insidersec/insider

Rules might be missing in the repo?

prabhu opened this issue · 9 comments

Describe the bug
I am not able to find the rules in the repo. Possibly got missed out while committing to the repo.

To Reproduce
Look around for folders with names rulesets, core etc based on source code

Additional context
I am working on sast-scan and would like to integrate this project and enable automatic SARIF conversion. I would like to evaluate the tool first before the integration.

Hi @prabhu how are you?
Actually, inside the lexer/ folder, right in the project's root directory, there are some Go files holding all the rules.
They are divided by the technology they apply to, and there is also a lexer/core.go file, which holds all the rules that apply to any language being analyzed (most of the rules are about hardcoded credentials).

Glad to help more if you need it 😄

Also, already thinking about SARIF, the tool exports a JSON version of the report, besides the main HTML report.
Our main focus is on the Brazilian community, so you'll have to translate all the data (it is all in Portuguese).

This is an example of the format (This is a sample report of the OWASP Juice Shop project):

{
 "information": {
  "size": "31 MB",
  "numberOfLines": 146485
 },
 "vulnerabilities": [
  {
   "owaspID": "",
   "cwe": "CWE-327",
   "severity": "alta",
   "recomendation": "Credenciais não devem ser armazenadas no código ou repositório Git. Existem soluções de ‘Secrets Management’ que podem ser utilizados para armazenar segredos ou utilizar recursos da Pipeline.",
   "longMessage": "Arquivo contém informação sensível escrita diretamente, como nomes de usuário, senhas, chaves , etc.",
   "class": "/lib/insecurity.js",
   "filename": "insecurity.js (14:31)",
   "method": "const privateKey = '-----BEGIN RSA PRIVATE KEY-----\\r\\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",
   "line": 14,
   "column": 31
  }
 ]
}
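Since the goal of the integration is automatic SARIF conversion, here is an added example (my code, not part of this thread or of the insider project) that turns a report of the shape shown above into a minimal SARIF 2.1.0 log. The sample input is constructed from the excerpt, with the key material truncated; the mapping of the Portuguese severity labels to SARIF levels is an assumption (only "alta" appears in the thread), and the use of the CWE as the SARIF ruleId is my choice, not anything the tool defines. The "method" field carries the matched source line, which for credential rules is the secret itself, so the converter truncates it rather than copying the full value into a file that will end up in CI artifacts and dashboards. Translating the Portuguese message text is left to the caller.

```python
import json

# Constructed sample shaped like the report excerpt in the thread (not the tool's real output);
# the key material is truncated and stands in for whatever the lexer matched.
SAMPLE_REPORT = {
    "information": {"size": "31 MB", "numberOfLines": 146485},
    "vulnerabilities": [
        {
            "owaspID": "",
            "cwe": "CWE-327",
            "severity": "alta",
            "recomendation": "Credenciais não devem ser armazenadas no código ou repositório Git.",
            "longMessage": "Arquivo contém informação sensível escrita diretamente.",
            "class": "/lib/insecurity.js",
            "filename": "insecurity.js (14:31)",
            "method": "const privateKey = '-----BEGIN RSA PRIVATE KEY-----\\r\\nMIIEpAIBAAKCAQEA...'",
            "line": 14,
            "column": 31,
        }
    ],
}

# Assumed mapping from the report's Portuguese severity labels to SARIF result levels.
# Only "alta" appears in the thread; the other labels are a guess at the tool's scale.
SEVERITY_TO_LEVEL = {"alta": "error", "média": "warning", "media": "warning", "baixa": "note"}

SNIPPET_MAX = 40  # characters of the matched source line kept in the SARIF output


def sarif_level(severity):
    """Map a report severity to a SARIF level; unknown or missing labels become 'warning'."""
    return SEVERITY_TO_LEVEL.get((severity or "").strip().lower(), "warning")


def redact_snippet(text, limit=SNIPPET_MAX):
    """Keep only the start of the matched line so a hard-coded secret is not copied
    verbatim into the SARIF file."""
    text = text or ""
    return text if len(text) <= limit else text[:limit] + "...[truncated]"


def to_sarif(report, tool_name="insider"):
    """Build a SARIF 2.1.0 log with a single run from an insider-style JSON report."""
    rules = {}
    results = []
    for finding in report.get("vulnerabilities", []):
        # The CWE is the most stable identifier the report carries; fall back to a
        # generic id when it is empty so every result still has a ruleId.
        rule_id = finding.get("cwe") or "insider-generic"
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": finding.get("longMessage", "")},
            "help": {"text": finding.get("recomendation", "")},
        })
        results.append({
            "ruleId": rule_id,
            "level": sarif_level(finding.get("severity")),
            "message": {"text": finding.get("longMessage", "")},
            "locations": [{
                "physicalLocation": {
                    # SARIF expects a relative URI; the report's "class" starts with "/"
                    "artifactLocation": {"uri": finding.get("class", "").lstrip("/")},
                    "region": {
                        # SARIF line/column numbers are 1-based; guard against 0 or missing values
                        "startLine": max(int(finding.get("line") or 1), 1),
                        "startColumn": max(int(finding.get("column") or 1), 1),
                        "snippet": {"text": redact_snippet(finding.get("method"))},
                    },
                }
            }],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_REPORT), indent=2, ensure_ascii=False))
```

Running the script prints the SARIF document for the constructed sample; feeding it the tool's real JSON report only requires `json.load` on the file and passing the result to `to_sarif`.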

Thank you for pointing me towards the rulesets. Not sure how I missed them out :( Good point regarding the translation. Have to think a bit around that but glad you brought it up.

You're welcome!
If you have any trouble integrating the tool, please reach out to us and we'll be glad to help you out :D

Just tried it in a branch.

It appears the Linux version is not built with the correct settings, so I am getting this error:

standard_init_linux.go:211: exec user process caused "no such file or directory"

Below is a good setting that I know works well. Perhaps the GOARCH makes a difference.

CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=amd64 go build $(BUILDFLAGS) -o insider

In addition, a parameter such as -report-path is required to specify the reports directory or file. Happy to file any subsequent changes as a separate issue.

About the GOARCH, I forgot to not specify any architecture in the Makefile, since the go tool handles it for your actual hardware architecture, sorry about that 😅

About the error itself, I don't see how I can reproduce it since I don't have any AMD-based PC lying around; maybe you can help me by describing exactly what you did, please?

Hi @prabhu,

Can you give us a status on this issue? I'm curious to know how the issue went on.

Thx

I will close because we didn't have any update from @prabhu .
Tks guys!

Sorry, I got a bit busy with a few things. Please feel free to send a PR even if it is WIP.