scabox_sdk 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a8c80dcf7f5f6a7347e69ce67fed3e010384b30eae97bf1dc4be4c3c10e799bf
+  data.tar.gz: 506708f0c1f04c91f4d629cfbfc7bdc5cf08581cec840bcd8ef9e32e2067728f
+SHA512:
+  metadata.gz: e8452b4ea6ee804868721b994219fc51910359ef9c91c98579ab62737c2278e4d74ac5d09f6d48041c777a0dce8e8696cad65d5695d81e621d17b49b8c1cd085
+  data.tar.gz: 53e2726f1f657d862c417fcc460937854cb3d5dee97483240730ade740a04f2e73c2ed5ac4a6a6ce32ed8226b3e43d467167271204b9f37ae65ebf755183400f

data/README.md

@@ -0,0 +1,4 @@
+## SCABox SDK
+
+SDK to construct SCA scanners
+

data/lib/scabox_sdk.rb

@@ -0,0 +1,10 @@
+require_relative 'scabox_sdk/printer'
+require_relative 'scabox_sdk/runner'
+require_relative 'scabox_sdk/scanner'
+require_relative 'scabox_sdk/codebase'
+require_relative 'scabox_sdk/container'
+
+module ScaBox
+  VERSION = '1.0.0'
+end
+

data/lib/scabox_sdk/codebase.rb

@@ -0,0 +1,68 @@
+require 'optparse'
+require 'ostruct'
+require_relative 'scanner'
+
+
+module ScaBox
+  class CodebaseScanner < Scanner
+    def initialize(params)
+      super(params)
+    end
+
+    def run
+      parse_opts(ARGV)
+      check_info_flag
+
+      if @opts.codebase.nil?
+        print_error("No codebase passed")
+        exit 1
+      end
+      check_output_flag
+      start_scan
+    end
+
+    def parse_opts(args)
+      @opts = OpenStruct.new
+      @opts.codebase    = nil
+      @opts.output      = nil
+      @opts.format      = :json
+      @opts.verbose     = false
+      @opts.info        = false
+      @opts.color       = true
+
+      opt_parser = OptionParser.new do |opts|
+        opts.on('-c', '--codebase=CODEBASE', 'Codebase to be scanned') do |codebase|
+          @opts.codebase = codebase
+        end
+
+        opts.on('-f', '--format=FORMAT', 'Format to save result (json or txt)') do |f|
+          @opts.format = f.to_sym
+        end
+
+        opts.on('-o', '--output=OUTPUT', 'File to save result') do |output|
+          @opts.output = output
+        end
+
+        opts.on("-v", '--[no-]verbose', 'Run verbosely') do |v|
+          @opts.verbose = v
+        end
+
+        opts.on("-i", '--info', 'Info about the scanner') do
+          @opts.info = true
+        end
+
+        opts.on('', '--[no-]color', 'Enable/disable coloring') do |v|
+          @opts.color = v
+          enable_color(@opts.color)
+        end
+
+      end
+
+      opt_parser.parse!(args)
+      print_debug(@opts.inspect) if @opts.verbose
+      @opts
+    end
+
+  end
+end
+

data/lib/scabox_sdk/container.rb

@@ -0,0 +1,73 @@
+require 'optparse'
+require 'ostruct'
+require_relative 'scanner'
+
+
+module ScaBox
+  class ContainerScanner < Scanner
+    def initialize(params)
+      super(params)
+    end
+
+    def run
+      parse_opts(ARGV)
+      check_info_flag
+
+      if @opts.image_name.nil? and @opts.image_file.nil?
+        print_error("No image passed")
+        exit 1
+      end
+
+      check_output_flag
+      start_scan
+    end
+
+    def parse_opts(args)
+      @opts = OpenStruct.new
+      @opts.image_name  = nil
+      @opts.image_file  = nil
+      @opts.output      = nil
+      @opts.format      = :json
+      @opts.verbose     = false
+      @opts.info        = false
+      @opts.color       = true
+
+      opt_parser = OptionParser.new do |opts|
+        opts.on('-n', '--image-name=IMAGE_NAME', 'Name of image to be scanned') do |image_name|
+          @opts.image_name = image_name
+        end
+
+        opts.on('-p', '--image-file=IMAGE_PATH', 'Path of image to be scanned') do |image_file|
+          @opts.image_file = image_file
+        end
+
+        opts.on('-f', '--format=FORMAT', 'Format to save result (json or txt)') do |f|
+          @opts.format = f.to_sym
+        end
+
+        opts.on('-o', '--output=OUTPUT', 'File to save result') do |output|
+          @opts.output = output
+        end
+
+        opts.on("-v", '--[no-]verbose', 'Run verbosely') do |v|
+          @opts.verbose = v
+        end
+
+        opts.on("-i", '--info', 'Info about the scanner') do
+          @opts.info = true
+        end
+
+        opts.on('', '--[no-]color', 'Enable/disable coloring') do |v|
+          @opts.color = v
+          enable_color(@opts.color)
+        end
+      end
+
+      opt_parser.parse!(args)
+      print_debug(@opts.inspect) if @opts.verbose
+      @opts
+    end
+
+  end
+end
+

data/lib/scabox_sdk/printer.rb

@@ -0,0 +1,75 @@
+require 'colored'
+require 'date'
+
+module ScaBox
+  module Printer
+
+    def coloring(flag = true)
+      @color = flag
+    end
+
+    def print_title(s, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}[*] #{s}"
+      if @color
+        puts out_s.bold.blue
+      else
+        puts out_s
+      end
+      @logger.info(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_normal(s, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}#{s}"
+      puts out_s
+      @logger.info(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_success(s, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}[SUCCESS] #{s}"
+      if @color
+        puts out_s.bold.green
+      else
+        puts out_s
+      end
+      @logger.info(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_error(s, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}[ ERROR ] #{s}"
+      if @color
+        puts out_s.bold.red
+      else
+        puts out_s
+      end
+      @logger.error(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_with_label(s, label, level = 0)
+      pad = " " * (level * 4)
+      out_s = "#{pad}[#{label}] #{s}"
+      puts out_s
+      @logger.info(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def print_debug(s, level = 0)
+      pad = " " * (level * 4)
+      now = DateTime.now.strftime('%d/%m/%Y %H:%M:%S.%3N')
+      out_s = "#{pad}DEBUG|#{now}| #{s}"
+      if @color
+        puts out_s.bold.yellow
+      else
+        puts out_s
+      end
+      @logger.debug(out_s) if instance_variable_defined?("@logger")
+    end
+
+    def self.included(base)
+      #base.instance_variable_set(:@color, true)
+    end
+
+  end
+end

data/lib/scabox_sdk/runner.rb

@@ -0,0 +1,74 @@
+require 'open3'
+require 'timeout'
+
+module ScaBox
+  module Runner
+
+    # TODO: find a better way to do this
+    def command?(name)
+      `which #{name}`
+      $?.success?
+    end
+
+    def run_cmd(cmd)
+      print_debug(cmd) if @opts.verbose
+      if command?(cmd[0])
+        run_cmd_with_timeout(cmd)
+      else
+        print_error("Command not found: #{cmd[0]}")
+        exit 1
+      end
+    end
+
+=begin
+    def run_cmd(cmd)
+      if command?(cmd[0])
+        @framework.print_debug("Command: #{cmd.join(' ')}") if @framework.verbosity > 1
+        #run_cmd_orig(cmd)
+        run_cmd_with_timeout(cmd)
+      else
+        @framework.print_error("Command: '#{cmd[0]}' not found") if @framework.verbosity > 1
+        @errors += 1
+      end
+    end
+=end
+
+    def run_cmd_with_timeout(cmd)
+      out_reader = ''
+      err_reader = ''
+      Open3.popen3(*cmd) do |stdin, stdout, stderr, wait_thr|
+        # https://stackoverflow.com/questions/8952043/how-to-fix-hanging-popen3-in-ruby
+        stdin.close_write
+        output, pid = [], wait_thr.pid
+        begin
+          Timeout.timeout(@timeout) do
+            begin
+              err_reader = Thread.new { stderr.read }
+            rescue IOError
+            end
+
+            out_reader = stdout.read
+
+            #output = [stdout.read, stderr.read]
+            Process.wait(pid)
+          end
+        rescue Errno::ECHILD
+        rescue Timeout::Error
+          print_error('Timed out - Skipping...')
+          Process.kill('HUP', pid)
+          exit 1
+        end
+        [out_reader, wait_thr.value]
+      end
+    end
+
+
+
+
+  end
+end
+
+
+
+
+

data/lib/scabox_sdk/scanner.rb

@@ -0,0 +1,171 @@
+require 'digest'
+require 'json'
+require 'tmpdir'
+require 'securerandom'
+require_relative 'printer'
+require_relative 'runner'
+
+
+module ScaBox
+  class Scanner
+    include ScaBox::Printer
+    include ScaBox::Runner
+
+    DEFAULT_SOLUTION = 'Update to the latest stable version or apply patches.'
+
+    attr_reader :name, :description, :support, :issues, :timeout
+
+    def initialize(params)
+      @name = params[:name]
+      @description = params[:description]
+      @support = params[:support]
+      @issues = []
+      @timeout = 200 * 60
+      enable_color(true)
+    end
+
+    def check_info_flag
+      if @opts.info
+        puts info
+        exit 0
+      end
+    end
+
+    def check_output_flag
+      if @opts.output.nil?
+        print_error("Output -o not passed")
+        exit 1
+      end
+    end
+
+    def start_scan
+      starting_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+      print_title("Running #{name}...")
+
+      cmd = prepare_command
+      @cmd_output, status = run_cmd(cmd)
+      normalize_result
+      save_results
+
+      ending_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+      elapsed_time = Time.at(ending_time - starting_time).utc.strftime('%H:%M:%S')
+      print_normal("Time elapsed: #{elapsed_time}")
+    end
+
+    def enable_color(enabled=true)
+      @color = enabled
+    end
+
+    def info(as_json=true)
+      data = {name: @name, description: @description, support: @support}
+      if as_json
+        data = JSON.pretty_generate(data)
+      end
+      data
+    end
+
+    def add_issue(issue)
+      issue[:plugin]           = name
+      issue[:cve]              = [] if issue[:cve].nil?
+      issue[:cve]              = [issue[:cve]] if issue[:cve].kind_of?(String)
+      issue[:references]       = [] if issue[:references].nil?
+      issue[:title]            = build_title(issue) if issue[:title].nil?
+      issue[:discovery_method] = '' if issue[:discovery_method].nil?
+      issue[:description]      = issue[:title] if issue[:description].nil?
+      issue[:severity]         = "undefined" if issue[:severity].nil?
+      issue[:references]       = [issue[:references]] if issue[:references].kind_of?(String)
+      issue[:solution]         = DEFAULT_SOLUTION if issue[:solution].nil?
+
+      hash_data = [
+        issue[:path],
+        issue[:component],
+        issue[:version],
+        issue[:title],
+        issue[:description],
+        issue[:cve].sort.join(":")
+      ]
+
+      issue[:hash] = Digest::SHA256.hexdigest(hash_data.join(':'))
+      @issues << issue
+    end
+
+
+    def build_title(issue)
+      title = "Vulnerability"
+      if issue[:cve].length > 0
+        title = issue[:cve].sort.join(',')
+      end
+      title
+    end
+
+    def save_results
+      print_normal("Issues found: #{@issues.length}")
+      unless @issues.empty?
+        if @opts.format == :json
+          output = JSON.pretty_generate(@issues)
+        else
+          output = txt_output
+        end
+        File.open(@opts.output, 'wb') {|file| file.write(output) }
+        print_normal("Output saved: #{@opts.output}")
+      end
+    end
+
+    def txt_output
+      sep = "=" * 100
+      output = ''
+      @issues.each do |i|
+        #pp i
+        #puts "\n\n"
+
+        output << "Hash:               #{i[:hash]}\n"
+        output << "Plugin:             #{i[:plugin]}\n"
+        output << "Path:               #{i[:path]}\n"
+        output << "Component:          #{i[:component]}\n"
+        output << "Version:            #{i[:version]}\n"
+        output << "Discovery Method    #{i[:discovery_method]}\n"
+        output << "Title:              #{i[:title]}\n"
+        output << "Description:        #{i[:description].gsub("\n", "")}\n"
+        output << "Solution:           #{i[:solution].gsub("\n", "")}\n"
+        output << "Severity:           #{i[:severity]}\n"
+        output << "CVE:                #{i[:cve].join(', ')}\n"
+        output << "References:\n#{i[:references].join("\n")}\n"
+        output << "#{sep}\n\n"
+      end
+      output
+    end
+
+    def filename_for_plugin(suffix='.json')
+      time_s = Time.now.strftime("%Y%m%d%H%M%S")
+      filename = "#{name}_#{time_s}#{suffix}"
+      filename
+    end
+
+    def parse_json_from_str(s)
+      content = nil
+      unless s.nil?
+        begin
+          content = JSON.parse(s)
+        rescue JSON::ParserError
+        end
+      end
+      content
+    end
+
+    def parse_json_from_file(filename)
+      content = nil
+      if File.exist?(filename)
+        content = parse_json_from_str(File.read(filename))
+      end
+      content
+    end
+
+    def gen_random_tmp_filename(suffix = '')
+      File.join(Dir.tmpdir, "#{SecureRandom.urlsafe_base64}#{suffix}")
+    end
+
+    def gen_random_tmp_filename_json
+      gen_random_tmp_filename('.json')
+    end
+  end
+end

metadata

@@ -0,0 +1,77 @@
+--- !ruby/object:Gem::Specification
+name: scabox_sdk
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- rd
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2020-09-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: colored
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+description: SDK to construct SCA scanners
+email: rd@convisoappsec.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/scabox_sdk.rb
+- lib/scabox_sdk/codebase.rb
+- lib/scabox_sdk/container.rb
+- lib/scabox_sdk/printer.rb
+- lib/scabox_sdk/runner.rb
+- lib/scabox_sdk/scanner.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.4'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.3
+signing_key:
+specification_version: 4
+summary: SCABox SDK
+test_files: []