This repository has been archived by the owner on Nov 28, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 953
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #555 from wufeifei/develop
Released v2.0.0-alpha.2
- Loading branch information
Showing
30 changed files
with
269 additions
and
446 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
Cobra Changelog | ||
=============== | ||
|
||
Here you can see the full list of changes between each Cobra release. | ||
|
||
Version 2.0.0-alpha.2 | ||
--------------------- | ||
|
||
Released on Sep 06 2017 | ||
|
||
- 修复上传非支持的后缀提示 | ||
- 修复VirtualEnv环境下无法执行 | ||
- 修复grep/find路径位置变动 | ||
- 优化日志等级 | ||
- 优化Docker下路径错误 | ||
- 优化耗时计算 | ||
- 其它细节优化和Bug修复 | ||
|
||
Version 2.0.0-alpha.1 | ||
--------------------- | ||
|
||
Released on Sep 05 2017 | ||
|
||
内测正式版本 | ||
|
||
- 简化安装和使用成本 | ||
- 增加CLI模式 | ||
- 开源扫描规则 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
FROM ubuntu:xenial | ||
|
||
COPY . /code/ | ||
WORKDIR /code | ||
|
||
RUN apt-get update && apt-get install -y python-pip curl \ | ||
&& apt-get autoremove \ | ||
&& apt-get clean \ | ||
&& apt-get autoclean \ | ||
&& pip install -r requirements.txt \ | ||
&& cp config.template config | ||
|
||
EXPOSE 5000 | ||
CMD ["python", "cobra.py", "-H", "0.0.0.0", "-P", "5000"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,11 +1,13 @@ | ||
#!/usr/bin/python | ||
|
||
#!/usr/bin/env python | ||
# -*- coding: utf-8 -*- | ||
|
||
import re | ||
import sys | ||
|
||
from cobra import main | ||
|
||
|
||
if __name__ == '__main__': | ||
sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0]) | ||
sys.exit(main()) | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,7 +7,7 @@ | |
__issue_page__ = 'https://github.com/wufeifei/cobra/issues/new' | ||
__python_version__ = sys.version.split()[0] | ||
__platform__ = platform.platform() | ||
__version__ = '2.0.0-alpha' | ||
__version__ = '2.0.0-alpha.2' | ||
__author__ = 'Feei' | ||
__author_email__ = '[email protected]' | ||
__license__ = 'MIT License' | ||
|
@@ -22,10 +22,10 @@ | |
Cobra is a static code analysis system that automates the detecting vulnerabilities and security issue.""".format(version=__version__) | ||
__epilog__ = """Usage: | ||
{m} -t {td} | ||
{m} -t {td} -r cvi-190001,cvi-190002 | ||
{m} -t {td} -f json -o /tmp/report.json | ||
{m} -t {tg} -f json -o [email protected] | ||
{m} -t {tg} -f json -o http://push.to.com/api | ||
sudo {m} -H 127.0.0.1 -P 80 | ||
""".format(m='./cobra.py', td='tests/vulnerabilities', tg='https://github.com/ethicalhack3r/DVWA') | ||
python {m} -t {td} | ||
python {m} -t {td} -r cvi-190001,cvi-190002 | ||
python {m} -t {td} -f json -o /tmp/report.json | ||
python {m} -t {tg} -f json -o [email protected] | ||
python {m} -t {tg} -f json -o http://push.to.com/api | ||
sudo python {m} -H 127.0.0.1 -P 80 | ||
""".format(m='cobra.py', td='tests/vulnerabilities', tg='https://github.com/ethicalhack3r/DVWA') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,10 @@ | ||
# -*- coding: utf-8 -*- | ||
|
||
""" | ||
cobra | ||
~~~~~ | ||
CVE | ||
~~~ | ||
Implements cobra main | ||
Implements CVE Rules Parser | ||
:author: BlBana <[email protected]> | ||
:homepage: https://github.com/wufeifei/cobra | ||
|
@@ -241,9 +242,9 @@ def log_result(self): | |
for cve_child in self._scan_result[module_]: | ||
cve_id = cve_child | ||
level = self._scan_result[module_][cve_id] | ||
logger.warning('Find the module ' + module_ + ' have ' + cve_id + ',level: ' + level) | ||
logger.debug('Find the module ' + module_ + ' have ' + cve_id + ',level: ' + level) | ||
count = len(self._scan_result[module_]) | ||
logger.warning('The ' + module_ + ' module have ' + str(count) + ' CVE Vul(s)') | ||
logger.debug('The ' + module_ + ' module have ' + str(count) + ' CVE Vul(s)') | ||
|
||
def get_scan_result(self): | ||
return self._scan_result | ||
|
@@ -337,7 +338,7 @@ def store(results): | |
for module_ in results[0]: | ||
for cve_id, cve_level in results[0][module_].items(): | ||
cve_path = results[1] | ||
cve_vul = parse_math(cve_path, cve_id, cve_level, module_) | ||
cve_vul = parse_math(cve_path, cve_id, cve_level, module_, target_directory) | ||
cve_vuls.append(cve_vul) | ||
else: | ||
logger.debug('[SCAN] [STORE] Not found vulnerabilities on this rule!') | ||
|
@@ -371,11 +372,12 @@ def scan_single(target_directory, cve_path): | |
return cve.get_scan_result(), cve_path | ||
|
||
|
||
def parse_math(cve_path, cve_id, cve_level, module_): | ||
def parse_math(cve_path, cve_id, cve_level, module_, target_directory): | ||
flag = 0 | ||
file_path = 'unkown' | ||
mr = VulnerabilityResult() | ||
module_name, module_version = module_.split(':') | ||
cvi = cve_path.lower().split('cvi-')[1][:6] | ||
rule_name = '引用了存在漏洞的三方组件' | ||
if cve_level == 'LOW': | ||
cve_level = 2 | ||
|
||
|
@@ -385,13 +387,37 @@ def parse_math(cve_path, cve_id, cve_level, module_): | |
elif cve_level == 'HIGH': | ||
cve_level = 8 | ||
|
||
mr.language = cve_id | ||
for root, dirs, filenames in os.walk(target_directory): | ||
for filename in filenames: | ||
if filename == 'pom.xml' and flag != 2: | ||
file_path = os.path.join(root, filename) | ||
file_path = file_path.replace(target_directory, '') | ||
flag = 1 | ||
|
||
elif filename == 'requirements.txt' and flag != 1: | ||
file_path = os.path.join(root, filename) | ||
file_path = file_path.replace(target_directory, '') | ||
flag = 2 | ||
|
||
if flag != 0: | ||
mr.file_path = file_path | ||
|
||
else: | ||
mr.file_path = 'unkown' | ||
mr.language = '*' | ||
mr.id = cvi | ||
mr.rule_name = rule_name | ||
mr.rule_name = cve_id | ||
mr.level = cve_level | ||
mr.file_path = module_name | ||
mr.line_number = 1 | ||
mr.analysis = 'Dependencies Matched(依赖匹配)' | ||
mr.code_content = module_name + ':' + module_version | ||
mr.solution = """ | ||
三方依赖**""" + module_name + """:""" + module_version + """**存在CVE漏洞,CVE漏洞编号为: **""" + cve_id + """** | ||
## 安全风险 | ||
## 安全修复 | ||
请根据对应厂商公告,及时更新三方依赖至安全版本 | ||
""" | ||
|
||
logger.debug('[CVE {i}] {r}:Find {n}:{v} have vul {c} and level is {l}'.format(i=mr.id, r=mr.rule_name, | ||
n=mr.file_path, v=mr.line_number, | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,10 @@ | ||
# -*- coding: utf-8 -*- | ||
|
||
""" | ||
cobra | ||
~~~~~ | ||
dependencies | ||
~~~~~~~~~~~~ | ||
Implements cobra main | ||
Implements Dependencies Check | ||
:author: BlBana <[email protected]> | ||
:homepage: https://github.com/wufeifei/cobra | ||
|
Oops, something went wrong.