RubyGems - owasp-pipeline - Versions diffs - 0.8.3 - Mend

owasp-pipeline 0.8.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

checksums.yaml +7 -0
data/CHANGES +23 -0
data/FEATURES +19 -0
data/README.md +101 -0
data/bin/pipeline +67 -0
data/lib/pipeline.rb +301 -0
data/lib/pipeline/event.rb +14 -0
data/lib/pipeline/filters.rb +41 -0
data/lib/pipeline/filters/base_filter.rb +19 -0
data/lib/pipeline/filters/jira_one_time_filter.rb +57 -0
data/lib/pipeline/filters/remove_all_filter.rb +16 -0
data/lib/pipeline/finding.rb +52 -0
data/lib/pipeline/mounters.rb +55 -0
data/lib/pipeline/mounters/base_mounter.rb +31 -0
data/lib/pipeline/mounters/docker_mounter.rb +44 -0
data/lib/pipeline/mounters/filesystem_mounter.rb +25 -0
data/lib/pipeline/mounters/git_mounter.rb +52 -0
data/lib/pipeline/mounters/iso_mounter.rb +42 -0
data/lib/pipeline/mounters/url_mounter.rb +28 -0
data/lib/pipeline/options.rb +240 -0
data/lib/pipeline/reporters.rb +50 -0
data/lib/pipeline/reporters/base_reporter.rb +21 -0
data/lib/pipeline/reporters/csv_reporter.rb +19 -0
data/lib/pipeline/reporters/jira_reporter.rb +61 -0
data/lib/pipeline/reporters/json_reporter.rb +20 -0
data/lib/pipeline/reporters/text_reporter.rb +19 -0
data/lib/pipeline/scanner.rb +28 -0
data/lib/pipeline/tasks.rb +124 -0
data/lib/pipeline/tasks/av.rb +43 -0
data/lib/pipeline/tasks/base_task.rb +64 -0
data/lib/pipeline/tasks/brakeman.rb +60 -0
data/lib/pipeline/tasks/bundle-audit.rb +93 -0
data/lib/pipeline/tasks/checkmarx.rb +62 -0
data/lib/pipeline/tasks/eslint.rb +71 -0
data/lib/pipeline/tasks/fim.rb +61 -0
data/lib/pipeline/tasks/nsp.rb +59 -0
data/lib/pipeline/tasks/owasp-dep-check.rb +120 -0
data/lib/pipeline/tasks/patterns.json +394 -0
data/lib/pipeline/tasks/retirejs.rb +106 -0
data/lib/pipeline/tasks/scanjs-eslintrc +106 -0
data/lib/pipeline/tasks/scanjs.rb +32 -0
data/lib/pipeline/tasks/sfl.rb +67 -0
data/lib/pipeline/tasks/test.rb +47 -0
data/lib/pipeline/tasks/zap.rb +84 -0
data/lib/pipeline/tracker.rb +47 -0
data/lib/pipeline/util.rb +39 -0
data/lib/pipeline/version.rb +3 -0
data/lib/zapjson.json +0 -0
metadata +205 -0

data/lib/pipeline/tasks/retirejs.rb ADDED Viewed

@@ -0,0 +1,106 @@
+require 'pipeline/tasks/base_task'
+require 'json'
+require 'pipeline/util'
+require 'jsonpath'
+require 'pathname'
+class Pipeline::RetireJS < Pipeline::BaseTask
+  Pipeline::Tasks.add self
+  include Pipeline::Util
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "RetireJS"
+    @description = "Dependency analysis for JavaScript"
+    @stage = :code
+    @labels << "code" << "javascript"
+  end
+  def run
+    rootpath = @trigger.path
+    Pipeline.debug "Retire rootpath: #{rootpath}"
+    Dir.chdir("#{rootpath}") do
+      if @tracker.options.has_key?(:npm_registry)
+        registry = "--registry #{@tracker.options[:npm_registry]}"
+      else
+        registry = nil
+      end
+      @result = `npm install --ignore-scripts #{registry}`  # Need this even though it is slow to get full dependency analysis.
+    end
+    @result = `retire -c --outputformat json --path #{rootpath} 2>&1`
+  end
+  def analyze
+    begin
+      vulnerabilities = parse_retire_json(JSON.parse(@result))
+      vulnerabilities.each do |vuln|
+        report "Package #{vuln[:package]} has known security issues", vuln[:detail], vuln[:source], vuln[:severity], fingerprint("#{vuln[:package]}#{vuln[:source]}#{vuln[:severity]}")
+      end
+    rescue Exception => e
+      Pipeline.warn e.message
+      Pipeline.warn e.backtrace
+    end
+  end
+  def parse_retire_json result
+    Pipeline.debug "Retire JSON Raw Result:  #{result}"
+    vulnerabilities = []
+    # This is very ugly, but so is the json retire.js spits out
+    # Loop through each component/version combo and pull all results for it
+    JsonPath.on(result, '$..component').uniq.each do |comp|
+      JsonPath.on(result, "$..results[?(@.component == \'#{comp}\')].version").uniq.each do |version|
+        vuln_hash = {}
+        vuln_hash[:package] = "#{comp}-#{version}"
+        version_results = JsonPath.on(result, "$..results[?(@.component == \'#{comp}\')]").select { |r| r['version'] == version }.uniq
+        # If we see the parent-->component relationship, dig through the dependency tree to try and make a dep map
+        deps = []
+        obj = version_results[0]
+        while !obj['parent'].nil?
+          deps << obj['parent']['component']
+          obj = obj['parent']
+        end
+        if deps.length > 0
+          vuln_hash[:source] = { :scanner => @name, :file => "#{deps.reverse.join('->')}->#{comp}-#{version}", :line => nil, :code => nil }
+        end
+        vuln_hash[:severity] = 'unknown'
+        # pull detail/severity
+        version_results.each do |version_result|
+          JsonPath.on(version_result, '$..vulnerabilities').uniq.each do |vuln|
+            vuln_hash[:severity] = severity(vuln[0]['severity'])
+            vuln_hash[:detail] = vuln[0]['info'].join('\n')
+          end
+        end
+        vulnerabilities << vuln_hash
+      end
+    end
+    # Loop through the separately reported 'file' findings so we can tag the source (no dep map here)
+    result.select { |r| !r['file'].nil? }.each do |file_result|
+      JsonPath.on(file_result, '$..component').uniq.each do |comp|
+        JsonPath.on(file_result, "$..results[?(@.component == \'#{comp}\')].version").uniq.each do |version|
+          source_path = Pathname.new(file_result['file']).relative_path_from Pathname.new(@trigger.path)
+          vulnerabilities.select { |v| v[:package] == "#{comp}-#{version}" }.first[:source] = { :scanner => @name, :file => source_path.to_s, :line => nil, :code => nil }
+        end
+      end
+    end
+    return vulnerabilities
+  end
+  def supported?
+    supported=runsystem(true, "retire", "--help")
+    if supported =~ /command not found/
+      Pipeline.notify "Install RetireJS"
+      return false
+    else
+      return true
+    end
+  end
+end

data/lib/pipeline/tasks/scanjs-eslintrc ADDED Viewed

@@ -0,0 +1,106 @@
+{ "ecmaFeatures" : {
+    "modules" : true
+  },
+  "env" : {
+    "browser" : true,
+    "es6" : true /** all es6 features except modules */
+  },
+  "plugins" : [
+    "scanjs-rules",
+    "no-unsafe-innerhtml"
+  ],
+  "rules" : {
+    /** useful rules from eslint **/
+    /** no-unsafe-innerhtml rule **/
+    "no-unsafe-innerhtml/no-unsafe-innerhtml" : 2,
+    /** ScanJS rules **/
+    "scanjs-rules/assign_to_hostname" : 1,
+    "scanjs-rules/assign_to_href" : 1,
+    "scanjs-rules/assign_to_location" : 1,
+    "scanjs-rules/assign_to_mozAudioChannel" : 1,
+    "scanjs-rules/assign_to_mozAudioChannelType" : 1,
+    "scanjs-rules/assign_to_onmessage" : 1,
+    "scanjs-rules/assign_to_pathname" : 1,
+    "scanjs-rules/assign_to_protocol" : 1,
+    "scanjs-rules/assign_to_search" : 1,
+    "scanjs-rules/assign_to_src" : 1,
+    "scanjs-rules/call_Function" : 1,
+    "scanjs-rules/call_addEventListener" : 1,
+    "scanjs-rules/call_addEventListener_cellbroadcastmsgchanged" : 1,
+    "scanjs-rules/call_addEventListener_deviceproximity" : 1,
+    "scanjs-rules/call_addEventListener_message" : 1,
+    "scanjs-rules/call_addEventListener_moznetworkdownload" : 1,
+    "scanjs-rules/call_addEventListener_moznetworkupload" : 1,
+    "scanjs-rules/call_connect" : 1,
+    "scanjs-rules/call_eval" : 1,
+    "scanjs-rules/call_execScript" : 1,
+    "scanjs-rules/call_generateCRMFRequest" : 1,
+    "scanjs-rules/call_getDeviceStorage_apps" : 1,
+    "scanjs-rules/call_getDeviceStorage_crashes" : 1,
+    "scanjs-rules/call_getDeviceStorage_music" : 1,
+    "scanjs-rules/call_getDeviceStorage_pictures" : 1,
+    "scanjs-rules/call_getDeviceStorage_sdcard" : 1,
+    "scanjs-rules/call_getDeviceStorage_videos" : 1,
+    "scanjs-rules/call_hide" : 1,
+    "scanjs-rules/call_mozSetMessageHandler" : 1,
+    "scanjs-rules/call_mozSetMessageHandler_activity" : 1,
+    "scanjs-rules/call_mozSetMessageHandler_wappush_received" : 1,
+    "scanjs-rules/call_open_attention" : 1,
+    "scanjs-rules/call_open_remote=true" : 1,
+    "scanjs-rules/call_parseFromString" : 1,
+    "scanjs-rules/call_setAttribute_mozapp" : 1,
+    "scanjs-rules/call_setAttribute_mozbrowser" : 1,
+    "scanjs-rules/call_setImmediate" : 1,
+    "scanjs-rules/call_setInterval" : 1,
+    "scanjs-rules/call_setMessageHandler_connect" : 1,
+    "scanjs-rules/call_setTimeout" : 1,
+    "scanjs-rules/call_write" : 1,
+    "scanjs-rules/call_writeln" : 1,
+    "scanjs-rules/identifier_indexedDB" : 1,
+    "scanjs-rules/identifier_localStorage" : 1,
+    "scanjs-rules/identifier_sessionStorage" : 1,
+    "scanjs-rules/new_Function" : 1,
+    "scanjs-rules/new_MozActivity" : 1,
+    "scanjs-rules/new_MozSpeakerManager" : 1,
+    "scanjs-rules/new_Notification" : 1,
+    "scanjs-rules/object_mozSystem" : 1,
+    "scanjs-rules/property_addIdleObserver" : 1,
+    "scanjs-rules/property_createContextualFragment" : 1,
+    "scanjs-rules/property_geolocation" : 1,
+    "scanjs-rules/property_getDataStores" : 1,
+    "scanjs-rules/property_getDeviceStorage" : 1,
+    "scanjs-rules/property_getUserMedia" : 1,
+    "scanjs-rules/property_indexedDB" : 1,
+    "scanjs-rules/property_lastKnownHomeNetwork" : 1,
+    "scanjs-rules/property_lastKnownNetwork" : 1,
+    "scanjs-rules/property_localStorage" : 1,
+    "scanjs-rules/property_mgmt" : 1,
+    "scanjs-rules/property_mozAlarms" : 1,
+    "scanjs-rules/property_mozBluetooth" : 1,
+    "scanjs-rules/property_mozCameras" : 1,
+    "scanjs-rules/property_mozCellBroadcast" : 1,
+    "scanjs-rules/property_mozContacts" : 1,
+    "scanjs-rules/property_mozDownloadManager" : 1,
+    "scanjs-rules/property_mozFMRadio" : 1,
+    "scanjs-rules/property_mozInputMethod" : 1,
+    "scanjs-rules/property_mozKeyboard" : 1,
+    "scanjs-rules/property_mozMobileConnection" : 1,
+    "scanjs-rules/property_mozMobileConnections" : 1,
+    "scanjs-rules/property_mozMobileMessage" : 1,
+    "scanjs-rules/property_mozNetworkStats" : 1,
+    "scanjs-rules/property_mozNfc" : 1,
+    "scanjs-rules/property_mozNotification" : 1,
+    "scanjs-rules/property_mozPermissionSettings" : 1,
+    "scanjs-rules/property_mozPhoneNumberService" : 1,
+    "scanjs-rules/property_mozPower" : 1,
+    "scanjs-rules/property_mozSettings" : 1,
+    "scanjs-rules/property_mozTCPSocket" : 1,
+    "scanjs-rules/property_mozTelephony" : 1,
+    "scanjs-rules/property_mozTime" : 1,
+    "scanjs-rules/property_mozVoicemail" : 1,
+    "scanjs-rules/property_mozWifiManager" : 1,
+    "scanjs-rules/property_sessionStorage" : 1
+  }
+}

data/lib/pipeline/tasks/scanjs.rb ADDED Viewed

@@ -0,0 +1,32 @@
+require 'pipeline/tasks/base_task'
+class Pipeline::ScanJS < Pipeline::BaseTask
+#  WIP
+#  Pipeline::Tasks.add self
+  def initialize(trigger, tracker)
+  	super(trigger)
+    @name = "ScanJS"
+    @description = "Source analysis for JavaScript"
+    @stage = :code
+    @labels << "code" << "javascript"
+  end
+  def run
+    Pipeline.notify "#{@name}"
+  	rootpath = @trigger.path
+	  @result=`scanner.js -t "#{rootpath}"`
+  end
+  def analyze
+    puts @result
+  end
+  def supported?
+  	# In future, verify tool is available.
+  	return true
+  end
+end

data/lib/pipeline/tasks/sfl.rb ADDED Viewed

@@ -0,0 +1,67 @@
+require 'pipeline/tasks/base_task'
+require 'json'
+require 'pipeline/util'
+require 'find'
+class Pipeline::SFL < Pipeline::BaseTask
+  Pipeline::Tasks.add self
+  include Pipeline::Util
+  def initialize(trigger, tracker)
+    super(trigger,tracker)
+    @name = "SFL"
+    @description = "Sentive Files Lookup"
+    @stage = :code
+    @labels << "code"
+    # Pipeline.debug "initialized SFL"
+    @patterns = read_patterns_file!
+  end
+  def run
+    # Pipeline.notify "#{@name}"
+    @files = Find.find(@trigger.path)
+    Pipeline.debug "Found #{@files.count} files"
+  end
+  def analyze
+    begin
+      @files.each do |file|
+        @patterns.each do |pattern|
+          case pattern['part']
+            when 'filename'
+              if pattern_matched?(File.basename(file), pattern)
+                report pattern['caption'], pattern['description'], @name + ":" + file, 'unknown', 'TBD'
+              end
+            when 'extension'
+              if pattern_matched?(File.extname(file), pattern)
+                report pattern['caption'], pattern['description'], @name + ":" + file, 'unknown', 'TBD'
+              end
+          end
+        end
+      end
+    rescue Exception => e
+      Pipeline.warn e.message
+    end
+  end
+  def supported?
+    true
+  end
+  def pattern_matched?(txt, pattrn)
+    case pattrn['type']
+      when 'match'
+        return txt == pattrn['pattern']
+      when 'regex'
+        regex = Regexp.new(pattrn['pattern'], Regexp::IGNORECASE)
+        return !regex.match(txt).nil?
+    end
+  end
+  def read_patterns_file!
+    JSON.parse(File.read("#{File.dirname(__FILE__)}/patterns.json"))
+  rescue JSON::ParserError => e
+    Pipeline.warn "Cannot parse pattern file: #{e.message}"
+  end
+end

data/lib/pipeline/tasks/test.rb ADDED Viewed

@@ -0,0 +1,47 @@
+require 'pipeline/tasks/base_task'
+require 'pipeline/util'
+class Pipeline::Test < Pipeline::BaseTask
+  Pipeline::Tasks.add self
+  include Pipeline::Util
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "Test"
+    @description = "Test"
+    @stage = :code
+    @labels << "code" << "ruby"
+  end
+  def run
+    # Pipeline.notify "#{@name}"
+    rootpath = @trigger.path
+    Pipeline.debug "Rootpath: #{rootpath}"
+    Dir.chdir("#{rootpath}") do
+      @result= runsystem(true, "grep", "-R", "secret")
+    end
+  end
+  def analyze
+    begin
+      list = @result.split(/\n/)
+      list.each do |match|
+          report "Match", match, @name, :low, "fingerprint"
+      end
+  rescue Exception => e
+      Pipeline.warn e.message
+      Pipeline.notify "Error grepping ... "
+    end
+  end
+  def supported?
+    supported=runsystem(true, "grep", "-h")
+    if supported =~ /usage/
+      Pipeline.notify "Install grep."
+      return false
+    else
+      return true
+    end
+  end
+end

data/lib/pipeline/tasks/zap.rb ADDED Viewed

@@ -0,0 +1,84 @@
+require 'pipeline/tasks/base_task'
+require 'pipeline/util'
+require 'json'
+require 'curb'
+class Pipeline::Zap < Pipeline::BaseTask
+  Pipeline::Tasks.add self
+  include Pipeline::Util
+  def initialize(trigger,tracker)
+    super(trigger,tracker)
+    @name = "ZAP"
+    @description = "App Scanning"
+    @stage = :live
+    @labels << "live"
+  end
+  def run
+    rootpath = @trigger.path
+    base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
+    Pipeline.debug "Running ZAP on: #{rootpath} from #{base}"
+    # TODO:  Add API Key
+    # TODO:  Find out if we need to worry about "contexts" stepping on each other.
+    # Spider
+    Curl.get("#{base}/JSON/spider/action/scan/?#{rootpath}")
+    poll_until_100("#{base}/JSON/spider/view/status")
+    # Active Scan
+    Curl.get("#{base}/JSON/ascan/action/scan/?recurse=true&inScopeOnly=true&url=#{rootpath}")
+    poll_until_100("#{base}/JSON/ascan/view/status/")
+    # Result
+    @result = Curl.get("#{base}/JSON/core/view/alerts/").body_str
+  end
+  def poll_until_100(url)
+    count = 0
+    loop do
+      sleep 5
+      status = JSON.parse(Curl.get(url).body_str)
+      count = count + 1
+      Pipeline.notify "Count ... #{count}"
+      break if status["status"] == "100" or count > 100
+    end
+  end
+  def analyze
+    begin
+      json = JSON.parse @result
+      alerts = json["alerts"]
+      count = 0
+      alerts.each do |alert|
+        count = count + 1
+        description = alert["description"]
+        detail = "Url: #{alert["url"]} Param: #{alert["param"]} \nReference: #{alert["reference"]}\n"+
+                 "Solution: #{alert["solution"]}\nCWE: #{alert["cweid"]}\tWASCID: #{alert["wascid"]}"
+        source = @name + alert["url"]
+        sev = severity alert["risk"]
+        fingerprint = @name + alert["url"] + alert["alert"] + alert["param"]
+        report description, detail, source, sev, fingerprint
+      end
+      Pipeline.debug "ZAP Identified #{count} issues."
+    rescue Exception => e
+      Pipeline.warn e.message
+      Pipeline.notify "Problem running ZAP."
+    end
+  end
+  def supported?
+    base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
+    supported=JSON.parse(Curl.get("#{base}/JSON/core/view/version/").body_str)
+    if supported["version"] == "2.4.3"
+      return true
+    else
+      Pipeline.notify "Install ZAP from owasp.org and ensure that the configuration to connect is correct."
+      return false
+    end
+  end
+end