franceme / cryptoguard

This project forked from cryptoguardoss/cryptoguard

Home Page: https://franceme.github.io/cryptoguard

License: GNU General Public License v3.0

cryptoguard's Introduction

CryptoGuard 04.05.03


A program analysis tool to find cryptographic misuse in Java and Android.

CryptoSouple.py

This Python file is the wrapper created to assist with various portions of the project. Use it for commands such as:

  • setting the environment
  • cleaning the project
  • building the project
  • running tests
  • building a simple command

There is also a website hosting a Docker image that actively runs either Java or Python3 samples. The Java notebook is only possible by utilizing IJava. This is still in progress, as the following are not active yet:

  • Android SDK tests
  • Sample Java tests

Run ./cryptosouple.py to get more information on how to use it.

IMPORTANT NOTICE

  • Due to 'leaky tests' from the environment and persistent variables, a python test runner was made
  • Please run make tests
    • this ensures isolated environments via gradle calls

Building From Source

  • Run make; this will build CryptoGuard and move the jar to the current directory
  • Run scans to scan all of the tests included in the source
    • There is currently a sample project for each scan type within src/test
  • Run clean to clean the entire project

Prerequisites (Environment Variables)

  1. JAVA_HOME: Point to a valid Java 8 JDK installation
    • Needed for all of the scans
  2. JAVA7_HOME: Point to a valid Java 7 JDK installation
    • Needed for project scans and Java file scans
  3. ANDROID_SDK_HOME: Point to a valid Android SDK installation
    • Needed for Android

Note

  • Run make env to verify (and set) all of these variables by following the instructions.
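An added example, not part of the CryptoGuard project or its Makefile: a POSIX shell check that reports which of the three prerequisite variables are unset and confirms JAVA_HOME really is a Java 8 JDK, since the FAQ warns that a missing variable fails silently and the scanner refuses other JRE versions. It assumes the standard `java -version` output format (first line `<vendor> version "<x.y.z>"`); the function names are mine.

```shell
#!/bin/sh
# Added example, not part of CryptoGuard: verify the environment variables the
# README lists and confirm JAVA_HOME is a Java 8 JDK, since the scanner aborts
# on other JRE versions ("JRE Version: 11 is not compatible").

# Extract the major Java version from a version string such as
# "1.8.0_292" (legacy scheme -> 8) or "11.0.2" (new scheme -> 11).
java_major_version() {
    ver=$(printf '%s' "$1" | tr -d '"')   # drop quotes from `java -version`
    case "$ver" in
        1.*) ver=${ver#1.} ;;             # legacy 1.x scheme: major follows "1."
    esac
    echo "${ver%%.*}"
}

# Return 0 when $1 is a JDK root containing an executable bin/java.
is_jdk_home() {
    [ -n "$1" ] && [ -x "$1/bin/java" ]
}

# Check the variables CryptoGuard needs; print one line per problem and
# return the number of problems found (0 means the environment is usable).
check_cryptoguard_env() {
    problems=0
    for var in JAVA_HOME JAVA7_HOME ANDROID_SDK_HOME; do
        eval "val=\${$var}"
        if [ -z "$val" ]; then
            echo "missing: $var is not set"
            problems=$((problems + 1))
        fi
    done
    if is_jdk_home "$JAVA_HOME"; then
        # `java -version` prints to stderr; its first line looks like:
        #   openjdk version "1.8.0_292"
        raw=$("$JAVA_HOME/bin/java" -version 2>&1 | head -n 1 | cut -d' ' -f3)
        major=$(java_major_version "$raw")
        if [ "$major" != "8" ]; then
            echo "wrong JDK: JAVA_HOME is Java $major, CryptoGuard needs Java 8"
            problems=$((problems + 1))
        fi
    elif [ -n "$JAVA_HOME" ]; then
        echo "invalid: JAVA_HOME=$JAVA_HOME has no executable bin/java"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: run the check and report how many problems were found.
check_cryptoguard_env || echo "$? problem(s) found; run 'make env' to fix them"
```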

Different Scanning Options

Source (Maven or Gradle Project Directory only)

  • raw command (without dependencies): java -jar cryptoguard.jar -in source -s /rootPath
  • raw command (with dependencies): java -jar cryptoguard.jar -in source -s /rootPath -d /dependencies

Note

If the project has external dependencies, first gather the dependencies under a folder that is relative to the project root (e.g., "build/dependencies").

If you have multiple subprojects with external dependencies, then you have to gather all the corresponding subproject dependencies under a path that is relative to each of the subprojects.

JAR Files

  • raw command java -jar cryptoguard.jar -in jar -s /path/to/jar/my-jar.jar

APK Files

  • raw command java -jar cryptoguard.jar -in apk -s /path/to/apk/my-apk.apk

Java Files (Currently Unstable, currently limited to Java JDK 8 by library constraint)

  • raw command java -jar cryptoguard.jar -in java -s /path/to/java/file.java
  • raw command (for files) java -jar cryptoguard.jar -in java -s /path/to/java/file1.java /path/to/java/file2.java

Java Class Files (Currently limited to Java JDK 8)

  • raw command: java -jar cryptoguard.jar -in class -s /path/to/java/file.class
  • raw command (for multiple files): java -jar cryptoguard.jar -in class -s /path/to/java/file1.class /path/to/java/file2.class

Different Scanning Options

Source/Dependencies options

  • By default, both source and dependencies expect a list of files
    • or, for source, a .in file
  • The source and dependencies can also handle a class-path-style string
    • e.g., -s ~/tester/PBEUsage.class:~/tester/UrlFrameWorks.class:~/tester/NewTestCase1.class:~/tester/NewTestCase2.class

Output options

  • Using the argument -m, you can add the identifier of one of the other output formats:

Default
  • Argument -m D
    • example command: java -jar cryptoguard.jar -in jar -s /path/to/jar/my-jar.jar -m D
  • This is a JSON file that represents a more simplified output
    • This will be iterated over time as more functionality is available

Legacy
  • Argument -m L
    • example command: java -jar cryptoguard.jar -in jar -s /path/to/jar/my-jar.jar -m L
  • This will output a txt file used within early CryptoGuard versions

Scarf XML
  • Argument -m SX
    • example command: java -jar cryptoguard.jar -in jar -s /path/to/jar/my-jar.jar -m SX
  • This will output an XML file using the scarf_v1.2.xsd used by SWAMP.
  • By using the argument -Sconfig properties.file, the properties are loaded from within that file
    • example command: java -jar cryptoguard.jar -in jar -s /path/to/jar/my-jar.jar -m SX -Sconfig properties.file

Input a single file (list of files)

  • Argument -s *.in
  • By using this argument (the file must have the .in extension), you input a single file containing all of the source input files
  • example
    • command to generate a file like this: find -type f -name '*.java' >> input.in
      • generated input.in file:
./samples/testable-jar/src/main/java/tester/UrlFrameWorks.java
./samples/testable-jar/src/main/java/tester/PasswordUtils.java
./samples/testable-jar/src/main/java/tester/Crypto.java
./samples/testable-jar/src/main/java/tester/PBEUsage.java
./samples/testable-jar/src/main/java/tester/NewTestCase2.java
./samples/testable-jar/src/main/java/tester/VeryBusyClass.java
./samples/testable-jar/src/main/java/tester/SymCrypto.java
./samples/testable-jar/src/main/java/tester/NewTestCase1.java
./samples/testable-jar/src/main/java/tester/LiveVarsClass.java
./samples/testable-jar/src/main/java/tester/PassEncryptor.java
    • command to be used with CryptoGuard: java -jar cryptoguard.jar -in java -s input.in
      • this is equivalent to java -jar cryptoguard.jar -in java -s ./samples/testable-jar/src/main/java/tester/UrlFrameWorks.java ... ./samples/testable-jar/src/main/java/tester/PassEncryptor.java
  • NOTE: This can be used with any type of input/output marshalling

Help

  • If you have any questions or suggestions, please email [email protected].
  • Please also run make help or java -jar cryptoguard.jar -h for argument help.
  • You can also look at the auto-generated USAGE.md file.

FAQ

  • There may be silent failures if any of the environment variables listed under Prerequisites are not set.
    • This can be checked by running make env

Website

  • The generated website uses a slightly modified Jekyll Hyde template under the MIT License.
  • Technology Reports
    • Gradle JUnit test reports are generated from Gradle
    • Cobertura test coverage reports are generated from Cobertura
    • Java documentation is generated from the Java sources

Disclaimer

CryptoGuard is a research prototype under GNU General Public License 3.0

Copyright © 2020 CryptoGuard

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 3.0 for more details.

You should have received a copy of the GNU General Public License 3.0 along with this program. If not, see https://www.gnu.org/licenses/gpl-3.0.html.

Reference

If you find this project useful, please cite our CCS'19 CryptoGuard paper and the thesis supporting the latest enhancements from within this fork.

@phdthesis{frantz2020enhancing,
	title={Enhancing CryptoGuard's Deployability for Continuous Software Security Scanning},
	author={Frantz, Miles},
	year={2020},
	school={Virginia Tech}
}

cryptoguard's People

Contributors: cryptoguardorg, dependabot[bot], franceme, kelloggm, lordamit, rigority, sazzad114

cryptoguard's Issues

Fix the NewTestCase 1 and 2

Within the Testable jar project, there were two new files added recently

  1. NewTestCase1
  2. NewTestCase2

These files are picked up (flagged as errors) from the Jar Scanning path, but not on the Java File or the Project Scanning path.

Remove Java jaxb for other xml handler

This is one of the two dependencies the project has to Java 1.7.

Jaxb needs to be replaced with another xml (un)marshaller (tbd).
After this only an internal library is tying this down to Java 1.7.

Update Name

Update Name of project from rigorityj -> CryptoGuard.

  • Update Consumers

Create MyBinder

Depends on #91

Create a MyBinder instance of this to aid future representations and live examples.
Since this is a Java notebook, this should follow from the path of IJava's example.

Tree Cleanse

Make this a single project gradle project.
The gradle test project included in the same project makes the building more complicated than it needs to be.

Enable dependencies

Enable dependencies from the command line for JAR/Java Class file(s) scan paths.
Includes full unit tests.

Retrieve the package version of the source

For the following project types, retrieve the source version information

  • source:mvn - pom.xml
  • source:gradle - gradle.properties/build.gradle
  • apk - manifest?
  • jar - manifest file
  • java file - "-1"
  • java class file - "-1"

CWE Defaulting

There have been instances where the CWE shows up as -1.
This should've been fixed as the potential look-up was removed.

This should be tested to ensure it's removed.

Create Website

Create a general website (located via docs) for an in-depth explanation about this.

Unit Test Issues

Several of the unit tests are failing when run via command line versus being run on Intellij.

...more details to follow...

JDK version not compatible

$ docker pull frantzme/cryptoguard
$ docker run --rm -v $PWD/testapk/com.termux_117:/temp frantzme/cryptoguard java -jar /Notebook/cryptoguard.jar -in apk -s /temp/com.termux_117.apk
Warning: Nashorn engine is planned to be removed from a future JDK release
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Warning: Nashorn engine is planned to be removed from a future JDK release
Warning: Nashorn engine is planned to be removed from a future JDK release
 INFO | 2021-12-31 02:33:15.730 | Interface.ArgumentsCheck (ArgumentsCheck.java:150) | Displaying info level logs
 INFO | 2021-12-31 02:33:16.069 | Interface.ArgumentsCheck (ArgumentsCheck.java:178) | Using the output: Default
FATAL | 2021-12-31 02:33:16.083 | Interface.ArgumentsCheck (ArgumentsCheck.java:325) | JRE Version: 11 is not compatible
==================================
Error ID: 1
Error Type: JRE Version: 11 is not compatible, please use JRE Version: 8
Error Message: 
[JRE Version: 11 is not compatible, please use JRE Version: 8]
==================================

SWAMP UnitTests

Add Unit Tests verifying SWAMP input/output works successfully.

Version/Name Properties not displayed properly

The gradle.properties file is not being loaded properly once it's shipped.

eg: running from a non-dev computer
java7 -jar CryptoGuard.jar -v
...usage: Project...

=> Should've been usage: CryptoGuard: 03.03.02

Fix Class File Scanning

The option is currently available yet marked as experimental.
The class path being populated for Soot isn't correctly working.

The class path needs to be further analyzed.

Design/Implement the std out/err

Since this is a command-line application, the standard out/standard error should be potentially implemented.
Since this was designed having all of the information piped into the results file, this functionality should be enabled via flag (argument).
The information would then be removed from the results file.

Enhance Dependencies

Ensure the dependencies are within the build.gradle and not held within the project.

Confirmation to overwrite the results file.

The consumer can choose the output for the results file.
If the file exists it is automatically overwritten without any notice to the user.

There should be an argument or a notification to the user.

Unit Tests

Add unit tests throughout the project.

Format The Code

Ensure the code is within the same code "smell", as it has been passed through several people.

Enable Java Class File Annotation Based Scanning

Scanning Java Class Files (*.class) is supported when they use a normal entry point.

public static void main(String[] args) ...

This may not be possible for Java Class Files using annotation based starts.
We need to look into the possibility of reading the Java Class Files and handling the annotation.

Some of the sample progress can be shown below.
The code listed below should not represent any progress, just experimentation using libraries and references.

The library JavaParser supports reading Java Files and parsing their structure.

Smarter Logging

Similar to #59

This involves fixing some of the more fine-grained logging.
Example picture shown below.

[image]

Cut V03.06.00 Release

Action

Items Included

  • Testing (makefile/IDE)
  • Push to master
  • Download/Test again
  • Release w/deployable

Downgrade Project to 1.7

Since one of the core extended libraries runs on JRE 1.7, all of the 1.8 features will be removed.

The project will then be run/worked with on 1.7 until the core libraries can be worked around.

Update CMDLine Library

Update the cmdline library to a newer library

It appears the one currently used isn't being updated, while another picocli is currently being updated.

Fix the empty start

When running this jar via the commandline without any arguments, it should provide the help menu.

The library for parsing the arguments fails at this step and crashes.
