OWASP/glue

Documentation for --findings-file please

Closed this issue · 5 comments

opts.on "--finding-file-path PATH", "the path to the file with existing issues" do |path|

I'm using Docker to run the following command:

docker run --rm --name=Glue -v $(pwd):/tmp/triage owasp/glue --finding-file finding_ignore.json  -t retirejs -t nodesecurityproject -t sfl -f teamcity --teamcity-min-level 1 /tmp/triage

Glue appears to run, but it's either not ignoring the files I have in finding_ignore.json or I have it formatted incorrectly. To be clear, I want the findings of SFL ignored for these files, but not necessarily the other tools. Do I misunderstand how this should work?

{
    "ssl/ssl-cert-host.key": "ignore"
}

This is a self-signed certificate for local development (not something that gets deployed to production). /ssl/ is a folder at the root of my project.

I figured it out... the file was being picked up, but needed to be in the format:

{
    "fingerprint_hash": "ignore"
}

Actually, I take that back... my scan still isn't ignoring the files with the TeamCity reporter.

Here's the full output:

[12:56:40] [Step 5/5] Status: Downloaded newer image for owasp/glue:latest
[12:56:40] [Step 5/5] docker run --rm --name=Glue
[12:56:40] [Step 5/5] -v /opt/buildAgent/work/1234567890:/tmp/triage owasp/glue
[12:56:40] [Step 5/5] -t retirejs
[12:56:40] [Step 5/5] -t nodesecurityproject
[12:56:40] [Step 5/5] -t sfl
[12:56:40] [Step 5/5] -f teamcity --teamcity-min-level 1
[12:56:40] [Step 5/5] --exclude node_modules
[12:56:40] [Step 5/5] --finding-file-path glue_ignore.json
[12:56:40] [Step 5/5] --debug
[12:56:40] [Step 5/5] /tmp/triage
[12:56:40] [Step 5/5]
[12:56:41] [Step 5/5] Loading scanner...
[12:56:41] [Step 5/5] Logfile nil?
[12:56:41] [Step 5/5] calling scan
[12:56:41] [Step 5/5] Running scanner
[12:56:41] [Step 5/5] Mounting ... /tmp/triage
[12:56:41] [Step 5/5] Mounting target: /tmp/triage
[12:56:41] [Step 5/5] Checking about mounting /tmp/triage with #Glue::DockerMounter:0x00000001ca2f50
[12:56:41] [Step 5/5] In Docker mounter, target: /tmp/triage became: /triage ... wondering if it matched .docker
[12:56:41] [Step 5/5] Checking about mounting /tmp/triage with #Glue::FileSystemMounter:0x00000001ca2ac8
[12:56:41] [Step 5/5] Mounting /tmp/triage with #Glue::FileSystemMounter:0x00000001ca2ac8
[12:56:41] [Step 5/5] Mounted /tmp/triage with #Glue::FileSystemMounter:0x00000001ca2ac8
[12:56:41] [Step 5/5] Processing target.../tmp/triage
[12:56:41] [Step 5/5] Running tasks in stage: wait
[12:56:41] [Step 5/5] Running tasks in stage: mount
[12:56:41] [Step 5/5] Running tasks in stage: file
[12:56:41] [Step 5/5] Running tasks in stage: code
[12:56:42] [Step 5/5] code - NodeSecurityProject - #Set:0x00000001cec510
[12:56:42] [Step 5/5] no implicit conversion of Set into Array
[12:56:42] [Step 5/5] code - RetireJS - #Set:0x00000001d0d878
[12:56:42] [Step 5/5] no implicit conversion of Set into Array
[12:56:42] [Step 5/5] code - SFL - #Set:0x00000001d0e700
[12:56:42] [Step 5/5] SFL
[12:56:42] [Step 5/5] Found 2750 files
[12:56:42] [Step 5/5] Running tasks in stage: live
[12:56:42] [Step 5/5] Running tasks in stage: done
[12:56:42] [Step 5/5] Starting Contrast Severity Filter
[12:56:42] [Step 5/5] Minimum:
[12:56:42] [Step 5/5] No minimum found, skipping filter.
[12:56:42] [Step 5/5] Have 9 items pre ZAP filter.
[12:56:42] [Step 5/5] Have 9 items post ZAP filter.
[12:56:42] [Step 5/5] Report failed tests for each finding with severity equal or above Low
[12:56:42] [Step 5/5] SFL
[12:56:42] [SFL] 1234567890
[12:56:42] [1234567890] [Test Error Output]
Source: SFL:/tmp/triage/src/utils/PasswordExpirationCheck.spec.ts
Details:
[12:56:42] [1234567890] Severity Low
[12:56:42] [1234567890] Contains word: password
[12:56:42] [Step 5/5] Failed tests detected
... more lines like this

glue_ignore.json

{
    "1234567890": "ignore"
}

Apologies for the back-and-forth 🔥 but I DID correct my script. I'll open a PR to improve documentation on this but... here's my final script:

docker pull owasp/glue
docker run --rm --name=Glue \
	-v $(pwd):/tmp/triage owasp/glue \
	-t sfl \
	--exclude node_modules \
	--finding-file-path /tmp/triage/glue_ignore.json  \
	--debug \
	/tmp/triage

And my glue_ignore.json

{
  "ffffff3fa0d83d169dfcd84141bc8c03598a3169b7a3c8a24b73bf9535ffffff": "ignore",
  "aaaaaace84f34e6807a9614bfe3ec13bfed24343d4da91f011f45aa8f1aaaaaa": "ignore",
  "ccccccb862731c42b16d621598de09516352862c7bf2da5a68bafc4c5dadadad": "ignore"
}

It is successfully ignoring things now!
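To make the lesson of this thread concrete, here is an added example (not Glue's own code) of how a fingerprint-keyed ignore file is applied to findings, plus a check that flags ignore-file keys matching no finding, which is exactly how the path-keyed first attempt would have been caught. The finding fields and fingerprint values are constructed for the example, and the assumption that only the literal value "ignore" suppresses a finding is mine, not confirmed by Glue.

```ruby
require 'json'

# Constructed sample findings, shaped after the fields Glue prints in the
# TeamCity log (fingerprint, source, severity, description). Not Glue's objects.
FINDINGS = [
  { fingerprint: '1234567890', severity: 'Low',
    source: 'SFL:/tmp/triage/src/utils/PasswordExpirationCheck.spec.ts',
    description: 'Contains word: password' },
  { fingerprint: 'abcdef0123', severity: 'Low',
    source: 'SFL:/tmp/triage/ssl/ssl-cert-host.key',
    description: 'Contains word: private key' },
  { fingerprint: 'fedcba9876', severity: 'High',
    source: 'RetireJS:/tmp/triage/package.json',
    description: 'Vulnerable dependency' }
].freeze

# Parse an ignore file: a JSON object whose keys are finding fingerprints.
# Assumption: only the exact value "ignore" suppresses a finding.
def load_ignored_fingerprints(json_text)
  JSON.parse(json_text).select { |_, value| value == 'ignore' }.keys
end

# Drop every finding whose fingerprint is listed in the ignore file.
def apply_ignore_file(findings, json_text)
  ignored = load_ignored_fingerprints(json_text)
  findings.reject { |finding| ignored.include?(finding[:fingerprint]) }
end

# Sanity check for CI: ignore-file keys that match no finding fingerprint.
# A non-empty result usually means the file is keyed by path, not by hash.
def unmatched_keys(findings, json_text)
  known = findings.map { |finding| finding[:fingerprint] }
  load_ignored_fingerprints(json_text) - known
end

# Constructed ignore files: keyed by path (matches nothing) vs. by fingerprint.
IGNORE_BY_PATH = '{ "ssl/ssl-cert-host.key": "ignore" }'.freeze
IGNORE_BY_FINGERPRINT = '{ "1234567890": "ignore", "abcdef0123": "ignore" }'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "path-keyed file leaves #{apply_ignore_file(FINDINGS, IGNORE_BY_PATH).size} findings"
  puts "unmatched keys: #{unmatched_keys(FINDINGS, IGNORE_BY_PATH).inspect}"
  puts "hash-keyed file leaves #{apply_ignore_file(FINDINGS, IGNORE_BY_FINGERPRINT).size} finding"
end
```

Running the unmatched-key check as a build step before the scan turns a silently ineffective ignore file into a visible failure.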

Happy to hear so, and sorry that it wasn't that clear :) Looking forward to seeing the PR!