owasp-pipeline 0.8.3 → 0.8.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c19bcf63e27cbc2579358e2f581943797d31b056
-  data.tar.gz: 4b1daacd45d7dcb1d5bad0643da0b9c9cf8e93ad
+  metadata.gz: bf5efee842fff5ee62a05d074fe47d057bc0dd1d
+  data.tar.gz: 417d5379d1b73b82a0a20561d5d78d50e907c020
 SHA512:
-  metadata.gz: cf4edf3934d7f2b596bc6baf3c1e85449100026b86aec1fcb690723a8f4cb2f48c2e3a974c7b79ec478384970501c1f8413ed7a4743f1e5087f922cb8571a06e
-  data.tar.gz: c7cdbd7eaf00185447d5fbb2ebf042f4c68cdfa15ef10547bd923b98d8373a736b69b3c48cc030728f05164502852e07a7eaad6a38f7660bd17e7db77c91b1f5
+  metadata.gz: 5c44a4dc6c22acacac6b6d3a4b6197da7427ed3373341b28f2c4b1d01064b9d7d3357ae59c9a4020bf7fc2bb462d913db3f353038bbed328d556f427c7d68c12
+  data.tar.gz: 4a8f15ac36f2533638c0d8fc2d695168bc6bfa3bac7e3d41429b712d6e2b2618cd8b7c068f5b9d5140eaaaab9b9694e3e7100aad1a522e5fb75eefb3780a1206

data/lib/pipeline/mounters/filesystem_mounter.rb

@@ -2,7 +2,7 @@ require 'pipeline/mounters/base_mounter'
 
 class Pipeline::FileSystemMounter < Pipeline::BaseMounter
   Pipeline::Mounters.add self
-  
+
   def initialize trigger, options
     super(trigger)
     @options = options
@@ -15,11 +15,6 @@ class Pipeline::FileSystemMounter < Pipeline::BaseMounter
   end
 
   def supports? target
-    last = target.slice(-1)
-    if last === "/" or last === "."
-      return true
-    else
-      return false
-    end
+    File.directory? target
   end
 end

data/lib/pipeline/options.rb

@@ -190,6 +190,24 @@ module Pipeline::Options
           options[:checkmarx_project] = project
         end
 
+        opts.separator ""
+        opts.separator "PMD options:"
+
+        opts.on "--pmd-path PATH", "The full path to the base PMD directory" do |dir|
+          options[:pmd_path] = dir
+        end
+
+        opts.on "--pmd-checks CHECK1,CHECK2", "The list of checks passed to PMD run.sh -R, default: 'java-basic,java-sunsecure'" do |checks|
+          options[:pmd_checks] = checks
+        end
+
+        opts.separator ""
+        opts.separator "FindSecurityBugs options:"
+
+        opts.on "--findsecbugs-path PATH", "The full path to the base FindSecurityBugs directory" do |dir|
+          options[:findsecbugs_path] = dir
+        end
+
         opts.separator ""
         opts.separator "Configuration files:"
 

data/lib/pipeline/tasks/checkmarx.rb

@@ -1,6 +1,6 @@
 require 'pipeline/tasks/base_task'
 require 'pipeline/util'
-# require 'nokogiri'
+require 'nokogiri'
 
 class Pipeline::Checkmarx < Pipeline::BaseTask
 
@@ -28,7 +28,7 @@ class Pipeline::Checkmarx < Pipeline::BaseTask
       "-ReportXML", "#{rootpath}checkmarx_results.xml",
       "-Log", "#{@tracker.options[:checkmarx_log]}"
     )
-    # @results = Nokogiri::XML(File.read("#{rootpath}checkmarx_results.xml")).xpath '//Result'
+    @results = Nokogiri::XML(File.read("#{rootpath}checkmarx_results.xml")).xpath '//Result'
   end
 
   def analyze
@@ -38,9 +38,9 @@ class Pipeline::Checkmarx < Pipeline::BaseTask
         detail = result.attributes['DeepLink'].value
         source = { :scanner => @name, :file => result.attributes['FileName'].value, :line =>  result.attributes['Line'].value.to_i, :code => result.at_xpath('Path/PathNode/Snippet/Line/Code').text }
         sev = severity(result.parent.attributes['Severity'].value)
-        print = fingerprint("#{description}#{source}#{sev}")
+        fprint = fingerprint("#{description}#{source}#{sev}")
 
-        report description, detail, source, sev, print
+        report description, detail, source, sev, fprint
       end
     rescue Exception => e
       Pipeline.warn e.message
@@ -59,4 +59,3 @@ class Pipeline::Checkmarx < Pipeline::BaseTask
   end
 
 end
-

data/lib/pipeline/tasks/dawnscanner.rb

@@ -0,0 +1,56 @@
+require 'pipeline/tasks/base_task'
+require 'pipeline/util'
+require 'tempfile'
+
+class Pipeline::DawnScanner < Pipeline::BaseTask
+
+  Pipeline::Tasks.add self
+  include Pipeline::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "DawnScanner"
+    @description = "DawnScanner ruby analyzer"
+    @stage = :code
+    @labels << "code"
+  end
+
+  def run
+    Pipeline.notify "#{@name}"
+    Dir.chdir("#{@trigger.path}") do
+      @results_file = Tempfile.new(['dawnresults', 'xml'])
+      runsystem(true, "dawn", "-F", "#{@results_file.path}", "-j", ".")
+      @results = JSON.parse(File.read("#{@results_file.path}"))['vulnerabilities']
+    end
+  end
+
+  def analyze
+    begin
+      @results.each do |result|
+        description = result['name'].gsub('\n',' ')
+        detail = "#{result['message']}\n#{result['remediation']}\n#{result['cve_link']}"
+        source = {:scanner => @name, :file => nil, :line => nil, :code => nil}
+        sev = severity(result['severity'])
+        fprint = fingerprint("#{description}#{detail}#{source}#{sev}")
+
+        report description, detail, source, sev, fprint
+      end
+    rescue Exception => e
+      Pipeline.warn e.message
+      Pipeline.warn e.backtrace
+    ensure
+      File.unlink @results_file
+    end
+  end
+
+  def supported?
+    supported=runsystem(true, "dawn", "--version")
+    if supported =~ /command not found/
+      Pipeline.notify "Install dawnscanner: 'gem install dawnscanner'"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/pipeline/tasks/findsecbugs.rb

@@ -0,0 +1,81 @@
+require 'pipeline/tasks/base_task'
+require 'pipeline/util'
+require 'nokogiri'
+require 'tempfile'
+require 'mkmf'
+
+MakeMakefile::Logging.instance_variable_set(:@logfile, File::NULL)
+
+class Pipeline::FindSecurityBugs < Pipeline::BaseTask
+
+  Pipeline::Tasks.add self
+  include Pipeline::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "FindSecurityBugs"
+    @description = "FindSecurityBugs plugin for FindBugs"
+    @stage = :code
+    @labels << "code"
+  end
+
+  def run
+    Pipeline.notify "#{@name}"
+    @results_file = Tempfile.new(['findsecbugs','xml'])
+
+    Dir.chdir("#{@trigger.path}") do
+      runsystem(true, "mvn", "compile", "-fn")
+    end
+
+    Dir.chdir("#{@tracker.options[:findsecbugs_path]}") do
+      runsystem(true, "/bin/sh", "#{@tracker.options[:findsecbugs_path]}/findsecbugs.sh", "-effort:max", "-quiet", "-xml:withMessages", "-output", "#{@results_file.path}", "#{@trigger.path}")
+      @results = Nokogiri::XML(File.read(@results_file)).xpath '//BugInstance'
+    end
+  end
+
+  def analyze
+    begin
+      @results.each do |result|
+        description = result.xpath('ShortMessage').text
+        bug_type = result.attributes['type'].value
+        detail = "Class: #{result.at_xpath('Method').attributes['classname'].value}, Method: #{result.at_xpath('Method').attributes['name'].value}\n#{result.xpath('LongMessage').text}\nhttps://find-sec-bugs.github.io/bugs.htm##{bug_type}"
+
+        file = result.at_xpath('SourceLine').attributes['sourcepath'].value
+        trigger_path = Pathname.new(@trigger.path)
+        real_path = nil
+        trigger_path.find {|path| real_path = path if path.fnmatch "*/#{file}"}
+        file = real_path.relative_path_from(trigger_path).to_s unless real_path.nil?
+
+        line = result.at_xpath('SourceLine[@primary="true"]').attributes['start'].value
+        code = "#{result.at_xpath('String').attributes['value'].value}"
+        source = {:scanner => @name, :file => file, :line => line, :code => code}
+        sev = result.attributes['priority'].value
+        fprint = fingerprint("#{description}#{detail}#{source}")
+
+        report description, detail, source, sev, fprint
+      end
+    rescue Exception => e
+      Pipeline.warn e.message
+      Pipeline.warn e.backtrace
+    ensure
+      File.unlink @results_file
+    end
+  end
+
+  def supported?
+    unless find_executable0('mvn') and File.exist?("#{@trigger.path}/pom.xml")
+      Pipeline.notify "FindSecurityBugs support requires maven and pom.xml"
+      Pipeline.notify "Please install maven somewhere in your PATH and include a valid pom.xml in the project root"
+      return false
+    end
+
+    unless @tracker.options.has_key?(:findsecbugs_path) and File.exist?("#{@tracker.options[:findsecbugs_path]}/findsecbugs.sh")
+      Pipeline.notify "#{@tracker.options[:findsecbugs_path]}"
+      Pipeline.notify "Download and unpack the latest findsecbugs-cli release: https://github.com/find-sec-bugs/find-sec-bugs/releases"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/pipeline/tasks/pmd.rb

@@ -0,0 +1,64 @@
+require 'pipeline/tasks/base_task'
+require 'pipeline/util'
+require 'nokogiri'
+require 'pathname'
+
+class Pipeline::PMD < Pipeline::BaseTask
+
+  Pipeline::Tasks.add self
+  include Pipeline::Util
+
+  def initialize(trigger, tracker)
+    super(trigger, tracker)
+    @name = "PMD"
+    @description = "PMD Source Code Analyzer"
+    @stage = :code
+    @labels << "code"
+  end
+
+  def run
+    Pipeline.notify "#{@name}"
+    @tracker.options[:pmd_checks] ||= "java-basic,java-sunsecure"
+    Dir.chdir @tracker.options[:pmd_path] do
+      @results = Nokogiri::XML(`bin/run.sh pmd -d #{@trigger.path} -f xml -R #{@tracker.options[:pmd_checks]}`).xpath('//file')
+    end
+  end
+
+  def analyze
+    begin
+      @results.each do |result|
+        attributes = result.at_xpath('violation').attributes
+        description = result.children.children.to_s.strip
+        detail = "Ruleset: #{attributes['ruleset']}"
+        source = {:scanner => @name, :file => result.attributes['name'].to_s.split(Pathname.new(@trigger.path).cleanpath.to_s)[1][1..-1], :line => attributes['beginline'].to_s, :code => "package: #{attributes['package'].to_s}\nclass: #{attributes['class'].to_s}\nmethod: #{attributes['method'].to_s}" }
+        case attributes['priority'].value.to_i
+        when 3
+          sev = 1
+        when 2
+          sev = 2
+        when 1
+          sev = 3
+        else
+          sev = 0
+        end
+        fprint = fingerprint("#{description}#{detail}#{source}#{sev}")
+
+        report description, detail, source, sev, fprint
+      end
+    rescue Exception => e
+      Pipeline.warn e.message
+      Pipeline.warn e.backtrace
+    end
+  end
+
+  def supported?
+    unless @tracker.options.has_key?(:pmd_path) and File.exist?("#{@tracker.options[:pmd_path]}/bin/run.sh")
+      Pipeline.notify "#{@tracker.options[:pmd_path]}"
+      Pipeline.notify "Install PMD from: https://pmd.github.io/"
+      return false
+    else
+      return true
+    end
+  end
+
+end

data/lib/pipeline/tasks/zap.rb

@@ -2,6 +2,7 @@ require 'pipeline/tasks/base_task'
 require 'pipeline/util'
 require 'json'
 require 'curb'
+require 'securerandom'
 
 class Pipeline::Zap < Pipeline::BaseTask
 
@@ -19,21 +20,33 @@ class Pipeline::Zap < Pipeline::BaseTask
   def run
     rootpath = @trigger.path
     base = "#{@tracker.options[:zap_host]}:#{@tracker.options[:zap_port]}"
-    Pipeline.debug "Running ZAP on: #{rootpath} from #{base}"
+    apikey = "#{@tracker.options[:zap_api_token]}"
+    context = SecureRandom.uuid
 
-    # TODO:  Add API Key
-    # TODO:  Find out if we need to worry about "contexts" stepping on each other.
+    Pipeline.debug "Running ZAP on: #{rootpath} from #{base} with #{context}"
+    
+    # Set up Context
+    Curl.get("#{base}/JSON/context/action/newContext/?&apikey=#{apikey}&contextName=#{context}")
+    Curl.get("#{base}/JSON/context/action/includeInContext/?apikey=#{apikey}&contextName=#{context}&regex=#{rootpath}.*")
 
     # Spider
-    Curl.get("#{base}/JSON/spider/action/scan/?#{rootpath}")
-    poll_until_100("#{base}/JSON/spider/view/status")
+    spider = get_scan_id( Curl.get("#{base}/JSON/spider/action/scan/?apikey=#{apikey}&url=#{rootpath}&context=#{context}") )
+    poll_until_100("#{base}/JSON/spider/view/status/?scanId=#{spider}")
 
     # Active Scan
-    Curl.get("#{base}/JSON/ascan/action/scan/?recurse=true&inScopeOnly=true&url=#{rootpath}")
-    poll_until_100("#{base}/JSON/ascan/view/status/")
+    scan = get_scan_id ( Curl.get("#{base}/JSON/ascan/action/scan/?apikey=#{apikey}&recurse=true&inScopeOnly=true&url=#{rootpath}") )
+    poll_until_100("#{base}/JSON/ascan/view/status/?scanId=#{scan}")
       
     # Result
-    @result = Curl.get("#{base}/JSON/core/view/alerts/").body_str
+    @result = Curl.get("#{base}/JSON/core/view/alerts/?baseurl=#{rootpath}").body_str
+
+    # Remove Context
+    Curl.get("#{base}/JSON/context/action/removeContext/?&apikey=#{apikey}&contextName=#{context}")
+  end
+
+  def get_scan_id(response)
+    json = JSON.parse response.body_str
+    return json["scan"]
   end
 
   def poll_until_100(url)

data/lib/pipeline/version.rb

@@ -1,3 +1,3 @@
 module Pipeline
-  Version = "0.8.3"
+  Version = "0.8.5"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: owasp-pipeline
 version: !ruby/object:Gem::Version
-  version: 0.8.3
+  version: 0.8.5
 platform: ruby
 authors:
 - Matt Konda
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-05 00:00:00.000000000 Z
+date: 2016-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: terminal-table
@@ -124,6 +124,76 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.5.7
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.6.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.6.2
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dawnscanner
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Pipeline detects security vulnerabilities in code.
 email: matt.konda@owasp.org
 executables:
@@ -163,11 +233,14 @@ files:
 - lib/pipeline/tasks/brakeman.rb
 - lib/pipeline/tasks/bundle-audit.rb
 - lib/pipeline/tasks/checkmarx.rb
+- lib/pipeline/tasks/dawnscanner.rb
 - lib/pipeline/tasks/eslint.rb
 - lib/pipeline/tasks/fim.rb
+- lib/pipeline/tasks/findsecbugs.rb
 - lib/pipeline/tasks/nsp.rb
 - lib/pipeline/tasks/owasp-dep-check.rb
 - lib/pipeline/tasks/patterns.json
+- lib/pipeline/tasks/pmd.rb
 - lib/pipeline/tasks/retirejs.rb
 - lib/pipeline/tasks/scanjs-eslintrc
 - lib/pipeline/tasks/scanjs.rb