Release Second - Continious Integration by library analysis

Release Second - Continious Integration by library analysis

Two years ago we had a web portal where you could paste your code and it will automatically grab the libraries for analysis. We quickly realized that this is not going to work. We should not ask the customer to trust us with data we don’t need. We do not need the entire source code of a project just to grab the libraries and send it to us. If this is done, it needs to be done properly, a customer premises device with a NDA(non disclosure agreement) issued by the customer and a proper source code analyze done by the customer. Luckily we now a solution for this!

What we wanted to avoid:
* knowledge of the enduser’s sourcecode
* easy to integrate into CI tools such as Jenkins
* easy to work with aswell as fast

We want something like the linux exploit suggestor for dependecies.

We are happy to anonce a new simple opensource tool to run test on Rust, NodeJS and Python applications! This takes advantage of our new API features: * /rustlibs * /nodelibs

The tool is opensource and avaliable at:

It grabs the libraries and sends it to one of the new api endpoints.

Build your own stuff:

API docummentaions:

Syntax overview:
you need to pass a list of the libraries in the format of ('name','version'):
for example i have a python script that is:
import requests

I will ask python which version i run:
gibson$ python3.6               
Python 3.6.8 (default, Apr 13 2019, 18:58:09)
[GCC 4.2.1 Compatible OpenBSD Clang 7.0.1 (tags/RELEASE_701/final)] on openbsd6 
Type "help", "copyright", "credits" or "license" for more information. 
>> import pkg_resources
>>> pkg_resources.get_distribution("requests").version

so now i know the programming language which is python and name of the library which is requests with the version 2.21.0 so lets query for it:

curl -X POST -H "Content-Type: application/json" -d '{"apikey":"value1", "libraries":{"requests": "2.21.0"}, "langversion":"3.6.8"}'

The required keys are:
apikey   - This is your api key
libraries  - Library and version, if there is no version you can send an empty string, in a similar syntax of: {'lib0':'0.1', 'lib1':''}
here we know that lib0 is version 0.1 and we dont know on what version lib1 is. it is important that you send the version number as a string and nothing else.'', json={"apikey": "value", "libraries":{"name":"version", "asd":"0"}}).text

Optional keys:


The new tool in your arsenal

Grab it:

The tool will work on NodeJS and Rust projects, it uses our API and queries the libraries for vulnerabilities.

Lets give it a spin with a opensource Rust project

$ git clone
$ cd mkpw/ && wget
$  python3.6
checking key                                                                    
checked key!                                                                    
detected Rust                                                                   
i found the Cargo.toml!                                                         
Checking library pancurses version 0.12                                         
    "author": "Rust Project Developers",                                        
    "cve": "RUSTSEC-2019-0005",                                                 
    "description": "Description pancurses::mvprintw and pancurses::printw passes
 a pointer from a rust &str to C, allowing hostile input to execute a fo
rmat string attack, which trivially allows writing arbitrary data to stack memor
y. More Info Patched Versions"
    "link": "",            
    "published_date": "2019-06-15T01:00:00",                                    
    "recommendation": "Update to the latest Rust library version",              
    "title": "RUSTSEC-2019-0005: pancurses: Format string vulnerabilities in `pa
    "version": "not set"                                                        
Checking library rand version 0.3                                               
 nothing found                                                                  
Checking library md-5 version 0.5                                               
 nothing found                                                                  
Checking library base64 version 0.8                                             
 nothing found                                                                  

and lets try with a nodejs one:

checking key                          
checked key!                          
NodeJS detected!                      
doing nodejs                          
i found the Packages.json!            
Library: colors  nothing found        
Library: compression  nothing found   
    "author": "Andreas Hallberg ",                                              
    "cve": "[]",                                                                
    "description": "Versions of `ids-enterprise` prior to 4.18.2 are vulnerable 
to Cross-Site Scripting (XSS). Script tags in the `soho-autocomplete` component 
are not properly encoded and may allow attackers to execute arbitrary JavaScript
    "link": "['']",                             
    "published_date": "2019-06-10T20:43:12",                                    
    "recommendation": "Upgrade to version 4.18.2 or later",                     
    "title": "Cross-Site Scripting for ids-enterprise",                         
    "version": "4.18.2"                                                         
Library: body-parser  nothing found
    "author": "Snyk Security Team",                                             
    "cve": "[]",                                                                
    "description": "Versions of `sequelize` prior to 3.35.1 are vulnerable to SQ
L Injection. The package fails to sanitize JSON path keys in the MariaDB and MyS
QL dialects,  which may allow attackers to inject SQL statements and execute arb
itrary SQL queries.",                                                           
    "link": "['']",                            
    "published_date": "2019-06-24T15:07:08",                                    
    "recommendation": "Upgrade to version 5.8.11 or later.",                    
    "title": "SQL Injection for sequelize",                                     
    "version": "5.8.11"                                                         
}                                                                        requires python (we prefeer a 3.6 version) and the python libraries requests(pip install requests) and pkg_resources

Grab an API key and start hacking!