Comments (9)
Hi @prabhu how are you?
Actually, inside the lexer/ folder, right in the project's root directory, there are some Go files holding all the rules.
They are divided by the technology they apply to, and there is also a lexer/core.go file, which holds all the rules that apply to any language being analyzed (most of the rules are about hardcoded credentials).
Glad to help more if you need 😄
from insider.
Also, already thinking about SARIF, the tool exports a JSON version of the report, besides the main HTML report.
Our main focus is on the Brazilian community, so you'll have to translate all the data (it is all in Portuguese).
This is an example of the format (This is a sample report of the OWASP Juice Shop project):
{
  "information": {
    "size": "31 MB",
    "numberOfLines": 146485
  },
  "vulnerabilities": [
    {
      "owaspID": "",
      "cwe": "CWE-327",
      "severity": "alta",
      "recomendation": "Credenciais não devem ser armazenadas no código ou repositório Git. Existem soluções de ‘Secrets Management’ que podem ser utilizados para armazenar segredos ou utilizar recursos da Pipeline.",
      "longMessage": "Arquivo contém informação sensível escrita diretamente, como nomes de usuário, senhas, chaves , etc.",
      "class": "/lib/insecurity.js",
      "filename": "insecurity.js (14:31)",
      "method": "const privateKey = '-----BEGIN RSA PRIVATE KEY-----\\r\\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=",
      "line": 14,
      "column": 31
    }
  ]
}
from insider.
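The comment above shows the tool's JSON report shape and mentions SARIF as a next step. Below is an added example (not part of the thread or of the insider project) that loads a report in that shape, maps it to a minimal SARIF 2.1.0 run, and redacts the secret material that the "method" field quotes verbatim, so the converted report can be stored as a CI artifact without re-leaking the credential it flagged. The severity mapping beyond "alta" and the embedded sample are assumptions.

```python
import json
import re

# Constructed sample modelled on the report shape shown in the comment above
# (the key "recomendation" is the tool's own spelling; the key is not translated).
SAMPLE_REPORT = json.dumps({
    "information": {"size": "31 MB", "numberOfLines": 146485},
    "vulnerabilities": [{
        "owaspID": "", "cwe": "CWE-327", "severity": "alta",
        "recomendation": "Credenciais não devem ser armazenadas no código ou repositório Git.",
        "longMessage": "Arquivo contém informação sensível escrita diretamente.",
        "class": "/lib/insecurity.js", "filename": "insecurity.js (14:31)",
        "method": "const privateKey = '-----BEGIN RSA PRIVATE KEY-----\\r\\nMIICXAIBAAKBgQDNwqLEe9wg...'",
        "line": 14, "column": 31,
    }],
})

# Portuguese severity -> SARIF level. Only "alta" appears in the sample report;
# the other entries are assumed, and unknown values fall back to "warning".
SEVERITY_TO_LEVEL = {"alta": "error", "media": "warning", "média": "warning", "baixa": "note"}

# Everything from a PEM private-key header onwards is secret material, not context.
SECRET_PATTERN = re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----).*", re.S)


def redact(snippet: str) -> str:
    """Keep the code context of a finding but drop the secret it quotes."""
    return SECRET_PATTERN.sub(r"\1[REDACTED]", snippet)


def to_sarif(report_json: str, tool_name: str = "insider") -> dict:
    """Convert an insider-style JSON report into a minimal SARIF 2.1.0 log."""
    report = json.loads(report_json)
    results = []
    for v in report.get("vulnerabilities", []):
        results.append({
            "ruleId": v.get("cwe") or "insider-finding",
            "level": SEVERITY_TO_LEVEL.get(v.get("severity", "").lower(), "warning"),
            "message": {"text": v.get("longMessage", "")},
            "locations": [{"physicalLocation": {
                # SARIF URIs are relative to the scanned root, so drop the leading slash.
                "artifactLocation": {"uri": v["class"].lstrip("/")},
                "region": {"startLine": v["line"], "startColumn": v["column"],
                           "snippet": {"text": redact(v.get("method", ""))}},
            }}],
        })
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": tool_name}}, "results": results}]}
```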
Thank you for pointing me towards the rulesets. Not sure how I missed them out :( Good point regarding the translation. Have to think a bit around that but glad you brought it up.
from insider.
You're welcome!
If you have any trouble integrating the tool, please reach out to us and we'll be glad to help you out :D
from insider.
Just tried it in a branch.
It appears the Linux version is not built with the correct settings, so I'm getting an error:
standard_init_linux.go:211: exec user process caused "no such file or directory"
Below is a good setting that I know works well. Perhaps the GOARCH makes a difference.
CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=amd64 go build $(BUILDFLAGS) -o insider
In addition, a parameter such as -report-path is required to specify the reports directory or file. Happy to file any subsequent changes as a separate issue.
from insider.
About the GOARCH, I forgot that I don't specify any architecture in the Makefile, since the go tool will handle it for your actual hardware architecture, sorry about that 😅
About the error itself, I don't see how I can reproduce it since I don't have any AMD-based PC lying around, maybe you can help me by describing exactly what you did please?
from insider.
Hi @prabhu,
Can you give us a status on this issue? I'm curious to know how the issue went on.
Thx
from insider.
I will close this because we didn't get any update from @prabhu.
Tks guys!
from insider.
Sorry I got a bit busy with few things. Please feel free to send a PR even if it is WIP.
from insider.