owasp-glue 0.9.0

data/lib/glue/tasks/test.rb

@@ -0,0 +1,47 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+
+class Glue::Test < Glue::BaseTask
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "Test"
+    @description = "Test"
+    @stage = :code
+    @labels << "code" << "ruby"
+  end
+
+  def run
+    # Glue.notify "#{@name}"
+    rootpath = @trigger.path
+    Glue.debug "Rootpath: #{rootpath}"
+    Dir.chdir("#{rootpath}") do
+      @result= runsystem(true, "grep", "-R", "secret")
+    end
+  end
+
+  def analyze
+    begin
+      list = @result.split(/\n/)
+      list.each do |match|
+          report "Match", match, @name, :low, "fingerprint"
+      end
+  rescue Exception => e
+      Glue.warn e.message
+      Glue.notify "Error grepping ... "
+    end
+  end
+
+  def supported?
+    supported=runsystem(true, "grep", "-h")
+    if supported =~ /usage/
+      Glue.notify "Install grep."
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/glue/tasks/zap.rb

@@ -0,0 +1,99 @@
+require 'glue/tasks/base_task'
+require 'glue/util'
+require 'json'
+require 'curb'
+require 'securerandom'
+
+class Glue::Zap < Glue::BaseTask
+
+  Glue::Tasks.add self
+  include Glue::Util
+
+  def initialize(trigger,tracker)
+    super(trigger,tracker)
+    @name = "ZAP"
+    @description = "App Scanning"
+    @stage = :live
+    @labels << "live"
+  end
+
+  def run
+    rootpath = @trigger.path
+    base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
+    apikey = "#{@tracker.options[:zap_api_token]}"
+    context = SecureRandom.uuid
+
+    Glue.debug "Running ZAP on: #{rootpath} from #{base} with #{context}"
+
+    # Create a new session so that the findings will be new.
+    Curl.get("#{base}/JSON/core/action/newSession/?zapapiformat=JSON&apikey=#{apikey}&name=&overwrite=")
+
+    # Set up Context
+    Curl.get("#{base}/JSON/context/action/newContext/?&apikey=#{apikey}&contextName=#{context}")
+    Curl.get("#{base}/JSON/context/action/includeInContext/?apikey=#{apikey}&contextName=#{context}&regex=#{rootpath}.*")
+
+    # Spider
+    spider = get_scan_id( Curl.get("#{base}/JSON/spider/action/scan/?apikey=#{apikey}&url=#{rootpath}&context=#{context}") )
+    poll_until_100("#{base}/JSON/spider/view/status/?scanId=#{spider}")
+
+    # Active Scan
+    scan = get_scan_id ( Curl.get("#{base}/JSON/ascan/action/scan/?apikey=#{apikey}&recurse=true&inScopeOnly=true&url=#{rootpath}") )
+    poll_until_100("#{base}/JSON/ascan/view/status/?scanId=#{scan}")
+
+    # Result
+    @result = Curl.get("#{base}/JSON/core/view/alerts/?baseurl=#{rootpath}").body_str
+
+    # Remove Context
+    Curl.get("#{base}/JSON/context/action/removeContext/?&apikey=#{apikey}&contextName=#{context}")
+  end
+
+  def get_scan_id(response)
+    json = JSON.parse response.body_str
+    return json["scan"]
+  end
+
+  def poll_until_100(url)
+    count = 0
+    loop do
+      sleep 5
+      status = JSON.parse(Curl.get(url).body_str)
+      count = count + 1
+      Glue.notify "Count ... #{count}"
+      break if status["status"] == "100" or count > 100
+    end
+  end
+
+  def analyze
+    begin
+      json = JSON.parse @result
+      alerts = json["alerts"]
+      count = 0
+      alerts.each do |alert|
+        count = count + 1
+        description = alert["description"]
+        detail = "Url: #{alert["url"]} Param: #{alert["param"]} \nReference: #{alert["reference"]}\n"+
+                 "Solution: #{alert["solution"]}\nCWE: #{alert["cweid"]}\tWASCID: #{alert["wascid"]}"
+        source = @name + alert["url"]
+        sev = severity alert["risk"]
+        fingerprint = @name + alert["url"] + alert["alert"] + alert["param"]
+        report description, detail, source, sev, fingerprint
+      end
+      Glue.debug "ZAP Identified #{count} issues."
+    rescue Exception => e
+      Glue.warn e.message
+      Glue.notify "Problem running ZAP."
+    end
+  end
+
+  def supported?
+    base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
+    supported=JSON.parse(Curl.get("#{base}/JSON/core/view/version/").body_str)
+    if supported["version"] =~ /2.(4|5).\d+/
+      return true
+    else
+      Glue.notify "Install ZAP from owasp.org and ensure that the configuration to connect is correct.  Supported versions = 2.4.0 and up - got #{supported['version']}"
+      return false
+    end
+  end
+
+end

data/lib/glue/tracker.rb

@@ -0,0 +1,47 @@
+require 'json'
+
+class Glue::Tracker
+  attr_reader :options
+  attr_reader :warnings
+  attr_reader :errors
+  attr_reader :findings
+
+  # Pass in the options.
+  # Let the Tracker be the one thing that gets passed around
+  # with options and collecting output.
+  def initialize options
+    @options = options
+    @warnings = []
+    @errors = []
+    @findings = []
+  end
+
+  #Process events that
+  def process event
+
+  end
+
+  def error error
+    @errors << error
+  end
+
+  def warn warning
+    @warnings << warning
+  end
+
+  def report finding
+    @findings << finding
+  end
+
+  def to_json
+    s = "{ \"findings\": [ "
+    @findings.each do |finding|
+      s << finding.to_json
+      s << ","
+    end
+    s = s.slice(0,s.length-1) # One easy way to remove the last ,
+    s << "] }"
+    s
+
+  end
+end

data/lib/glue/util.rb

@@ -0,0 +1,36 @@
+require 'open3'
+require 'pathname'
+require 'digest'
+require 'pry'
+
+module Glue::Util
+
+  def runsystem(report, *splat)
+    Open3.popen3(*splat) do |stdin, stdout, stderr, wait_thr|
+
+      Thread.new do
+        if $logfile and report
+          while line = stderr.gets do
+            $logfile.puts line
+          end
+        end
+      end
+
+      return stdout.read.chomp
+    end
+  end
+
+  def fingerprint text
+    Digest::SHA2.new(256).update(text).to_s
+  end
+
+  def strip_archive_path path, delimeter
+    path.split(delimeter).last.split('/')[1..-1].join('/')
+  end
+
+  def relative_path path, pwd
+    pathname = Pathname.new(path)
+    return path if pathname.relative?
+    pathname.relative_path_from(Pathname.new pwd)
+  end
+end

data/lib/glue/version.rb

@@ -0,0 +1,3 @@
+module Glue
+  Version = "0.9.0"
+end

metadata

@@ -0,0 +1,294 @@
+--- !ruby/object:Gem::Specification
+name: owasp-glue
+version: !ruby/object:Gem::Version
+  version: 0.9.0
+platform: ruby
+authors:
+- Matt Konda
+- Alex Lock
+- Rafa Perez
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-09-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: terminal-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: fastercsv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.20
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.20
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.1
+- !ruby/object:Gem::Dependency
+  name: brakeman
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.5
+- !ruby/object:Gem::Dependency
+  name: curb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.8
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.8
+- !ruby/object:Gem::Dependency
+  name: jsonpath
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.5.7
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.5.7
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.6.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.6.2
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dawnscanner
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+- !ruby/object:Gem::Dependency
+  name: redcarpet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Glue detects security vulnerabilities in code.
+email: matt.konda@owasp.org
+executables:
+- glue
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGES
+- FEATURES
+- README.md
+- bin/glue
+- lib/glue.rb
+- lib/glue/event.rb
+- lib/glue/filters.rb
+- lib/glue/filters/base_filter.rb
+- lib/glue/filters/jira_one_time_filter.rb
+- lib/glue/filters/remove_all_filter.rb
+- lib/glue/filters/zap_consdensing_filter.rb
+- lib/glue/finding.rb
+- lib/glue/mounters.rb
+- lib/glue/mounters/base_mounter.rb
+- lib/glue/mounters/docker_mounter.rb
+- lib/glue/mounters/filesystem_mounter.rb
+- lib/glue/mounters/git_mounter.rb
+- lib/glue/mounters/iso_mounter.rb
+- lib/glue/mounters/url_mounter.rb
+- lib/glue/options.rb
+- lib/glue/reporters.rb
+- lib/glue/reporters/base_reporter.rb
+- lib/glue/reporters/csv_reporter.rb
+- lib/glue/reporters/jira_reporter.rb
+- lib/glue/reporters/json_reporter.rb
+- lib/glue/reporters/text_reporter.rb
+- lib/glue/scanner.rb
+- lib/glue/tasks.rb
+- lib/glue/tasks/av.rb
+- lib/glue/tasks/base_task.rb
+- lib/glue/tasks/brakeman.rb
+- lib/glue/tasks/bundle-audit.rb
+- lib/glue/tasks/checkmarx.rb
+- lib/glue/tasks/dawnscanner.rb
+- lib/glue/tasks/eslint.rb
+- lib/glue/tasks/fim.rb
+- lib/glue/tasks/findsecbugs.rb
+- lib/glue/tasks/npm.rb
+- lib/glue/tasks/nsp.rb
+- lib/glue/tasks/owasp-dep-check.rb
+- lib/glue/tasks/patterns.json
+- lib/glue/tasks/pmd.rb
+- lib/glue/tasks/retirejs.rb
+- lib/glue/tasks/scanjs-eslintrc
+- lib/glue/tasks/scanjs.rb
+- lib/glue/tasks/sfl.rb
+- lib/glue/tasks/snyk.rb
+- lib/glue/tasks/test.rb
+- lib/glue/tasks/zap.rb
+- lib/glue/tracker.rb
+- lib/glue/util.rb
+- lib/glue/version.rb
+homepage: http://github.com/OWASP/glue
+licenses:
+- Apache 2
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Security toolchain for software build automation.
+test_files: []