
Comments (6)

Nfsaavedra avatar Nfsaavedra commented on September 18, 2024 1

Hi @barek2k2!

First of all, I'm not sure the program you provided is a valid Ansible program, I think it should be:

---
- name: create an app with full permission
  file:
    path: /app
    owner: foo
    group: foo
    mode: "0775"

since a script is either a playbook or a tasks/vars file. If it is a tasks/vars file, I think it needs to be in a YAML list, but correct me if I'm wrong. If I am, then we need to fix it in GLITCH since right now it only supports files in this format.

The next thing is that GLITCH only detects a Full permission to the filesystem smell for 0777. We can argue that 0775 is also dangerous, but allowing all permissions for the group of the file is definitely not as dangerous as for every user. Maybe we should have a configuration to change that.

For this script, GLITCH has the expected behavior:

---
- name: create an app with full permission
  file:
    path: /app
    owner: foo
    group: foo
    mode: "0777"

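An added example, not GLITCH's own code, that implements the rule described in the comment above: flag an Ansible task whose `mode` is 0777 as "Full permission to the filesystem", with an opt-in setting that also flags modes giving the group full rwx access (such as 0775), which is the configurable variant the comment suggests. The list of modules inspected beyond `file` and the sample tasks are assumptions constructed for the example.

```python
"""Detect the 'Full permission to the filesystem' smell in Ansible tasks.

Tasks are given as already-parsed YAML (a list of dicts), so the example
runs without a YAML library. Assumption: these are the modules whose
`mode` argument sets filesystem permissions.
"""
MODE_MODULES = {
    "file", "copy", "template",
    "ansible.builtin.file", "ansible.builtin.copy", "ansible.builtin.template",
}


def normalise_mode(value):
    """Return the permission bits as an int, or None if not recognised.

    Accepts the quoted form used in the thread ("0777", "775", "0o755") and an
    int that a YAML 1.1 parser produces for an unquoted `mode: 0777` (0o777).
    Symbolic modes such as "u=rwx,g=rx" are out of scope and yield None.
    """
    if value is None or isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value & 0o7777
    s = str(value).strip()
    if s.startswith("0o"):
        s = s[2:]
    if 3 <= len(s) <= 4 and all(c in "01234567" for c in s):
        return int(s, 8)
    return None


def check_tasks(tasks, flag_group_rwx=False):
    """Return (task name, message) pairs for every smelly mode found."""
    findings = []
    for task in tasks:
        for module, args in task.items():
            if module not in MODE_MODULES or not isinstance(args, dict):
                continue
            bits = normalise_mode(args.get("mode"))
            if bits is None:
                continue
            perm = bits & 0o777
            if perm == 0o777:
                findings.append((task.get("name"), "Full permission to the filesystem (0777)"))
            elif flag_group_rwx and perm & 0o070 == 0o070:
                findings.append((task.get("name"), "group has full permission (%04o)" % perm))
    return findings


SAMPLE_TASKS = [  # constructed; the first two mirror the thread's snippets
    {"name": "create an app with full permission",
     "file": {"path": "/app", "owner": "foo", "group": "foo", "mode": "0777"}},
    {"name": "create an app with group permission",
     "file": {"path": "/app", "owner": "foo", "group": "foo", "mode": "0775"}},
    {"name": "install config", "ansible.builtin.copy": {"src": "app.conf", "dest": "/app/app.conf", "mode": "0644"}},
    {"name": "unquoted octal", "file": {"path": "/tmp/x", "mode": 0o777}},
    {"name": "symbolic mode", "file": {"path": "/srv", "mode": "u=rwx,g=rx,o=rx"}},
    {"name": "not a file module", "debug": {"msg": "mode: 0777"}},
]

if __name__ == "__main__":
    for name, msg in check_tasks(SAMPLE_TASKS, flag_group_rwx=True):
        print(f"{name}: {msg}")
```

Quoting the mode as a string, as the corrected playbook above does, is what makes the value unambiguous; an unquoted `0777` depends on the YAML parser's octal handling.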

barek2k2 avatar barek2k2 commented on September 18, 2024

Thank you for the clarification. I initially used a sample YAML file, but your corrected version for Ansible works perfectly. Could you please provide me a comprehensive sample YAML file that includes all the code smells? It would be very helpful for fully understanding the rules, such as what to write in the YAML file, which key names to use, etc. I really appreciate your kind help.


Nfsaavedra avatar Nfsaavedra commented on September 18, 2024

No problem! You can find a list of YAML files for each code smell here:
https://github.com/sr-lab/GLITCH/tree/d60f2be9c33a7f3ee13a67717907061f62c399ea/glitch/tests/security/ansible/files
https://github.com/sr-lab/GLITCH/tree/d60f2be9c33a7f3ee13a67717907061f62c399ea/glitch/tests/design/ansible/files

We use these for testing. Similarly, there are samples for the other technologies supported.

Additionally, this work is the result of academic work and there is a paper that describes the rules in GLITCH. At the moment, the paper does not have the rules for all the supported code smells, but it has for some. You can check Table 3 of the paper; it is a bit formal, but it's good to get an idea of the rules.
https://arxiv.org/pdf/2205.14371.pdf


Nfsaavedra avatar Nfsaavedra commented on September 18, 2024

You can also check the default configuration of GLITCH:
https://github.com/sr-lab/GLITCH/blob/main/glitch/configs/default.ini
It gives you an idea of the keywords used.


barek2k2 avatar barek2k2 commented on September 18, 2024

Awesome! It really helps. I have read your paper, the idea is promising! I am also a PhD student and I think I am gonna cite your paper in my upcoming papers :-) Thanks again.


Nfsaavedra avatar Nfsaavedra commented on September 18, 2024

Thanks! And that's good to know :D If you have any more questions feel free! Also, if you have any ideas on which you would like to collaborate, send me an e-mail!
