Release Second - Continuous Integration by library analysis
Two years ago we had a web portal where you could paste your code and it would automatically grab the libraries for analysis. We quickly realized that this was not going to work. We should not ask the customer to trust us with data we don't need: we do not need the entire source code of a project just to grab the libraries and send them to us. If this is done at all, it needs to be done properly, with a device on the customer's premises, an NDA (non-disclosure agreement) issued by the customer and a proper source code analysis done by the customer. Luckily we now have a solution for this!
What we wanted to avoid:
* knowledge of the end user's source code
What we wanted:
* easy to integrate into CI tools such as Jenkins
* easy to work with as well as fast
We wanted something like the Linux Exploit Suggester, but for dependencies.
We are happy to announce a new, simple open source tool to run tests on Rust, NodeJS and Python applications! It takes advantage of our new API features:
* /rustlibs
* /nodelibs
The tool is open source and available at: https://github.com/firosolutions/cifiro
It grabs the libraries and sends them to one of the new API endpoints.
Build your own stuff:
API documentation:
Syntax overview:
You need to pass a list of the libraries in the format of ('name','version'):
For example, I have a Python script that is:
import requests
print(requests.get('https://duckduckgo.com').text)
I will ask Python which version of requests I am running:
gibson$ python3.6
Python 3.6.8 (default, Apr 13 2019, 18:58:09)
[GCC 4.2.1 Compatible OpenBSD Clang 7.0.1 (tags/RELEASE_701/final)] on openbsd6
Type "help", "copyright", "credits" or "license" for more information.
>>> import pkg_resources
>>> pkg_resources.get_distribution("requests").version
'2.21.0'
So now I know the programming language (Python), the name of the library (requests) and its version (2.21.0), so let's query for it:
curl -X POST -H "Content-Type: application/json" -d '{"apikey":"value1", "libraries":{"requests": "2.21.0"}, "langversion":"3.6.8"}' https://api.firosolutions.com/pythonlibs
The required keys are:
apikey - This is your API key
libraries - Library and version; if there is no version you can send an empty string, in a syntax similar to: {'lib0':'0.1', 'lib1':''}
Here we know that lib0 is version 0.1 and we don't know which version lib1 is. It is important that you send the version number as a string and nothing else.
The same kind of request from Python, here against the /rustlibs endpoint:
import requests
print(requests.post('https://api.firosolutions.com/rustlibs', json={"apikey": "value", "libraries": {"name": "version", "asd": "0"}}).text)
Optional keys:
langversion - the version of the language runtime, e.g. "3.6.8" in the curl example above
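The following is an added example (not code from the cifiro project or the original post) of building a /pythonlibs request the way the API section above describes: versions are read from installed package metadata only, every version is sent as a string, and an unknown version becomes the empty string. The helper names (collect_installed, validate_libraries, build_payload, query) and the YOUR_API_KEY placeholder are this example's own assumptions; the endpoint paths and key names come from the page.

```python
import json
import platform

try:
    # Python 3.8+ standard library; the page uses pkg_resources, which is the fallback below
    from importlib.metadata import version as dist_version, PackageNotFoundError
except ImportError:
    import pkg_resources

    def dist_version(name):
        return pkg_resources.get_distribution(name).version

    PackageNotFoundError = pkg_resources.DistributionNotFound

# Endpoints named on the page: /pythonlibs, /rustlibs, /nodelibs
API_BASE = "https://api.firosolutions.com"


def collect_installed(names):
    """Map each library name to its installed version, or '' when it is not installed.

    Only package metadata is read; no source code is collected."""
    found = {}
    for name in names:
        try:
            found[name] = dist_version(name)
        except PackageNotFoundError:
            found[name] = ""
    return found


def validate_libraries(libraries):
    """Return a list of problems with the mapping; an empty list means it is acceptable.

    The API wants every version as a string (or '' when unknown), never a number."""
    problems = []
    for name, version in libraries.items():
        if not isinstance(name, str) or not name:
            problems.append("library name must be a non-empty string: %r" % (name,))
        if version is not None and not isinstance(version, str):
            problems.append("version of %s must be a string, got %r" % (name, version))
    return problems


def build_payload(apikey, libraries, langversion=None):
    """Build the JSON body for the API: required keys apikey and libraries, optional langversion."""
    problems = validate_libraries(libraries)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "apikey": apikey,
        "libraries": {name: (version or "") for name, version in libraries.items()},
    }
    if langversion:
        payload["langversion"] = langversion
    return payload


def query(endpoint, payload):
    """POST the payload to one of the endpoints and return the raw response text.

    requests is imported here so that the rest of the example runs offline."""
    import requests
    resp = requests.post(API_BASE + endpoint, json=payload, timeout=30)
    resp.raise_for_status()
    return resp.text


if __name__ == "__main__":
    # Hypothetical library list; replace YOUR_API_KEY with a real key before querying.
    libs = collect_installed(["requests", "urllib3"])
    payload = build_payload("YOUR_API_KEY", libs, platform.python_version())
    print(json.dumps(payload, indent=2))
    # print(query("/pythonlibs", payload))
```

build_payload refuses numeric versions instead of silently converting them, so a CI job fails loudly rather than querying the API with a version the API cannot match.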
cifiro
The new tool in your arsenal
Grab it: Github.com/firosolutions/cifiro
The tool works on NodeJS and Rust projects; it uses our API and queries the libraries for vulnerabilities.
Let's give it a spin with an open source Rust project:
$ git clone https://github.com/GhostPirateGir/mkpw.git
$ cd mkpw/ && wget https://raw.githubusercontent.com/firosolutions/cifiro/master/cifiro.py
$ python3.6 cifiro.py
checking key
checked key!
detected Rust
i found the Cargo.toml!
Checking library pancurses version 0.12
Result:
{
    "author": "Rust Project Developers",
    "cve": "RUSTSEC-2019-0005",
    "description": "Description pancurses::mvprintw and pancurses::printw passes a pointer from a rust &str to C, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory. More Info https://github.com/RustSec/advisory-db/issues/106 Patched Versions",
    "link": "https://rustsec.org/advisories/RUSTSEC-2019-0005.html",
    "published_date": "2019-06-15T01:00:00",
    "recommendation": "Update to the latest Rust library version",
    "title": "RUSTSEC-2019-0005: pancurses: Format string vulnerabilities in `pancurses`",
    "version": "not set"
}
Checking library rand version 0.3
Result:
nothing found
Checking library md-5 version 0.5
Result:
nothing found
Checking library base64 version 0.8
Result:
nothing found
And let's try with a NodeJS one:
checking key
checked key!
NodeJS detected!
doing nodejs
i found the Packages.json!
Library: colors nothing found
Library: compression nothing found
{
    "author": "Andreas Hallberg ",
    "cve": "[]",
    "description": "Versions of `ids-enterprise` prior to 4.18.2 are vulnerable to Cross-Site Scripting (XSS). Script tags in the `soho-autocomplete` component are not properly encoded and may allow attackers to execute arbitrary JavaScript.",
    "link": "['https://npmjs.com/advisories/955']",
    "published_date": "2019-06-10T20:43:12",
    "recommendation": "Upgrade to version 4.18.2 or later",
    "title": "Cross-Site Scripting for ids-enterprise",
    "version": "4.18.2"
}
Library: body-parser nothing found
{
    "author": "Snyk Security Team",
    "cve": "[]",
    "description": "Versions of `sequelize` prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.",
    "link": "['https://npmjs.com/advisories/1018']",
    "published_date": "2019-06-24T15:07:08",
    "recommendation": "Upgrade to version 5.8.11 or later.",
    "title": "SQL Injection for sequelize",
    "version": "5.8.11"
}
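The two runs above show the part of the workflow that keeps the source code on the customer's machine: only the manifest (Cargo.toml or package.json) is read, and only name/version pairs leave. As an added example, not cifiro's own code, here is a small manifest reader for both formats plus a CI gate that turns per-library findings into an exit code, which is what a Jenkins step needs. The sample manifests are constructed for this example (they are not the mkpw project's files), the findings sample reuses the pancurses advisory printed above, and normalize_version's rule of sending '' for anything that is not a plain version (a range like "*" or a git URL) is this example's own choice, relying on the API's documented acceptance of an empty version string.

```python
import json
import re

# Constructed sample Cargo.toml (not the mkpw project's manifest)
SAMPLE_CARGO_TOML = """
[package]
name = "demo"
version = "0.1.0"

[dependencies]
pancurses = "0.12"            # plain string form
rand = { version = "0.3", features = ["std"] }   # inline table form
base64 = "0.8"

[dev-dependencies]
md-5 = "0.5"
"""

# Constructed sample package.json with typical npm range specifiers
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo",
    "dependencies": {"sequelize": "^5.8.0", "body-parser": "~1.19.0", "colors": "*"},
    "devDependencies": {"compression": "1.7.4"},
})

PLAIN_VERSION = re.compile(r"^\d+(\.\d+)*$")
DEP_SECTIONS = ("dependencies", "dev-dependencies", "build-dependencies")


def normalize_version(spec):
    """Strip a single leading range operator; anything still not a plain version becomes ''.

    '' is what the API documents for an unknown version, so ranges such as '*',
    pre-release tags and git URLs are sent as unknown rather than guessed."""
    spec = spec.strip()
    for prefix in ("^", "~", ">=", "<=", "=", ">", "<"):  # ">=" must precede ">"
        if spec.startswith(prefix):
            spec = spec[len(prefix):].strip()
            break
    return spec if PLAIN_VERSION.match(spec) else ""


def parse_cargo_toml(text):
    """Collect {crate: version} from the dependency sections of a Cargo.toml.

    Handles the one-line forms shown in SAMPLE_CARGO_TOML; multi-line inline
    tables are out of scope for this example."""
    libs = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
            continue
        if section not in DEP_SECTIONS:
            continue
        entry = re.match(r"^([A-Za-z0-9_\-]+)\s*=\s*(.+)$", line)
        if not entry:
            continue
        name, value = entry.group(1), entry.group(2).strip()
        if value.startswith('"'):
            version = value.strip('"')
        else:  # inline table: pick the version key, ignore features/path/git
            found = re.search(r'version\s*=\s*"([^"]*)"', value)
            version = found.group(1) if found else ""
        libs[name] = normalize_version(version)
    return libs


def parse_package_json(text):
    """Collect {package: version} from dependencies and devDependencies of a package.json."""
    data = json.loads(text)
    libs = {}
    for key in ("dependencies", "devDependencies"):
        for name, spec in data.get(key, {}).items():
            libs[name] = normalize_version(str(spec))
    return libs


def ci_gate(findings):
    """Turn {library: [advisory dicts]} into (exit_code, report_lines).

    Exit code 1 fails the CI job as soon as any library has an advisory."""
    lines = []
    for name in sorted(findings):
        for adv in findings[name]:
            lines.append("%s: %s -> %s (%s)" % (
                name, adv.get("title", "?"), adv.get("recommendation", "?"), adv.get("link", "")))
    return (1 if lines else 0), lines


# Findings sample built from the pancurses advisory shown in the Rust run above
SAMPLE_FINDINGS = {
    "pancurses": [{
        "title": "RUSTSEC-2019-0005: pancurses: Format string vulnerabilities in `pancurses`",
        "recommendation": "Update to the latest Rust library version",
        "link": "https://rustsec.org/advisories/RUSTSEC-2019-0005.html",
    }],
    "rand": [], "md-5": [], "base64": [],
}

if __name__ == "__main__":
    print(parse_cargo_toml(SAMPLE_CARGO_TOML))
    print(parse_package_json(SAMPLE_PACKAGE_JSON))
    code, report = ci_gate(SAMPLE_FINDINGS)
    print("\n".join(report))
    raise SystemExit(code)
```

The parsed mapping is exactly the "libraries" value the API expects, so it can be handed straight to a payload builder; the gate is deliberately strict (any advisory fails the build), which is the behaviour you want before adding an allow-list for accepted risks.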
Github.com/FiroSolutions/cifiro requires Python (we prefer a 3.6 version) and the Python libraries requests (pip install requests) and pkg_resources.
Grab an API key and start hacking! https://watchers.firosolutions.com