insidersec / insider

Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10. It analyses source code to find vulnerabilities directly in the source, and is designed to be an agile, easy-to-implement tool inside your DevOps pipeline. Supports the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and JavaScript (Node.js).

Home Page: https://insidersec.io

License: MIT License

Makefile 0.13% Go 99.77% Dockerfile 0.10%
sast security-tools security-scanner security-automation cli android-security ios-security insider owasp nodejs

insider's Introduction

This document is also available in Portuguese.

Insider is the OSS CLI project from the Insider Application Security Team for the community.

Insider is focused on covering the OWASP Top 10. It analyses source code to find vulnerabilities directly in the source, and is designed to be an agile, easy-to-implement tool inside your DevOps pipeline.

We currently support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).

There is a GitHub Action that lets you protect your repository with Insider: free, easy to integrate and frictionless. It is the easiest way to protect your code directly in your repository. Take a look - Insider-Action


Installation

You can install Insider using precompiled binaries or from source.

Precompiled binaries

We have precompiled binaries for Linux, Windows and macOS operating systems that you can find here.

Have fun! 🚀


Usage

insider is the CLI project from the Insider Application Security Team for the community

Usage:
  -exclude value
        Patterns to exclude directory or files to analyze. Can be used multiple times
  -jobs int
        Number of analysis to execute in parallel (default 4)
  -no-html
        Skips the report generation in the HTML format
  -no-json
        Skips the report generation in the JSON format
  -quiet
        No output logs of execution
  -security float
        Set the Security level, values between 0 and 100 (default 0)
  -target string
        Specify where to look for files to run the specific ruleset
  -tech string
        Specify which technology ruleset to load
  -v    Enable verbose output
  -version
        Show version and quit with exit code 0

Supported technologies:
        android
        java
        ios
        javascript
        csharp

Example of use:
        # Run JavaScript analysis on specific directoty
        insider -tech javascript -target <directory>

        # Run Android analysis on specific directoty and ignore html and json report
        insider -tech android -target <directory> -no-html -no-json

        # Run Java analysis on specific directoty with a base security value to fail
        insider -tech java -target <directory> -security 20

        # Run JavaScript analysis on specific directoty and exclude node_modules and test files
        insider -tech javascript -target <directory> -exclude tests/* -exclude node_modules/*


Example

# Check the correct release for your environment
$ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
$ tar -xf insider_2.1.0_linux_x86_64.tar.gz 
$ chmod +x insider
$ ./insider --tech javascript  --target <projectfolder>

Docker

You can also run insider in a container. You only need to mount the target into a volume:

$ docker run --rm -v $(pwd):/target-project insidersec/insider -tech <tech> -target /target-project



Contribution


Building from source

To build Insider from source you'll need at least Go version 1.13 working.

$ go get github.com/insidersec/insider/cmd/insider

License

  • This work is licensed under MIT.

insider's People

Contributors

bieeldeveloper, danilodeveloper, hermescanutodesouza, horaddrim, htrgouvea, mattheusv, metaver5o, omatron


insider's Issues

Install from Source Instructions Need Update

Describe the bug
The installation instructions say to do this (Using Go v13+): go get github.com/insidersec/insider/cmd/insider

To Reproduce
When I do, this is what happens:

MYDIR % go version
go version go1.17.1 darwin/amd64
MYDIR % go get github.com/insidersec/insider/cmd/insider
go: downloading github.com/insidersec/insider v0.0.0-20210126135832-20af38a83d17
go get: installing executables with 'go get' in module mode is deprecated.
Use 'go install pkg@version' instead.
For more information, see https://golang.org/doc/go-get-install-deprecation
or run 'go help get' or 'go help install'.

When I instead tried: go install github.com/insidersec/insider/cmd/insider --> The following happened:

go install: version is required when current directory is not in a module
Try 'go install github.com/insidersec/insider/cmd/insider@latest' to install the latest version

Maybe there needs to be multiple sets of instructions? Like Go 13-16, do the above, 17+ do something else. Not exactly sure.

Desktop (please complete the following information):

  • OS: MacOS
  • Version 11.5.2
  • go version go1.17.1 (For darwin/amd64)

How To Install It On Macbook

Hi,
Please include steps to install your app on Macbook and a few examples of commands to scan .IPA files to find vulnerabilities.

Skip files based on pattern

Is your feature request related to a problem? Please describe.
I scanned my whole repository and classes like "SomethingControllerTests" in C# were flagged with missing CSRF protection.

Describe the solution you'd like
Flag and/or configurable pattern to exclude files, for example by specifying a filename pattern *Tests.cs or similar.

Describe alternatives you've considered
In the specific case of tests, analyzers could skip files after looking for language/library specific terms such as annotations or fixtures.

Option to define custom reports Path and Name

Reports are not generated many times
It is observed that many times reports are not generated in the root directory despite the fact that the console says vulnerabilities were found. It seems the better way would be to save the report file in either case, e.g. found or not found, to streamline the flow.

Add an argument option to accept a custom path for reports
It would be best if we can define the custom path for reports and also the custom filename so that after scanning it will be obvious where to look for reports and from which name to find the actual report file.

Insider 3.0.0 Hung on macOS when running analysis on JS application

I downloaded the precompiled binary for macOS, gave it execute permissions, and ran it. The command appears to be hung, the tool isn't producing the banner nor any output.

To Reproduce

  1. Downloaded precompiled binary for macOS
  2. chmod +x insider
  3. ./insider -tech javascript -target /path/to/app

Expected behavior
The application is supposed to fire and start off with a banner, no output whatsoever.

Screenshots
Screen Shot 2021-03-01 at 5 27 54 PM
Desktop (please complete the following information):

  • OS: macOS Catalina 10.15.7
  • Version 3.0.0.

As a note, I ran it as root to see if permissions were the issue. Not the issue. Ran it as a regular user and a superuser, no output. Also, insider is running in a separate as the application I am testing.

Localisation of results needed

[When building from current master branch]
Having to translate all results from Portuguese back into English each time is a highly manual and time consuming task.

Describe the solution you'd like
The software should ideally detect the current locale and use the correct language, or else allow specifying a language to use at build or run time.

Describe alternatives you've considered
Only alternative is manually translating every message.

Add support for Go

Is your feature request related to a problem? Please describe.
Support for Go would be nice

Describe the solution you'd like
-tech go

Issue running Android analysis

Describe the bug

Different errors are thrown, can't complete Android analysis. Running it in one project I get this error

[INSIDER]: 2020/06/26 21:34:24 Starting analysis for Android target .
[INSIDER]: 2020/06/26 21:34:24 Starting Android source code analysis
[INSIDER]: 2020/06/26 21:34:24 Starting Android Manifest analysis
[INSIDER]: 2020/06/26 21:34:24 Loading manifest permission
[INSIDER]: 2020/06/26 21:34:24 198
[INSIDER]: 2020/06/26 21:34:24 Finished Android Manifest analysis
[INSIDER]: 2020/06/26 21:34:24 Starting Android Source Code Analysis
[INSIDER]: 2020/06/26 21:34:25 Removing: [] from file list from android tech
[INSIDER]: 2020/06/26 21:34:25 Removing: [] from file list from android tech
[INSIDER]: 2020/06/26 21:34:25 Found 4186 files to analyze.
[INSIDER]: 2020/06/26 21:34:25 loading core rules
[INSIDER]: 2020/06/26 21:34:25 Rules 8
[INSIDER]: 2020/06/26 21:34:25 loading android rules
[INSIDER]: 2020/06/26 21:34:25 Rules 8
[INSIDER]: 2020/06/26 21:34:25 Starting extracting hardcoded information
panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]:
insider/visitor.NewInputFile(0x7ffeefbff8ff, 0x1, 0xc000478398, 0x7, 0xc0000b6000, 0x2e, 0x22e, 0x0, 0x0, 0x0, ...)
        /Users/cynthia.baran/insider/visitor/file.go:238 +0x701
insider/visitor.FindFiles.func1(0xc000478398, 0x7, 0x17dcba0, 0xc00040e820, 0x0, 0x0, 0x7, 0xc0004cacd0)
        /Users/cynthia.baran/insider/visitor/reader.go:144 +0x32b
path/filepath.walk(0xc000478398, 0x7, 0x17dcba0, 0xc00040e820, 0xc0004cae98, 0x0, 0x0)
        /usr/local/go/src/path/filepath/path.go:358 +0x425
path/filepath.walk(0x7ffeefbff8ff, 0x1, 0x17dcba0, 0xc0003e4000, 0xc0004cae98, 0x0, 0x0)
        /usr/local/go/src/path/filepath/path.go:382 +0x2ff
path/filepath.Walk(0x7ffeefbff8ff, 0x1, 0xc0004cae98, 0x1b2db60, 0xc0004caed0)
        /usr/local/go/src/path/filepath/path.go:404 +0xff
insider/visitor.FindFiles(0x7ffeefbff8ff, 0x1, 0xc00002a300, 0x162e290, 0x50, 0x49, 0x0, 0x0, 0x0)
        /Users/cynthia.baran/insider/visitor/reader.go:114 +0xbb
insider/lib.ExtractHardcodedInfo(0x7ffeefbff8ff, 0x1, 0x0, 0x0, 0x17da4c0, 0xc0000a5d40, 0xc, 0x105a)
        /Users/cynthia.baran/insider/lib/analyzer.go:309 +0x61
insider/lib.AnalyzeAndroidSource(0x7ffeefbff8ff, 0x1, 0x0, 0x0, 0xc0000a5d40, 0x15dfe1f, 0x2, 0x0, 0x0)
        /Users/cynthia.baran/insider/lib/android.go:44 +0x25c
insider/supervisors.RunAndroidSourceCodeAnalysis(0x15e01ad, 0x3, 0x7ffeefbff907, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /Users/cynthia.baran/insider/supervisors/android.go:32 +0x2d1
main.main()
        /Users/cynthia.baran/insider/main.go:89 +0x10b2

Tried running it with a different project and I get this output

[INSIDER]: 2020/06/26 21:38:36 Starting analysis for Android target .
[INSIDER]: 2020/06/26 21:38:36 Starting Android source code analysis
[INSIDER]: 2020/06/26 21:38:36 Starting Android Manifest analysis
[INSIDER]: 2020/06/26 21:38:36 Loading manifest permission
[INSIDER]: 2020/06/26 21:38:36 198
[INSIDER]: 2020/06/26 21:38:37 Error: strconv.ParseBool: parsing "@bool/enable_system_alarm_service_default": invalid syntax
[INSIDER]: 2020/06/26 21:38:37 Finished analysis for Android app #.
[INSIDER]: 2020/06/26 21:38:37 strconv.ParseBool: parsing "@bool/enable_system_alarm_service_default": invalid syntax

Really don't know what's going on... Can anyone help?

To Reproduce
Run any android analysis

Expected behavior
Generate the reports

Desktop

  • OS: Catalina
  • Version 2.0.2

0 vulnerabilities found in Android library project

Describe the bug
I've run version 2.0.5 of Insider from the precompiled binaries on my MacOS Mojave 10.14.6. The project should have at least one known vulnerability I was trying the tool with, but the report returned 0.

To Reproduce
Steps to reproduce the behavior:

  1. Was in folder /Users/me/Downloads/insider_2.0.5_darwin_x86_64/
  2. Run ./insider -force --tech android --target /Users/me/Documents/company/androidlibrary
  3. The logs were successful:
 Starting analysis for Android target /Users/me/Documents/company/androidlibrary
 Starting Android source code analysis
 Starting Android Manifest analysis
 Loading manifest permission
 198
 Finished Android Manifest analysis
 Starting Android Source Code Analysis
 Removing: [] from file list from android tech
 Removing: [] from file list from android tech
 Found 927 files to analyze.
 loading core rules
 Rules 8
 loading android rules
 Rules 8
 Starting extracting hardcoded information
 Finished hardcoded information extraction
 Starting main source code analysis
 Finished main source code analysis
 Scanned 166616 lines
 Finished Android source Code analysis
 Report Done
 Json Report /Users/me/Downloads/insider_2.0.5_darwin_x86_64/report.json
 Json Report 63.1 kB bytes written successfully
 Html Report /Users/me/Downloads/insider_2.0.5_darwin_x86_64/report.html
 Html Report 134.7 kB bytes written successfully
 Found 0 warnings
 -----------------------------------------------
 Score Security 100/100
 Vulnerability	Number
 High		  0 
 Medium		  0 
 Low		  0 
 Total		  0 
 -----------------------------------------------------------------------------------------------------------------------
 You are using the Insider open source version. If you like the product and want more features,
 visit http://insidersec.io and get to know our enterprise version.
 If you are a developer, then you can contribute to the improvement of the software while using an open source version
 -----------------------------------------------------------------------------------------------------------------------
 Finished analysis for Android app #/Users/me/Documents/company/androidlibrary

Expected behavior
I have an insecure use of java.util.Random on a Kotlin object and it wasn't found.

Desktop (please complete the following information):

Additional context
I don't know if this is relevant but: The report came back with a list of files, but not all the project .kt and .java files were listed. The one that has the known vulnerability was not listed, for example.

Issue running Javascript analysis

Describe the bug
An error is thrown when trying to run a Javascript analysis.

[INSIDER]: 2020/06/26 21:46:07 Starting analysis for JavaScript/TypeScript app #
[INSIDER]: 2020/06/26 21:46:07 Starting JavaScript source code analysis
[INSIDER]: 2020/06/26 21:46:08 Found package.json file at package.json
[INSIDER]: 2020/06/26 21:46:10 Removing: [package.json package-lock.json] from file list from javascript tech
[INSIDER]: 2020/06/26 21:46:10 Removing: [target_001] from file list from javascript tech
[INSIDER]: 2020/06/26 21:46:10 Found 5901 files to analyze.
[INSIDER]: 2020/06/26 21:46:10 loading core rules
[INSIDER]: 2020/06/26 21:46:10 Rules 8
[INSIDER]: 2020/06/26 21:46:10 Rules 9
[INSIDER]: 2020/06/26 21:46:10 Starting extracting hardcoded information
[INSIDER]: 2020/06/26 21:46:10 Finished hardcoded information extraction
[INSIDER]: 2020/06/26 21:46:10 Staring main code analysis
panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]:
insider/visitor.NewInputFile(0x7ffeefbff907, 0x1, 0xc00054f890, 0xa, 0xc0004be380, 0x143, 0x343, 0x0, 0x0, 0x0, ...)
        /Users/cynthia.baran/insider/visitor/file.go:238 +0x701
insider/lib.AnalyzeNonAppSource(0x7ffeefbff907, 0x1, 0x0, 0x0, 0x15e564d, 0xa, 0xc000b53a48, 0x15dfe1f, 0x2, 0x1d53300, ...)
        /Users/cynthia.baran/insider/lib/analyzer.go:195 +0xc53
insider/supervisors.RunJSSourceCodeAnalysis(0x15e01ad, 0x3, 0x7ffeefbff90f, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /Users/cynthia.baran/insider/supervisors/javascript.go:29 +0x1d8
main.main()
        /Users/cynthia.baran/insider/main.go:99 +0xef9

To Reproduce
Running any Javascript analysis. I tried running it with two different projects.

Desktop

  • OS: Catalina
  • Version 2.0.2

0 vulnerabilities reported for iGoat-Swift

Describe the bug
No vulnerabilities were found when scanning the iGoat-Swift codebase

To Reproduce
Steps to reproduce the behavior:

  1. mkdir vulnerable-ios
  2. cd vulnerable-ios
  3. git clone https://github.com/OWASP/iGoat-Swift/tree/master/iGoat-Swift/iGoat-Swift
  4. cd ../scanner
  5. ./insider -tech ios -target ../vulnerable-ios/iGoat-Swift

Expected behavior
I was expecting to see at least a few vulnerabilities reported.

Screenshots
This is what the tool reported:

[INSIDER]: 2020/10/21 17:41:00 Starting analysis for iOS app #
[INSIDER]: 2020/10/21 17:41:00 Starting iOS Source code analysis
[INSIDER]: 2020/10/21 17:41:00 Extracting libraries
[INSIDER]: 2020/10/21 17:41:00 Removing: [ ] from file list from ios tech
[INSIDER]: 2020/10/21 17:41:00 Removing: [pods] from file list from ios tech
[INSIDER]: 2020/10/21 17:41:00 Found 0 files to analyze.
[INSIDER]: 2020/10/21 17:41:00 loading core rules
[INSIDER]: 2020/10/21 17:41:00 Rules 8
[INSIDER]: 2020/10/21 17:41:00 loading IOS rules
[INSIDER]: 2020/10/21 17:41:00 Rules 25
[INSIDER]: 2020/10/21 17:41:00 Rules 25
[INSIDER]: 2020/10/21 17:41:00 Starting extracting hardcoded information
[INSIDER]: 2020/10/21 17:41:28 Finished hardcoded information extraction
[INSIDER]: 2020/10/21 17:41:28 Scanned 0 lines
[INSIDER]: 2020/10/21 17:41:28 Finished code analysis
[INSIDER]: 2020/10/21 17:41:28 Json Report /Users/runner/work/1/s/report-20201021174128.json
[INSIDER]: 2020/10/21 17:41:28 Json Report 31.6 kB bytes written successfully
[INSIDER]: 2020/10/21 17:41:28 Html Report /Users/runner/work/1/s/report-20201021174128.html
[INSIDER]: 2020/10/21 17:41:28 Html Report 82.1 kB bytes written successfully
[INSIDER]: 2020/10/21 17:41:29 Found 0 warnings
[INSIDER]: 2020/10/21 17:41:29 -----------------------------------------------
[INSIDER]: 2020/10/21 17:41:29 Score Security 100/100
[INSIDER]: 2020/10/21 17:41:29 Vulnerability	Number
[INSIDER]: 2020/10/21 17:41:29 High		  0 
[INSIDER]: 2020/10/21 17:41:29 Medium		  0 
[INSIDER]: 2020/10/21 17:41:29 Low		  0 
[INSIDER]: 2020/10/21 17:41:29 Total		  0 
[INSIDER]: 2020/10/21 17:41:29 -----------------------------------------------------------------------------------------------------------------------
[INSIDER]: 2020/10/21 17:41:29 You are using the Insider open source version. If you like the product and want more features,
[INSIDER]: 2020/10/21 17:41:29 visit http://insidersec.io and get to know our enterprise version.
[INSIDER]: 2020/10/21 17:41:29 If you are a developer, then you can contribute to the improvement of the software while using an open source version
[INSIDER]: 2020/10/21 17:41:29 -----------------------------------------------------------------------------------------------------------------------
[INSIDER]: 2020/10/21 17:41:29 Finished analysis for iOS app #

Desktop (please complete the following information):

  • OS: Windows and macOS
  • Version 10 / 10-15

Additional context
Add any other context about the problem here.

Possibility to ignore the DRA

Hi,

In some cases I would like to ignore the DRA, I would like an option like:

./insider --tech javascript --target myfolder --no-dra

Thx

More information about -exclude

Hey! I have some difficulties in using -exclude flag.
When I run insider --tech javascript --target . -exclude node_modules it works great, but however I try to exclude, for example, results from CSS files anywhere in the project, how do I make it work?

-exclude *.css does not work

-exclude /.css doesn't work either
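The `-exclude` patterns documented in the Usage section (`-exclude tests/* -exclude node_modules/*`) and the question in this issue both come down to what a pattern is matched against. The following Go program is an added example, not insider's own code, and its matching semantics are an assumption rather than the tool's: it applies exclude patterns to a file list and records which pattern removed each file, so the set of files a scan actually covers can be audited instead of guessed (a file excluded by mistake is a finding that never appears).

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"path/filepath"
	"sort"
	"strings"
)

// ExcludeResult records the decision for every file so scan coverage can be audited.
type ExcludeResult struct {
	Scanned  []string          // relative paths that would be analysed
	Excluded map[string]string // relative path -> pattern that excluded it
}

// matchesPattern applies one exclude pattern to a slash-separated relative path.
// Semantics are an assumption for this example, not insider's own: a pattern
// containing "/" is matched against the path and each of its ancestor
// directories ("tests/*" removes everything under tests/); a pattern without
// "/" is matched against every path component ("*.css" removes CSS files in
// any directory, "node_modules" removes that directory wherever it appears).
func matchesPattern(pattern, rel string) (bool, error) {
	anchored := strings.Contains(pattern, "/")
	prefix := ""
	for i, part := range strings.Split(rel, "/") {
		if i == 0 {
			prefix = part
		} else {
			prefix = prefix + "/" + part
		}
		candidate := part
		if anchored {
			candidate = prefix
		}
		ok, err := path.Match(pattern, candidate)
		if err != nil {
			return false, fmt.Errorf("bad exclude pattern %q: %w", pattern, err)
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

// ApplyExcludes partitions files into scanned and excluded. The first matching
// pattern wins; an invalid pattern aborts rather than silently matching nothing.
func ApplyExcludes(files, patterns []string) (ExcludeResult, error) {
	res := ExcludeResult{Excluded: map[string]string{}}
	for _, f := range files {
		rel := filepath.ToSlash(f)
		hit := ""
		for _, p := range patterns {
			ok, err := matchesPattern(p, rel)
			if err != nil {
				return res, err
			}
			if ok {
				hit = p
				break
			}
		}
		if hit == "" {
			res.Scanned = append(res.Scanned, rel)
		} else {
			res.Excluded[rel] = hit
		}
	}
	sort.Strings(res.Scanned)
	return res, nil
}

// CollectFiles walks a real directory and returns paths relative to root, for
// running the audit against an actual project instead of the sample below.
func CollectFiles(root string) ([]string, error) {
	var files []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, relErr := filepath.Rel(root, p)
		if relErr != nil {
			return relErr
		}
		files = append(files, rel)
		return nil
	})
	return files, err
}

// SampleFiles is a constructed project layout; SamplePatterns mirror the
// README's "-exclude tests/* -exclude node_modules/*" plus the "*.css" case.
var SampleFiles = []string{
	"src/app.js", "src/styles/main.css", "tests/app.test.js",
	"tests/unit/deep.test.js", "node_modules/lodash/index.js", "docs/guide.md",
}
var SamplePatterns = []string{"tests/*", "node_modules/*", "*.css"}

func main() {
	res, err := ApplyExcludes(SampleFiles, SamplePatterns)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range res.Scanned {
		fmt.Printf("scan    %s\n", f)
	}
	for f, p := range res.Excluded {
		fmt.Printf("exclude %s  (pattern %q)\n", f, p)
	}
}
```

With the sample layout, only `docs/guide.md` and `src/app.js` remain to be scanned; the nested `tests/unit/deep.test.js` is removed because its ancestor `tests/unit` matches `tests/*`, and `src/styles/main.css` is removed by the bare `*.css` matched against its file name. Whatever semantics a real scanner uses, printing the excluded list next to the "Found N files to analyze" line is the check worth keeping in a pipeline.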

Add tool/scan metadata to .json results file

Lots of tools generate .json results files. Can you add some metadata to your .json results files that includes data like:

  • Toolname
  • Tool version
  • Scan start time
  • Scan complete time
  • Maybe GUID for the scan results themselves, in case the same code is scanned again.

Any other overall metadata you think might be useful.

Add support for JAVA

When using the insider --tech java ...
==> I got an error that Java is not a supported tech.

Describe alternatives you've considered
I tried to use --tech android but I am not sure that this is really relevant..

Legal License Change Issues

I noticed you changed how your software was licensed between a couple of versions. Version 1.0.0 was released under LGPL-3.0, version 2.0.0 was released under no license (automatic copyright), and version 2.0.5 was released under GPL-3.0.

I'm assuming that this wasn't intentional as this has some nasty legal implications that render this project basically unusable until they are resolved. I guess the options would be to...

  1. Revert to the LGPL-3.0 license along with any code not made under that license (2.0.0 - 2.0.4)
  2. Change to GPL-3.0 and provide the written approvals from each contributor, removing code from any contributor that denies permission (approvals would ideally be accessible from the repository as outlined here)
  3. Revert to the LGPL-3.0 license and provide the written approvals from each contributor who made contributions since 1.0.1 to license under LGPL-3.0 as explained above.

The root of the issue is that the developers who contributed to version 1.0.0 - 1.0.1 have not given permission to have the license for their code removed as it was in version 2.0.0 - 2.0.4, and developers who contributed to 2.0.0 - 2.0.4 have not given permission to license their code under GPL-3.0 as in 2.0.5. There's no way to prove that proper permission was granted by contributors since version 2.0.0. This may seem nit-picky, but the issue can result in DMCA takedowns which threaten the usability of the software. People using code from version 2.0.0 - 2.0.5 of this project may also be subject to legal consequences.

There's probably a loophole somewhere in the fact that your README hasn't been updated which you might be able to use as "proof" that the licence change was unintentional. However, I'm not qualified to give legal advice, so I suggest you speak to a lawyer before moving forward.

TL;DR call a lawyer.

Add a way to ignore false positive in code

Is your feature request related to a problem? Please describe.
Right now when insidersec detects a problem or finds some DRA in code there is no way to flag it as a false positive. It would be nice to have some way to tell insidersec to ignore such line/lines of code

Describe the solution you'd like
I think something like // insidersec:ignore for js and the equivalent comment in other languages would be easy for lines and putting that on the top of the file would just ignore the whole file.

Describe alternatives you've considered
One alternative to the file level ignore is the --exclusion flag that's been brought up in the issues

Additional context
None
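The inline marker proposed in this issue is easy to sketch, and the part worth getting right is that suppressions stay visible. The following Go program is an added example, not insider's code and not an implemented feature: it assumes JS-style `//` comments, honours `insidersec:ignore` on the flagged line, on a comment-only line directly above it, or on the first line of a file for a file-wide ignore, and returns every suppressed finding with its reason so a reviewer can see what was silenced. The source lines, rule names and findings are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// IgnoreMarker is the inline suppression comment proposed in the issue.
const IgnoreMarker = "insidersec:ignore"

// Finding is a minimal stand-in for a SAST result (constructed for this example).
type Finding struct {
	File string
	Line int // 1-based
	Rule string
}

// Suppressed keeps the reason a finding was dropped, so suppressions can be
// reviewed: a silent ignore is itself a coverage gap.
type Suppressed struct {
	Finding Finding
	Reason  string
}

// isMarkerOnlyLine reports whether a line is a comment carrying the marker and
// nothing else (JS-style "//" comments are assumed, per the issue's example).
func isMarkerOnlyLine(line string) bool {
	t := strings.TrimSpace(line)
	return strings.HasPrefix(t, "//") && strings.Contains(t, IgnoreMarker)
}

// fileIgnored implements "marker at the top of the file ignores the whole file":
// the first non-blank line must be a marker-only comment.
func fileIgnored(lines []string) bool {
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		return isMarkerOnlyLine(l)
	}
	return false
}

// ApplySuppressions partitions findings into kept and suppressed. Findings whose
// line cannot be located in the source are never suppressed.
func ApplySuppressions(sources map[string][]string, findings []Finding) ([]Finding, []Suppressed) {
	var kept []Finding
	var dropped []Suppressed
	for _, f := range findings {
		lines := sources[f.File]
		reason := ""
		switch {
		case f.Line < 1 || f.Line > len(lines):
			// unknown location: keep the finding rather than guess
		case fileIgnored(lines):
			reason = "file-level marker on first line"
		case strings.Contains(lines[f.Line-1], IgnoreMarker):
			reason = "marker on the flagged line"
		case f.Line > 1 && isMarkerOnlyLine(lines[f.Line-2]):
			reason = "marker comment on the preceding line"
		}
		if reason == "" {
			kept = append(kept, f)
		} else {
			dropped = append(dropped, Suppressed{Finding: f, Reason: reason})
		}
	}
	return kept, dropped
}

// SampleSources and SampleFindings are constructed inputs, not real scan output.
var SampleSources = map[string][]string{
	"src/legacy.js": {
		"// insidersec:ignore",
		"const apiKey = 'constructed-sample-value';",
	},
	"src/app.js": {
		"const cfg = loadConfig();",
		"const html = render(cfg); // insidersec:ignore -- output is escaped in render()",
		"// insidersec:ignore",
		"runTool(cfg.command);",
		"document.write(html);",
	},
}

var SampleFindings = []Finding{
	{"src/legacy.js", 2, "hardcoded-credential"},
	{"src/app.js", 2, "unsafe-render"},
	{"src/app.js", 4, "command-execution"},
	{"src/app.js", 5, "dom-write"},
	{"src/missing.js", 3, "unknown-file"},
}

func main() {
	kept, dropped := ApplySuppressions(SampleSources, SampleFindings)
	for _, s := range dropped {
		fmt.Printf("suppressed %s:%d %s (%s)\n", s.Finding.File, s.Finding.Line, s.Finding.Rule, s.Reason)
	}
	for _, f := range kept {
		fmt.Printf("reported   %s:%d %s\n", f.File, f.Line, f.Rule)
	}
}
```

Three of the five sample findings are suppressed, each with its reason, while the `document.write` finding and the one whose file is not in the source map are still reported. Keeping the suppressed list in the report output (rather than dropping it) is what makes the marker reviewable in code review and in the pipeline.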

Ignore node_modules folder

Is your feature request related to a problem? Please describe.
Hello guys!
It would be great if Insider ignored the node_modules folder for Node.js projects.

Describe the solution you'd like
Maybe create a CLI param like -skip=node_modules

Describe alternatives you've considered
I removed the node_modules folder before running Insider but it's not the best approach.

iOS Code Scan issue

I am scanning iOS code but not getting any result because scanning doesn't start. Below is the output:

sudo ./insider --tech ios --target /home/test/Downloads/project-folder
[insider] 2021/07/12 18:44:09 Starting analysis
[insider] 2021/07/12 18:44:09 Analysing IOS libraries
[insider] 2021/07/12 18:44:10 Analysing IOS plist files
[insider] 2021/07/12 18:44:11 Not found plist files at /home/test/Downloads/project-folder
[insider] 2021/07/12 18:44:11 Starting source code analysis
[insider] 2021/07/12 18:44:11 Analysing files on directory /home/test/Downloads/project-folder

FR: English reports

The reports are in Spanish:

   "recomendation": "Existem soluções de ‘Secrets Management’ que podem ser utilizados para armazenar segredos.",
   "longMessage": "Credenciais não devem ser armazenadas no código, um atacante poderia descompilar a aplicação e obter a credencial.",

it would be very nice, if I could enable reports in English

html report is not getting generated

Hi,

I have tried below command.

./insider --tech java --target cloud-test-app/

It's showing that a few vulnerabilities are there.


Score Security 26/100
Vulnerabilities 7
DRA 6
None 0
Low 0
Medium 0
High 7
Critical 0
Total 7

You are using the Insider open source version. If you like the product and want more features,
visit http://insidersec.io and get to know our enterprise version.
If you are a developer, then you can contribute to the improvement of the software while using an open source version

But no reports are getting generated

docker version report is stored in the image

Describe the bug
When running insider in docker, the report gets generated in /opt/insider. This is a problem because the report is hard to access once the container has stopped. The image is basically mixing binaries and data. The report should be written to a separate directory, for instance /var/insider, so one may bind that to another volume, or sent to stdout.

To Reproduce
Steps to reproduce the behavior:

  1. docker run --name container -v /path:/target insidersec/insider -tech csharp -target /target
  2. docker commit container image
  3. docker run -ti --entrypoint=sh image
  4. ls -l /opt/insider
total 7032
-rwxr-xr-x    1 root     root       7012352 Jan 26 14:26 insider
-rw-r--r--    1 root     root         12505 May 26 09:03 report.html
-rw-r--r--    1 root     root          7443 May 26 09:03 report.json
-rw-r--r--    1 root     root        160403 May 26 09:03 style.css

Expected behavior
report placed somewhere else or output to stdout

Desktop (please complete the following information):

  • OS: Windows
  • Version docker latest
docker run insidersec/insider -version
Version: dev
Git commit:
Build date:
OS/Arch: linux/amd64

Output SonarQube reports

Describe the solution you'd like
Insider could generate a SonarQube-compatible report, which should have this format. To achieve this, we will need to assign a unique ID for each rule.

Describe alternatives you've considered
Let every rule id have the prefix "insider", and the suffix composed of an abbreviation of the language and an integer, for example, INSIDER-JS1.

Additional context
Other SAST tools, such as GoSec, already have this feature. The id of GoSec rules follows the pattern G101

Rules might be missing in the repo?

Describe the bug
I am not able to find the rules in the repo. Possibly got missed out while committing to the repo.

To Reproduce
Look around for folders with names rulesets, core etc based on source code

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Version [e.g. 22]
  • Commit [e.g 9597e0a on master]

Additional context
I am working on sast-scan and would like to integrate this project and enable automatic SARIF conversion. I would like to evaluate the tool first before the integration.

Severity is blank in the report

Describe the bug
In the report (HTML or JSON), the severity is blank. So the vulnerabilities for a given severity are hard to find.

To Reproduce
Steps to reproduce the behavior:

  1. Scan a project (Tested with Java)
  2. Read the report.html, in the severity field for each vulnerability.

Expected behavior
Severity should be filled.

Screenshots

image

Desktop (please complete the following information):

  • OS: Linux
  • Version 3.0.0 (Release insider_3.0.0_linux_x86_64.tar.gz)

iOS scan not producing any report

Hey everyone,

Since v2.0.0 I haven't been able to get an report from an iOS project scan. It worked normally before that. Maybe something changed in how an analysis should be performed? Anyone else having this issue?

Describe the bug
When trying to perform an analysis of an iOS project, Insider exits without writing any report file.

To Reproduce
Run Insider v2.0.0 on macOS on an iOS project

./insider-macos-amd64 -tech ios -target ~/ios-project

Expected behavior
Insider would have generated the reports. It does work for analysis of other technologies.

Desktop

  • OS: macOS Catalina
  • Version: 2.0.0
  • Commit: aca156b on master

insider for ARM based computers

Hello insider team. I have been using insider for some time now. I have recently shifted to an M1 Mac and am therefore running an ARM-based version of Kali as a virtual machine, and I am unable to run insider on Kali as it is not supported yet.
If I am missing an already existing compatible version please point me to it; if not, please consider my request. Thank you.

NewInputFile throws an unhandled exception, with both javascript and C#

When analysing a project with many subfolders containing code, after insidersec starts main code analysis NewInputFile seems to have trouble with an unhandled exception, crashing the program and leaving basically no information to help with debugging

To Reproduce
Not sure how to help with reproducibility, since I don't know which file causes the problem, or if subfolders are the problem, and I cannot share any part of the project I'm working on

Expected behavior
I expected the program to keep running, and preferably to warn me that one or more files caused a problem and couldn't be analysed

Screenshots
Log from when analysing the C# part:
image

Log from when analysing the JavaScript part:
image

Desktop (please complete the following information):

  • OS: Windows 10 Enterprise
  • Release: 2.0.5

Insider finishing with status code 0 when some error occurred

Describe the bug
Self-explanatory title

insider/ (master) >>> ./insider -tech javascript -target invalid-target -no-banner
[INSIDER]: 2020/07/07 10:08:05 Starting analysis for JavaScript/TypeScript app #
[INSIDER]: 2020/07/07 10:08:05 Starting JavaScript source code analysis
[INSIDER]: 2020/07/07 10:08:05 Package.json not found but the process goes on
[INSIDER]: 2020/07/07 10:08:05 lstat invalid-target: no such file or directory
[INSIDER]: 2020/07/07 10:08:05 Finished JavaScript/TypeScript analysis
[INSIDER]: 2020/07/07 10:08:05 lstat invalid-target: no such file or directory
insider/ (master) >>> echo $?
0
insider/ (master) >>>

To Reproduce
Just pass some folder that does not exist

Expected behavior
Exit with status != 0

Add a per-directory config file

I'm thinking something adjacent to .njsscan files that lets you put all the params into an e.g. YAML file in the root directory, so you don't have to create a unique macro/alias for scanning each project.

Ability to scan from gradle project

Is your feature request related to a problem? Please describe.
The current "java" tech seems to only support reading from pom.xml to determine the source files scan. Also it's not clear whether it will scan both java and kotlin source files.

Describe the solution you'd like
The ability to detect a gradle project in the target directory and scan the source files based on that. Or even just to search the directory tree for any java/kotlin files and scan those (accepting that xml and other files could also contain URLs/emails/vulnerabilities).

Describe alternatives you've considered
None at this stage

Additional context
N/A
