequire:
11
+ bindir: bin
12
+ cert_chain: []
13
+ date: 2016-09-15 00:00:00.000000000 Z
14
+ dependencies:
15
+ - !ruby/object:Gem::Dependency
16
+ name: terminal-table
17
+ requirement: !ruby/object:Gem::Requirement
18
+ requirements:
19
+ - - ">="
20
+ - !ruby/object:Gem::Version
21
+ version: '1.4'
22
+ type: :runtime
23
+ prerelease: false
24
+ version_requirements: !ruby/object:Gem::Requirement
25
+ requirements:
26
+ - - ">="
27
+ - !ruby/object:Gem::Version
28
+ version: '1.4'
29
+ - !ruby/object:Gem::Dependency
30
+ name: fastercsv
31
+ requirement: !ruby/object:Gem::Requirement
32
+ requirements:
33
+ - - ">="
34
+ - !ruby/object:Gem::Version
35
+ version: '1.5'
36
+ type: :runtime
37
+ prerelease: false
38
+ version_requirements: !ruby/object:Gem::Requirement
39
+ requirements:
40
+ - - ">="
41
+ - !ruby/object:Gem::Version
42
+ version: '1.5'
43
+ - !ruby/object:Gem::Dependency
44
+ name: highline
45
+ requirement: !ruby/object:Gem::Requirement
46
+ requirements:
47
+ - - ">="
48
+ - !ruby/object:Gem::Version
49
+ version: 1.6.20
50
+ type: :runtime
51
+ prerelease: false
52
+ version_requirements: !ruby/object:Gem::Requirement
53
+ requirements:
54
+ - - ">="
55
+ - !ruby/object:Gem::Version
56
+ version: 1.6.20
57
+ - !ruby/object:Gem::Dependency
58
+ name: multi_json
59
+ requirement: !ruby/object:Gem::Requirement
60
+ requirements:
61
+ - - ">="
62
+ - !ruby/object:Gem::Version
63
+ version: '1.2'
64
+ type: :runtime
65
+ prerelease: false
66
+ version_requirements: !ruby/object:Gem::Requirement
67
+ requirements:
68
+ - - ">="
69
+ - !ruby/object:Gem::Version
70
+ version: '1.2'
71
+ - !ruby/object:Gem::Dependency
72
+ name: bundler-audit
73
+ requirement: !ruby/object:Gem::Requirement
74
+ requirements:
75
+ - - ">="
76
+ - !ruby/object:Gem::Version
77
+ version: 0.3.1
78
+ type: :runtime
79
+ prerelease: false
80
+ version_requirements: !ruby/object:Gem::Requirement
81
+ requirements:
82
+ - - ">="
83
+ - !ruby/object:Gem::Version
84
+ version: 0.3.1
85
+ - !ruby/object:Gem::Dependency
86
+ name: brakeman
87
+ requirement: !ruby/object:Gem::Requirement
88
+ requirements:
89
+ - - ">="
90
+ - !ruby/object:Gem::Version
91
+ version: 3.0.5
92
+ type: :runtime
93
+ prerelease: false
94
+ version_requirements: !ruby/object:Gem::Requirement
95
+ requirements:
96
+ - - ">="
97
+ - !ruby/object:Gem::Version
98
+ version: 3.0.5
99
+ - !ruby/object:Gem::Dependency
100
+ name: curb
101
+ requirement: !ruby/object:Gem::Requirement
102
+ requirements:
103
+ - - ">="
104
+ - !ruby/object:Gem::Version
105
+ version: 0.8.8
106
+ type: :runtime
107
+ prerelease: false
108
+ version_requirements: !ruby/object:Gem::Requirement
109
+ requirements:
110
+ - - ">="
111
+ - !ruby/object:Gem::Version
112
+ version: 0.8.8
113
+ - !ruby/object:Gem::Dependency
114
+ name: jsonpath
115
+ requirement: !ruby/object:Gem::Requirement
116
+ requirements:
117
+ - - ">="
118
+ - !ruby/object:Gem::Version
119
+ version: 0.5.7
120
+ type: :runtime
121
+ prerelease: false
122
+ version_requirements: !ruby/object:Gem::Requirement
123
+ requirements:
124
+ - - ">="
125
+ - !ruby/object:Gem::Version
126
+ version: 0.5.7
127
+ - !ruby/object:Gem::Dependency
128
+ name: nokogiri
129
+ requirement: !ruby/object:Gem::Requirement
130
+ requirements:
131
+ - - ">="
132
+ - !ruby/object:Gem::Version
133
+ version: 1.6.6.2
134
+ type: :runtime
135
+ prerelease: false
136
+ version_requirements: !ruby/object:Gem::Requirement
137
+ requirements:
138
+ - - ">="
139
+ - !ruby/object:Gem::Version
140
+ version: 1.6.6.2
141
+ - !ruby/object:Gem::Dependency
142
+ name: rake
143
+ requirement: !ruby/object:Gem::Requirement
144
+ requirements:
145
+ - - ">="
146
+ - !ruby/object:Gem::Version
147
+ version: '0'
148
+ type: :runtime
149
+ prerelease: false
150
+ version_requirements: !ruby/object:Gem::Requirement
151
+ requirements:
152
+ - - ">="
153
+ - !ruby/object:Gem::Version
154
+ version: '0'
155
+ - !ruby/object:Gem::Dependency
156
+ name: dawnscanner
157
+ requirement: !ruby/object:Gem::Requirement
158
+ requirements:
159
+ - - ">="
160
+ - !ruby/object:Gem::Version
161
+ version: 1.6.0
162
+ type: :runtime
163
+ prerelease: false
164
+ version_requirements: !ruby/object:Gem::Requirement
165
+ requirements:
166
+ - - ">="
167
+ - !ruby/object:Gem::Version
168
+ version: 1.6.0
169
+ - !ruby/object:Gem::Dependency
170
+ name: redcarpet
171
+ requirement: !ruby/object:Gem::Requirement
172
+ requirements:
173
+ - - ">="
174
+ - !ruby/object:Gem::Version
175
+ version: '0'
176
+ type: :runtime
177
+ prerelease: false
178
+ version_requirements: !ruby/object:Gem::Requirement
179
+ requirements:
180
+ - - ">="
181
+ - !ruby/object:Gem::Version
182
+ version: '0'
183
+ - !ruby/object:Gem::Dependency
184
+ name: pry
185
+ requirement: !ruby/object:Gem::Requirement
186
+ requirements:
187
+ - - ">="
188
+ - !ruby/object:Gem::Version
189
+ version: '0'
190
+ type: :development
191
+ prerelease: false
192
+ version_requirements: !ruby/object:Gem::Requirement
193
+ requirements:
194
+ - - ">="
195
+ - !ruby/object:Gem::Version
196
+ version: '0'
197
+ - !ruby/object:Gem::Dependency
198
+ name: pry-byebug
199
+ requirement: !ruby/object:Gem::Requirement
200
+ requirements:
201
+ - - ">="
202
+ - !ruby/object:Gem::Version
203
+ version: '0'
204
+ type: :development
205
+ prerelease: false
206
+ version_requirements: !ruby/object:Gem::Requirement
207
+ requirements:
208
+ - - ">="
209
+ - !ruby/object:Gem::Version
210
+ version: '0'
211
+ description: Glue detects security vulnerabilities in code.
212
+ email: matt.konda@owasp.org
213
+ executables:
214
+ - glue
215
+ extensions: []
216
+ extra_rdoc_files: []
217
+ files:
218
+ - CHANGES
219
+ - FEATURES
220
+ - README.md
221
+ - bin/glue
222
+ - lib/glue.rb
223
+ - lib/glue/event.rb
224
+ - lib/glue/filters.rb
225
+ - lib/glue/filters/base_filter.rb
226
+ - lib/glue/filters/jira_one_time_filter.rb
227
+ - lib/glue/filters/remove_all_filter.rb
228
+ - lib/glue/filters/zap_consdensing_filter.rb
229
+ - lib/glue/finding.rb
230
+ - lib/glue/mounters.rb
231
+ - lib/glue/mounters/base_mounter.rb
232
+ - lib/glue/mounters/docker_mounter.rb
233
+ - lib/glue/mounters/filesystem_mounter.rb
234
+ - lib/glue/mounters/git_mounter.rb
235
+ - lib/glue/mounters/iso_mounter.rb
236
+ - lib/glue/mounters/url_mounter.rb
237
+ - lib/glue/options.rb
238
+ - lib/glue/reporters.rb
239
+ - lib/glue/reporters/base_reporter.rb
240
+ - lib/glue/reporters/csv_reporter.rb
241
+ - lib/glue/reporters/jira_reporter.rb
242
+ - lib/glue/reporters/json_reporter.rb
243
+ - lib/glue/reporters/text_reporter.rb
244
+ - lib/glue/scanner.rb
245
+ - lib/glue/tasks.rb
246
+ - lib/glue/tasks/av.rb
247
+ - lib/glue/tasks/base_task.rb
248
+ - lib/glue/tasks/brakeman.rb
249
+ - lib/glue/tasks/bundle-audit.rb
250
+ - lib/glue/tasks/checkmarx.rb
251
+ - lib/glue/tasks/dawnscanner.rb
252
+ - lib/glue/tasks/eslint.rb
253
+ - lib/glue/tasks/fim.rb
254
+ - lib/glue/tasks/findsecbugs.rb
255
+ - lib/glue/tasks/npm.rb
256
+ - lib/glue/tasks/nsp.rb
257
+ - lib/glue/tasks/owasp-dep-check.rb
258
+ - lib/glue/tasks/patterns.json
259
+ - lib/glue/tasks/pmd.rb
260
+ - lib/glue/tasks/retirejs.rb
261
+ - lib/glue/tasks/scanjs-eslintrc
262
+ - lib/glue/tasks/scanjs.rb
263
+ - lib/glue/tasks/sfl.rb
264
+ - lib/glue/tasks/snyk.rb
265
+ - lib/glue/tasks/test.rb
266
+ - lib/glue/tasks/zap.rb
267
+ - lib/glue/tracker.rb
268
+ - lib/glue/util.rb
269
+ - lib/glue/version.rb
270
+ homepage: http://github.com/OWASP/glue
271
+ licenses:
272
+ - Apache 2
273
+ metadata: {}
274
+ post_install_message:
275
+ rdoc_options: []
276
+ require_paths:
277
+ - lib
278
+ required_ruby_version: !ruby/object:Gem::Requirement
279
+ requirements:
280
+ - - ">="
281
+ - !ruby/object:Gem::Version
282
+ version: '0'
283
+ required_rubygems_version: !ruby/object:Gem::Requirement
284
+ requirements:
285
+ - - ">="
286
+ - !ruby/object:Gem::Version
287
+ version: '0'
288
+ requirements: []
289
+ rubyforge_project:
290
+ rubygems_version: 2.5.1
291
+ signing_key:
292
+ specification_version: 4
293
+ summary: Security toolchain for software build automation.
294
+ test_files: []