
Comments (9)

Horaddrim commented on July 18, 2024

Hi @prabhu, how are you?
Actually, inside the lexer/ folder, right in the project's root directory, there are some Go files holding all the rules.
They are divided by the technology to which they apply, and there is also a lexer/core.go file, which holds all the rules that apply to any language being analyzed (most of those rules are about hardcoded credentials).

Glad to help more if you need it 😄

from insider.

Horaddrim commented on July 18, 2024

Also, already thinking about SARIF: the tool exports a JSON version of the report, besides the main HTML report.
Our main focus is on the Brazilian community, so you'll have to translate all the data (it is all in Portuguese).

This is an example of the format (a sample report of the OWASP Juice Shop project):

{
 "information": {
  "size": "31 MB",
  "numberOfLines": 146485
 },
 "vulnerabilities": [
  {
   "owaspID": "",
   "cwe": "CWE-327",
   "severity": "alta",
   "recomendation": "Credenciais não devem ser armazenadas no código ou repositório Git. Existem soluções de ‘Secrets Management’ que podem ser utilizados para armazenar segredos ou utilizar recursos da Pipeline.",
   "longMessage": "Arquivo contém informação sensível escrita diretamente, como nomes de usuário, senhas, chaves , etc.",
   "class": "/lib/insecurity.js",
   "filename": "insecurity.js (14:31)",
   "method": "const privateKey = '-----BEGIN RSA PRIVATE KEY-----\\r\\…",
   "line": 14,
   "column": 31
  }
 ]
}

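The JSON report above already carries everything a SARIF result needs (rule identifier, severity, file, line, column, message), so the translation question raised in this thread is mostly a matter of mapping field names and severity strings. The following Go program is an added example, not code from the Insider project: it parses a report in this shape into a language-neutral struct and renders a minimal SARIF 2.1.0 log. The severity mapping treats `alta` (high, the value in the sample) as `error` and assumes `média` (medium) and `baixa` (low) for the other tiers; the `insider/unclassified` rule ID for findings without a CWE, the schema URL and the constructed sample input are also assumptions. The `method` field is deliberately dropped: for the hardcoded credential rules it contains the matched secret itself, which should not be copied into a report that is uploaded to a code-scanning service or kept as a CI artifact.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// insiderFinding mirrors one "vulnerabilities" entry; key names match the report,
// misspelled "recomendation" included. "method" is deliberately not read: for the
// credential rules it holds the matched secret, which must not land in SARIF output.
type insiderFinding struct {
	CWE            string `json:"cwe"`
	Severity       string `json:"severity"`
	Recommendation string `json:"recomendation"`
	LongMessage    string `json:"longMessage"`
	Class          string `json:"class"`
	Line           int    `json:"line"`
	Column         int    `json:"column"`
}

// Result is the language-neutral form of one finding.
type Result struct {
	RuleID, Level, URI, Message string
	Line, Column                int
}

// levels maps Insider's Portuguese severity strings to SARIF levels.
// "alta" appears in the sample; "média" and "baixa" are assumed names.
var levels = map[string]string{"alta": "error", "média": "warning", "media": "warning", "baixa": "note"}

func severityToLevel(s string) string {
	if l, ok := levels[strings.ToLower(strings.TrimSpace(s))]; ok {
		return l
	}
	return "none"
}

// Normalize parses an Insider JSON report into Results.
func Normalize(raw []byte) ([]Result, error) {
	var rep struct {
		Vulnerabilities []insiderFinding `json:"vulnerabilities"`
	}
	if err := json.Unmarshal(raw, &rep); err != nil {
		return nil, fmt.Errorf("parse insider report: %w", err)
	}
	var out []Result
	for _, v := range rep.Vulnerabilities {
		id := v.CWE
		if id == "" {
			id = "insider/unclassified" // assumed ID for findings without a CWE
		}
		out = append(out, Result{
			RuleID:  id,
			Level:   severityToLevel(v.Severity),
			URI:     strings.TrimPrefix(v.Class, "/"),
			Message: strings.TrimSpace(v.LongMessage + " " + v.Recommendation),
			Line:    v.Line,
			Column:  v.Column,
		})
	}
	return out, nil
}

// ToSARIF renders Results as a minimal SARIF 2.1.0 log: one run, one result per finding.
func ToSARIF(results []Result) ([]byte, error) {
	items := make([]map[string]any, 0, len(results))
	for _, r := range results {
		items = append(items, map[string]any{
			"ruleId":  r.RuleID,
			"level":   r.Level,
			"message": map[string]any{"text": r.Message},
			"locations": []map[string]any{{"physicalLocation": map[string]any{
				"artifactLocation": map[string]any{"uri": r.URI},
				"region":           map[string]any{"startLine": r.Line, "startColumn": r.Column},
			}}},
		})
	}
	return json.MarshalIndent(map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"version": "2.1.0",
		"runs": []map[string]any{{
			"tool":    map[string]any{"driver": map[string]any{"name": "insider"}},
			"results": items,
		}},
	}, "", "  ")
}

// sampleReport is a constructed input in the shape of the thread's example;
// the key material is a placeholder, not a real key.
const sampleReport = `{"vulnerabilities": [{
  "cwe": "CWE-327", "severity": "alta", "class": "/lib/insecurity.js", "line": 14, "column": 31,
  "recomendation": "Credenciais não devem ser armazenadas no código ou repositório Git.",
  "longMessage": "Arquivo contém informação sensível escrita diretamente.",
  "method": "const privateKey = '-----BEGIN RSA PRIVATE KEY-----PLACEHOLDER'"}]}`

func main() {
	results, err := Normalize([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	out, _ := ToSARIF(results)
	fmt.Println(string(out))
}
```

Run with `go run .`; the program prints the SARIF log for the constructed sample. The report's `filename` field (`insecurity.js (14:31)`) repeats what `class`, `line` and `column` already say, so only the latter three are used to build the SARIF location.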

prabhu commented on July 18, 2024

Thank you for pointing me towards the rulesets. Not sure how I missed them :( Good point regarding the translation. I have to think a bit about that, but glad you brought it up.


Horaddrim commented on July 18, 2024

You're welcome!
If you have any trouble integrating the tool, please reach out to us and we'll be glad to help you out :D


prabhu commented on July 18, 2024

Just tried it in a branch.

It appears the Linux version is not built with the correct settings, so I'm getting this error:

standard_init_linux.go:211: exec user process caused "no such file or directory"

Below is a good setting that I know works well. Perhaps the GOARCH makes a difference.

CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=amd64 go build $(BUILDFLAGS) -o insider

In addition, a parameter such as -report-path is required to specify the reports directory or file. Happy to file any subsequent changes as a separate issue.


Horaddrim commented on July 18, 2024

About the GOARCH, I forgot not to specify any architecture in the Makefile, since the go tool handles that for your actual hardware architecture; sorry about that 😅

About the error itself, I don't see how I can reproduce it, since I don't have any AMD-based PC lying around; maybe you can help me by describing exactly what you did, please?


htrgouvea commented on July 18, 2024

Hi @prabhu,

Can you give us a status on this issue? I'm curious to know how the issue went on.

Thanks


danilodeveloper commented on July 18, 2024

I will close this because we didn't have any update from @prabhu.
Thanks guys!


prabhu commented on July 18, 2024

Sorry, I got a bit busy with a few things. Please feel free to send a PR even if it is WIP.

