sastbox_sdk 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9b33ef5c1d3c97a2991c9dcb76b13a3c414df8f545ff3f085b3ebed0f9d7f496
+  data.tar.gz: d4c5e354f401f469062f5310cd449980b8e1394bf26931696d0a0e2cf053c9f4
+SHA512:
+  metadata.gz: 8784202c7700c39863d9bd94a7d59cac86a16d6a6ebcdba1574f148ed909520743c48c431abb8d9f3fac0eda27dc67a42aeffa3d93653940e1a04939289b3a59
+  data.tar.gz: 94c3e307ce99bd94c381db15f6c278dd816f638c4a9cdbf37962777289535b38d7b0abef9a803feb1af2a59ce18b9dc5b6b734493b9057bb46ea184c5359fc0d

data/lib/sastbox-sdk.rb

@@ -0,0 +1,26 @@
+require 'base64'
+require 'digest'
+require 'json'
+require 'open3'
+require 'optparse'
+require 'ostruct'
+require 'timeout'
+require 'tmpdir'
+require 'securerandom'
+
+require_relative 'sastbox-sdk/cwe_constants'
+require_relative 'sastbox-sdk/cwe_detector'
+require_relative 'sastbox-sdk/snippet'
+require_relative 'sastbox-sdk/reporter_sarif'
+require_relative 'sastbox-sdk/opt_parser'
+require_relative 'sastbox-sdk/printer'
+require_relative 'sastbox-sdk/runner'
+require_relative 'sastbox-sdk/severity_calculator'
+require_relative 'sastbox-sdk/scanner'
+
+
+module SastBox
+  VERSION = '2.0.0'
+  SDK_VERSION = '0.0.1'
+end
+

data/lib/sastbox-sdk/codebase.rb

@@ -0,0 +1,9 @@
+module SastBox
+  module Codebase
+
+  end
+end
+
+
+
+

data/lib/sastbox-sdk/cwe_constants.rb

@@ -0,0 +1,87 @@
+module SastBox
+  module Cwe
+    UNDEF = 0
+    IMPROPER_INPUT_VALIDATION = 20
+    PATH_TRAVERSAL = 22
+    EXTERNAL_CONTROL_FILE_NAME = 73
+    OS_COMMAND_INJECTION = 78
+    XSS = 79
+    BASIC_XSS = 80
+    SQL_INJECTION = 89
+    LDAP_INJECTION = 90
+    CODE_INJECTION = 94
+    EVAL_INJECTION = 95
+    PHP_REMOTE_FILE_INCLUSION = 98
+    RESPONSE_SPLITTING = 113
+    IMPROPER_RESTRICTION_MEMORY_BOUNDS = 119
+    USE_OF_EXTERNALLY_CONTROLLED_FORMAT_STRING = 134
+    IMPROPER_WILDCARD_NEUTRALIZATION = 155
+    INCORRECT_REGEX = 185
+    INTEGER_OVERFLOW = 190
+    EXPOSURE_SENSITIVE_INFO = 200
+    TIMING_DISCREPANCY = 208
+    ERROR_CONTAINING_SENSITIVE_INFO = 209
+    UNPROTECTED_STORAGE_OF_CREDENTIALS = 256
+    HARD_CODED_PASSWORD = 259
+    IMPROPER_ACCESS_CONTROL = 284
+    IMPROPER_AUTHORIZATION = 285
+    IMPROPER_AUTHENTICATION = 287
+    IMPROPER_CERT_VALIDATION = 295
+    CLEARTEXT_STORAGE_OF_SENSITIVE_INFORMATION = 312
+    CLEARTEXT_TRANSMISSION = 319
+    INADEQUATE_ENCRYPTION_STRENGTH = 326
+    BROKEN_CRYPTO = 327
+    INSUFFICIENT_RANDOM_VALUES = 330
+    INSUFFICIENT_ENTROPY = 331
+    WEAK_PRNG = 338
+    IMPROPER_VERIFICATION_OF_SIGNATURE = 347
+    CSRF = 352
+    TOCTOU = 367
+    DIVIDE_BY_ZERO = 369
+    INSECURE_TEMP_FILE = 377
+    SESSION_FIXATION = 384
+    ERROR_CONDITION_WITHOUT_ACTION = 390
+    RESOURCE_CONSUMPTION = 400
+    IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE = 404
+    UNRESTRICTED_UPLOAD_OF_FILE_WITH_DANGEROUS_TYPE = 434
+    UNINITIALIZED_VARIABLE = 457
+    UNSAFE_REFLECTION = 470
+    NULL_POINTER_DEREFERENCE = 476
+    OBSOLETE_FUNCTION = 477
+    DATA_LEAK_BETWEEN_SESSIONS = 488
+    ACTIVE_DEBUG_CODE = 489
+    DOWNLOAD_OF_CODE_WITHOUT_INTEGRITY_CHECK = 494
+    EXPOSURE_OF_SYSTEM_DATA = 497
+    DESERIALIZATION_OF_UNTRUSTED_DATA = 502
+    WEAK_PASSWORD_REQUIREMENT = 521
+    SENSITIVE_INFO_LOG_FILE = 532
+    USE_OF_PERSISTENT_COOKIES = 539
+    SUSPICIOUS_COMMENT = 546
+    OPEN_REDIRECT = 601
+    MULTIPLE_BINDS = 605
+    IMPROPER_RESTRICTION_OF_XML_EXTERNAL_ENTITY_REFERENCE = 611
+    SENSITIVE_INFO_IN_SOURCE_CODE_COMMENTS = 615
+    AUTHORIZATION_BYPASS_THROUGH_KEY = 639
+    XPATH_INJECTION = 643
+    XQUERY_INJECTION = 652
+    EXPOSURE_RESOURCE_WRONG_SPHERE = 668
+    USE_OF_POTENTIALLY_DANGEROUS_FUNCTION = 676
+    PROTECTION_MECHANISM_FAILURE = 693
+    IMPROPER_CHECK_OF_EXCEPT_COND = 703
+    INCORRECT_PERMISSION_ASSIGNMENT = 732
+    EXPOSED_DANGEROUS_METHOD_OR_FUNCTION = 749
+    SELECTION_OF_LESS_SECURE_ALGORITHM_DURING_NEGOTIATION = 757
+    UNSALTED_ONE_WAY_HASH = 759
+    REGEX_WITHOUT_ANCHORS = 777
+    RELIANCE_ON_UNTRUSTED_INPUTS_IN_A_SECURITY_DECISION = 807
+    INCLUSION_FUNCTIONALITY_UNTRUSTED_SPHERE = 829
+    IMPROPER_CONTROL_DYNAMIC_ATTR = 915
+    SSRF = 918
+    USING_COMPONENTS_WITH_KNOWN_VULNERABILITIES = 937
+    SENSITIVE_COOKIE_WITHOUT_HTTPONLY_FLAG = 1004
+    IMPROPER_RESTRICTION_OF_RENDERED_UI_LAYERS_OF_FRAMES = 1021
+    USE_OF_WEB_LINK_TO_UNTRUSTED_TARGET = 1022
+    SECURITY_MISCONFIGURATION = 1032
+    USE_OF_UNMAINTAINED_THIRD_PARTY_COMPONENTS = 1104
+  end
+end

data/lib/sastbox-sdk/cwe_detector.rb

@@ -0,0 +1,202 @@
+require 'set'
+
+module SastBox
+  module Cwe
+
+    def cwe_found?(issue, patterns, cwe)
+      patterns.each do |pattern|
+        @alternative_titles.each do |title|
+          if title.include? pattern
+            issue[:cwe_id] = cwe
+            return true
+          end
+        end
+      end
+      return false
+    end
+
+    def detected_sql_injection?(issue)
+      patterns = [
+        'sql injection',
+        'sqlinj',
+        'sqli',
+        'sql inj'
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::SQL_INJECTION)
+    end
+
+    def detected_xss?(issue)
+      patterns = [
+        'xss',
+        'cross-site scripting',
+        'cross site scripting',
+        'html injection'
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::XSS)
+    end
+
+    def detected_cmd_injection?(issue)
+      patterns = [
+        'command injection',
+        'command execution',
+        'cmd injection',
+        'cmd execution',
+        'cmd exec',
+        'shell injection',
+        'shell metacharacters'
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::OS_COMMAND_INJECTION)
+    end
+
+    def detected_code_injection?(issue)
+      patterns = [
+        'code injection',
+        'code execution',
+        'code exec',
+        'code inj'
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::CODE_INJECTION)
+    end
+
+    def detected_session_fixation?(issue)
+      patterns = [
+        'session fixation',
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::SESSION_FIXATION)
+    end
+
+    def detected_csrf?(issue)
+      patterns = [
+        'csrf',
+        'xsrf',
+        'cross site request forgery',
+        'session riding',
+        'cross site reference forgery',
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::CSRF)
+    end
+
+    def detected_deserialization?(issue)
+      patterns = [
+        'deserializ',
+        'unmarshaling',
+        'unpickling',
+        'php object injection'
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::DESERIALIZATION_OF_UNTRUSTED_DATA)
+    end
+
+    def detected_path_traversal?(issue)
+      patterns = [
+        'path traversal',
+        'traversal',
+        'pathtraversal'
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::PATH_TRAVERSAL)
+    end
+
+    def detected_hardcoded_password?(issue)
+      patterns = [
+        'hard-coded'
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::HARD_CODED_PASSWORD)
+    end
+
+    def detected_null_ptr_deref?(issue)
+      patterns = [
+        'null pointer deref'
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::NULL_POINTER_DEREFERENCE)
+    end
+
+    def detected_broken_crypto?(issue)
+      patterns = [
+        'weak cipher',
+        'weak crypto',
+        'insecure cipher',
+        'insecure crypto',
+        'insecure encryption',
+        'broken cipher',
+        'broken crypto',
+        'weak hash',
+        'insecure hash',
+        'broken hash',
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::BROKEN_CRYPTO)
+    end
+
+    def detected_improper_authorization?(issue)
+      patterns = [
+        'improper authorization',
+        'no authorization',
+        'broken authorization',
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::IMPROPER_AUTHORIZATION)
+    end
+
+    def detected_improper_authentication?(issue)
+      patterns = [
+        'improper authentication',
+        'no authentication',
+        'broken authentication',
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::IMPROPER_AUTHENTICATION)
+    end
+
+    def detected_improper_input_validation?(issue)
+      patterns = [
+        'input validation',
+        'data validation',
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::IMPROPER_INPUT_VALIDATION)
+    end
+
+    def detected_unrestricted_file_upload?(issue)
+      patterns = [
+        'unrestricted upload',
+        'unrestricted file upload',
+      ]
+      cwe_found?(issue, patterns, SastBox::Cwe::UNRESTRICTED_UPLOAD_OF_FILE_WITH_DANGEROUS_TYPE)
+    end
+
+    def cwe_start_heuristics(issue)
+      alternative_titles(issue)
+      issue[:cwe_id] = SastBox::Cwe::UNDEF
+      return if detected_sql_injection?(issue)
+      return if detected_xss?(issue)
+      return if detected_cmd_injection?(issue)
+      return if detected_code_injection?(issue)
+      return if detected_session_fixation?(issue)
+      return if detected_csrf?(issue)
+      return if detected_deserialization?(issue)
+      return if detected_path_traversal?(issue)
+      return if detected_hardcoded_password?(issue)
+      return if detected_null_ptr_deref?(issue)
+      return if detected_broken_crypto?(issue)
+      return if detected_improper_authorization?(issue)
+      return if detected_improper_authentication?(issue)
+      return if detected_improper_input_validation?(issue)
+      return if detected_unrestricted_file_upload?(issue)
+    end
+
+    def alternative_titles(issue)
+      @alternative_titles = Set.new
+      @alternative_titles << issue[:title].downcase
+
+      @alternative_titles << @alternative_titles.first.split('_').join(' ')
+      @alternative_titles << @alternative_titles.first.split('-').join(' ')
+      @alternative_titles << @alternative_titles.first.gsub("hard coded", "hard-coded")
+      @alternative_titles << @alternative_titles.first.gsub("hardcoded", "hard-coded")
+      @alternative_titles
+    end
+
+    def guess_cwe(issue)
+      if issue.key?(:cwe_id)
+        cwe_start_heuristics(issue) if [SastBox::Cwe::UNDEF, -1, nil].include?(issue[:cwe_id])
+      else
+        cwe_start_heuristics(issue)
+      end
+    end
+
+  end
+end

data/lib/sastbox-sdk/opt_parser.rb

@@ -0,0 +1,45 @@
+require 'optparse'
+require 'ostruct'
+
+module SastBox
+  module OptParser
+    def parse_opts(args)
+      @opts = OpenStruct.new
+      @opts.verbose     = false
+      @opts.info        = false
+      @opts.color       = true
+      @opts.diff_hashes = []
+      @opts.diff_quick  = false
+      @opts.timeout     = 200 * 60
+
+      opt_parser = OptionParser.new do |opts|
+        opts.on('-c', '--codebase=CODEBASE', 'Codebase to be scanned') do |codebase|
+          @opts.codebase = codebase
+        end
+
+        opts.on('-o', '--output=OUTPUT', 'Output path to save SARIF result') do |output|
+          @opts.output = output
+        end
+
+        opts.on("-v", '--[no-]verbose', 'Run verbosely') do |v|
+          @opts.verbose = v
+        end
+
+        opts.on('-t', '--timeout=TIMEOUT', Integer, "Control timeout (default: #{@opts.timeout/60} mins per scanner)") do |timeout|
+          @opts.timeout = timeout * 60
+        end
+
+        opts.on("-i", '--info', 'Info about the scanner') do
+          @opts.info = true
+        end
+
+        opts.on('-n', '--[no-]color', 'Enable/disable coloring') do |v|
+          @opts.color = v
+        end
+      end
+
+      opt_parser.parse!(args)
+      @opts
+    end
+  end
+end

data/lib/sastbox-sdk/printer.rb

@@ -0,0 +1,86 @@
+require 'colored'
+require 'date'
+
+module SastBox
+  module Printer
+
+    def enable_color(flag = true)
+      @color = flag
+    end
+
+    def print_title(s, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}[*] #{s}"
+      if @color
+        puts out_s.bold.blue
+      else
+        puts out_s
+      end
+      @logger.info(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_normal(s, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}#{s}"
+      puts out_s
+      @logger.info(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_success(s, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}[SUCCESS] #{s}"
+      if @color
+        puts out_s.bold.green
+      else
+        puts out_s
+      end
+      @logger.info(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_error(s, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}[ ERROR ] #{s}"
+      if @color
+        puts out_s.bold.red
+      else
+        puts out_s
+      end
+      @logger.error(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_with_label(s, label, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}[#{label}] #{s}"
+      puts out_s
+      @logger.info(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_debug(s, level = 0)
+      pad = " " * (level * 4)
+      now = DateTime.now.strftime('%d/%m/%Y %H:%M:%S.%3N')
+      out_s = "#{pad}DEBUG|#{now}| #{s}"
+      if @color
+        puts out_s.bold.yellow
+      else
+        puts out_s
+      end
+      @logger.debug(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_warning(s, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}[WARNING] #{s}"
+      if @color
+        puts out_s.bold.yellow
+      else
+        puts out_s
+      end
+      @logger.info(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def self.included(base)
+      #base.instance_variable_set(:@color, true)
+    end
+
+  end
+end