For some tools that generate relative urls such as gitleaks, pmd the code auto-prefixes workspace for each result to make the location absolute. As per SARIF specification, it should be possible to specify uriBaseId and retain relative urls.

https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012377 - section 3.4.14

This should also improve performance by a few seconds since we dont have to do things like this.

https://github.com/AppThreat/sast-scan/blob/master/lib/convert.py#L261
https://github.com/AppThreat/sast-scan/blob/master/lib/xml_parser.py#L50

It appears like only certain tools (bandit, gosec) respect the #nosec comment to filter out false positives. Find Security Bugs seems to be using @SuppressFBWarnings annotation. It will be nice to at least document the annotation and comments required to filter the check.

I seem to be unable to run it.

sast:
stage: test
image:
name: appthreat/sast-scan
script:
- scan --src ${TF_ROOT} --type Terraform --out_dir ${CI_PROJECT_DIR}/reports
artifacts:
paths:
- $CI_PROJECT_DIR/reports/

Windows is not short of choice for terminals.

• cmd
• powershell
• powershell core
• WSL 1
• WSL 2
• Git Bash

Let's test sast-scan on each of the model and document the level of support.

TL;DR

sast-scan passes a full path to nodejsscan for the output, and nodejsscan can't handle it. nodejsscan run outside of sast-scan handles the same parameters fine. Does the Docker image have a different version of nodejsscan?

Problem

I'm using sast-scan in GitLab CICD to scan a node project. I've tried a few different parameters, but no matter what I specify for out_dir I get a "No such file or directory" error. Here's what I have in my .gitlab-ci.yml file:

sast:
  stage: test
  image: 
    name: appthreat/sast-scan
  script:
    - scan --src src --type nodejs --out_dir .
  artifacts:
    paths:
      - nodejsscan-report.json

And here's the output:

$ scan --src src --type nodejs --out_dir .
  ___            _____ _                    _
 / _ \          |_   _| |                  | |
/ /_\ \_ __  _ __ | | | |__  _ __ ___  __ _| |_
|  _  | '_ \| '_ \| | | '_ \| '__/ _ \/ _` | __|
| | | | |_) | |_) | | | | | | | |  __/ (_| | |_
\_| |_/ .__/| .__/\_/ |_| |_|_|  \___|\__,_|\__|
      | |   | |
      |_|   |_|
INFO [2020-04-10 12:53:54,342] Scanning src using scan plugins ['nodejs']
INFO [2020-04-10 12:53:54,342] ================================================================================
INFO [2020-04-10 12:53:54,343] ⚡︎ Executing "nodejsscan --output ./nodejsscan-report.json -d src"
ERROR [2020-04-10 12:53:54,610] Received exception: [Errno 2] No such file or directory: './nodejsscan-report.json'

What I've Tried

I've tried different directories, and get the same results. As soon as it's a path to a directory, nodesjsscan shows that error.

I've tried not specifying --out_dir, but then sast-scan constructs a full path src/reports/nodejsscan-report.json that it passes to nodejsscan and I get the same error.

I tried bypassing sast-scan entirely and calling nodejsscan directly so I could specify the parameters directly:

sast:
  stage: test
  image: 
    name: opensecurity/nodejsscan:cli
    entrypoint:
      - "/usr/bin/env"
      - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  script:
    - python /usr/src/app/cli.py -d src -o sast-report.json
  artifacts:
    paths:
      - sast-report.json

That works. Note that there's no path in the output parameter.

I tried running nodejsscan locally with the parameters that sast-scan passes:

$ nodejsscan --output ./nodejsscan-report.json -d src

That works.

Where I'm Confused

The sast-scan image on docker hub was built 3 days ago. The version of nodejsscan on PyPI is 3.7, same as I'm running locally, released Jan 18, 2020. I'm looking at the code where the error seems to be thrown, and that hasn't changed in over a year.

Currently, takes over a minute. Perhaps we need to look at alpine after all.

Aggregated report can be easily imported into products such as BigQuery

This property is helpful to differentiate multiple invocations of the tools with the same parameter.

For eg: whether invoked as a pre-commit hook or for scanning a feature branch or a nightly security scan

https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012377 - section 3.17

Well it's time to make it official. Firstly, a blog post to explain my thoughts:

https://blog.shiftleft.io/appthreat-is-joining-the-shiftleft-family-b9d95052aa50

There will be no change to the projects. No change of license nothing ... so no need to fork or panic. Like I say in the blog, we are just getting started ...

SARIF is great for portability and viewing the reports directly on Azure Pipelines and VS code. However, most devs are stuck with amateur CI products such as GitHub actions, Google CloudBuild to name a few :)

To help such devs, I think we need a html view that doesn't suck. There is a free web component from Microsoft. It's kinda nice but needs some more work to make it usable - like rendering the metadata about the run, tool and codebase for a start.

Currently, the metrics attribute can have any data depending on the result from the tool.

Eg:
https://github.com/AppThreat/sast-scan/blob/master/lib/convert.py#L63

This is creating issues while importing the aggregate data onto a database such as BigQuery for visualization with datastudio.

It currently only includes the filename and is missing the full or relative path. This makes the rendered sarif file less friendly since the user can not select the filename to navigate to the correct location.

Let's benchmark this project using OWASP/Benchmark

As you might know that Find Sec Bugs has a great detection rate of 39% as of last test.

https://github.com/OWASP/Benchmark/blob/master/scorecard/benchmark_comparison.png

Now that SAST scanning is sufficiently mature and stable, it's time to look at open-source dependency scanning.

Our sast-scan container images already bundles a number of dependency scanning tools such as dependency-check, retire.js, ossaudit and so on. They operate differently and produce reports in their formats.

Some challenges that need to be solved:

• Dependency-check (and the likes of trivy) is downloading all the CVE/NVD data each time for each run. Because of the added complexity with our container-based execution, effort is required to cache such data and mount the volume to the docker image and so on. Over a http proxy this would incur additional penalty. I am going to look at the pros and cons of splitting our container image into a separate sast-scan and oss-scan image
• Tools such as retire.js, ossaudit and so on use the oss sonatype backend which requires a separate API key to make it usable. Currently, we are not requesting and injecting this api key. I want to spend time figuring out a way to do an efficient oss scan that neither involves downloading all the data nor requires a proprietary database such as sonatype!
• Investigate and identify a common format to represent dependency vulnerabilities. Strong contender is grafeas

From within a Ruby project

docker run --rm --tmpfs /tmp -e "WORKSPACE=${PWD}" -v $PWD:/app appthreat/sast-scan scan --src /app --out_dir /app/reports --type ruby

Leads to the following error

INFO [2020-01-12 16:53:28,438] ♒︎ Executing "railroader --skip-files .git,.svn,.mvn,.idea,dist,bin,obj,backup,docs,tests,test,tmp,reports -o /app/reports/ruby-report.json -q /app"
/usr/local/share/gems/gems/sexp_processor-4.13.0/lib/sexp.rb:222:in `line': setting s(:args).line nil (ArgumentError)
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp.rb:43:in `deep_clone'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp.rb:32:in `block in deep_clone'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp.rb:30:in `each'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp.rb:30:in `deep_clone'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/processors/alias_processor.rb:50:in `process_safely'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/processor.rb:93:in `process_initializer'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/scanner.rb:185:in `process_initializer'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/scanner.rb:179:in `block in process_initializers'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/scanner.rb:302:in `block in track_progress'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/scanner.rb:299:in `each'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/scanner.rb:299:in `track_progress'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/scanner.rb:177:in `process_initializers'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/scanner.rb:47:in `process'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader.rb:354:in `scan'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader.rb:77:in `run'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/commandline.rb:133:in `run_railroader'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/commandline.rb:118:in `regular_report'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/commandline.rb:142:in `run_report'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/commandline.rb:35:in `run'
	from /usr/local/share/gems/gems/railroader-4.3.8/lib/railroader/commandline.rb:20:in `start'
	from /usr/local/share/gems/gems/railroader-4.3.8/bin/railroader:8:in `<top (required)>'
	from /usr/local/bin/railroader:23:in `load'
	from /usr/local/bin/railroader:23:in `<main>'

Referenced issue: david-a-wheeler/railroader#7

As per sarif specification versionControlProvenance property can be used to store the repo details. This data is useful while working with multiple repos in an aggregated manner.

https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012377

INFO [2020-01-13 18:17:30,174] Scanning /app using scan plugins ['python']
INFO [2020-01-13 18:17:30,175] ⚡︎ Executing "cdxgen -o /app/reports/bom-report.xml /app"

when I run docker run --rm --tmpfs /tmp -v xxx:/app appthreat/sast-scan scan --src /app --type python --out_dir /app/reports, docker pull very fast, but the process stop at this scene for a very long time, and the network is ok.

Need sample Jenkins pipeline with some screenshots and guidance.

Need sample AWS codebuild/codepipeline yaml with screenshots.

I see the Dockerfile is installing staticcheck tool, however I dont see it running on the golang type:

Is it because the SARIF converter is not yet ready for staticcheck?

Thanks

Hello,

I am getting the error "Unable to find repo details from the local repository" but there is in fact a file .sastscanrc in /app.

I can see that a file findsecbugs-report.xml was generated but there is just one finding.

1. Why there is hust one finding? it seems the scanners stopped prematurely.
2. Also, how can I get findsecbugs-report.xml exported to a SARIF?

docker run --rm -e "WORKSPACE=%cd%" -v "C:\maven\apache-maven-3.6.3\bin" -v "C:\source_code\app":/app appthreat/sast-scan scan --src /app --type java

/ _ \ |_ | | | |
/ /\ _ __ _ __ | | | |__ _ __ ___ __ | |
| _ | '_ | '_ | | | '_ | '/ _ / ` | __|
| | | | |) | |) | | | | | | | | __/ (| | |_
_| |_/ ./| ./_/ || ||_| _|_,|_|
| | | |
|| |_|

INFO [2020-04-01 13:26:44,486] Scanning /app using scan plugins ['credscan', 'java']
INFO [2020-04-01 13:26:44,494] ================================================================================
INFO [2020-04-01 13:26:44,496] ⚡︎ Executing "gitleaks --depth=2 --repo-path=/app --redact --timeout=2m --report=/app/reports/credscan-report.json --report-format=json"
INFO[2020-04-01T13:26:44Z] no leaks found, skipping writing report
INFO[2020-04-01T13:26:44Z] No leaks detected. 0 commits audited in 353 milliseconds 67 microseconds
INFO [2020-04-01 13:26:44,896] ================================================================================
INFO [2020-04-01 13:26:44,897] ⚡︎ Executing "java -jar /opt/spotbugs/lib/spotbugs.jar -textui -include /usr/local/src/spotbugs/include.xml -exclude /usr/local/src/spotbugs/exclude.xml -noClassOk -auxclasspathFromFile /tmp/tmpl891l6xd -sourcepath /app -quiet -medium -xml:withMessages -effort:max -nested:false -output /app/reports/findsecbugs-report.xml /app"WARNING [2020-04-01 13:27:02,662] Unable to find repo details from the local repository. Consider adding a local .sastscanrc file with the url details.
WARNING [2020-04-01 13:27:02,680] Project type is not supported: java

Thanks,

Need sample Gitlab-CI pipeline with some screenshots and guidance.

Certain CI such as Google CloudBuild lack a way to specify continue on error for build steps. Build break logic should therefore be configurable.

Dear Google,

If you are reading this ticket please invest and improve CloudBuild since it's currently looking inferior to even GitHub actions.

It appears like Visual Studio 2019 with SARIF viewer extension is not working quite well.

• Visual Studio is expecting the version attribute to be at the top! When we do to_json(sarif schema) the attributes are getting sorted alphabetically so the runs attribute is on the top and version is at the bottom. We need to find a workaround for this
• Our url encode is encoding and converting the backslash () to %5C thus confusing the extension

Attached is an example.

findsecbugs-report.sarif.txt

Commercial folks are able to scan pull requests and add the results directly as a comment. Let's implement this feature entirely in actions without involving any server!

Instead of bloating the container, we can perhaps start with a new action for this feature.