OWASP / glue

Application Security Automation

Documentation for --findings-file please #169

Closed arthurakay closed 5 years ago

arthurakay commented 5 years ago

https://github.com/OWASP/glue/blob/eb8f375f6e8403bafa42e2f73266394c8570ffb2/lib/glue/options.rb#L311

I'm using Docker to run the following command:

docker run --rm --name=Glue -v $(pwd):/tmp/triage owasp/glue --finding-file finding_ignore.json  -t retirejs -t nodesecurityproject -t sfl -f teamcity --teamcity-min-level 1 /tmp/triage

Glue appears to run, but it's either not ignoring the files I have in finding_ignore.json or I have it formatted incorrectly. To be clear, I want the findings of SFL ignored for these files, but not necessarily the other tools. Do I misunderstand how this should work?

{
    "ssl/ssl-cert-host.key": "ignore"
}

Which is a self-signed certificate for local development (not something that gets deployed to production). /ssl/ is a folder at the root of my project.

arthurakay commented 5 years ago

I figured it out... the file was being picked up, but needed to be in the format:

{
    "fingerprint_hash": "ignore"
}

arthurakay commented 5 years ago

Actually, I take that back... my scan still isn't ignoring the files with the TeamCity reporter.

Here's the full output:

[12:56:40] [Step 5/5] Status: Downloaded newer image for owasp/glue:latest
[12:56:40] [Step 5/5] docker run --rm --name=Glue \
[12:56:40] [Step 5/5] -v /opt/buildAgent/work/1234567890:/tmp/triage owasp/glue \
[12:56:40] [Step 5/5] -t retirejs \
[12:56:40] [Step 5/5] -t nodesecurityproject \
[12:56:40] [Step 5/5] -t sfl \
[12:56:40] [Step 5/5] -f teamcity --teamcity-min-level 1 \
[12:56:40] [Step 5/5] --exclude node_modules \
[12:56:40] [Step 5/5] --finding-file-path glue_ignore.json \
[12:56:40] [Step 5/5] --debug \
[12:56:40] [Step 5/5] /tmp/triage \
[12:56:40] [Step 5/5]
[12:56:41] [Step 5/5] Loading scanner...
[12:56:41] [Step 5/5] Logfile nil?
[12:56:41] [Step 5/5] calling scan
[12:56:41] [Step 5/5] Running scanner
[12:56:41] [Step 5/5] Mounting ... /tmp/triage
[12:56:41] [Step 5/5] Mounting target: /tmp/triage
[12:56:41] [Step 5/5] Checking about mounting /tmp/triage with #
[12:56:41] [Step 5/5] In Docker mounter, target: /tmp/triage became: /triage ... wondering if it matched .docker
[12:56:41] [Step 5/5] Checking about mounting /tmp/triage with #
[12:56:41] [Step 5/5] Mounting /tmp/triage with #
[12:56:41] [Step 5/5] Mounted /tmp/triage with #
[12:56:41] [Step 5/5] Processing target.../tmp/triage
[12:56:41] [Step 5/5] Running tasks in stage: wait
[12:56:41] [Step 5/5] Running tasks in stage: mount
[12:56:41] [Step 5/5] Running tasks in stage: file
[12:56:41] [Step 5/5] Running tasks in stage: code
[12:56:42] [Step 5/5] code - NodeSecurityProject - #
[12:56:42] [Step 5/5] no implicit conversion of Set into Array
[12:56:42] [Step 5/5] code - RetireJS - #
[12:56:42] [Step 5/5] no implicit conversion of Set into Array
[12:56:42] [Step 5/5] code - SFL - #
[12:56:42] [Step 5/5] SFL
[12:56:42] [Step 5/5] Found 2750 files
[12:56:42] [Step 5/5] Running tasks in stage: live
[12:56:42] [Step 5/5] Running tasks in stage: done
[12:56:42] [Step 5/5] Starting Contrast Severity Filter
[12:56:42] [Step 5/5] Minimum:
[12:56:42] [Step 5/5] No minimum found, skipping filter.
[12:56:42] [Step 5/5] Have 9 items pre ZAP filter.
[12:56:42] [Step 5/5] Have 9 items post ZAP filter.
[12:56:42] [Step 5/5] Report failed tests for each finding with severity equal or above Low
[12:56:42] [Step 5/5] SFL
[12:56:42] [SFL] 1234567890
[12:56:42] [1234567890] [Test Error Output] Source: SFL:/tmp/triage/src/utils/PasswordExpirationCheck.spec.ts Details:
[12:56:42] [1234567890] Severity Low
[12:56:42] [1234567890] Contains word: password
[12:56:42] [Step 5/5] Failed tests detected
... more lines like this

glue_ignore.json

{
    "1234567890": "ignore"
}

arthurakay commented 5 years ago

Apologies on the back-and-forth 🔥 but I DID correct my script. I'll open a PR to improve documentation on this but... here's my final script:

docker pull owasp/glue
docker run --rm --name=Glue \
    -v "$(pwd)":/tmp/triage owasp/glue \
    -t sfl \
    --exclude node_modules \
    --finding-file-path /tmp/triage/glue_ignore.json \
    --debug \
    /tmp/triage

And my glue_ignore.json

{
  "ffffff3fa0d83d169dfcd84141bc8c03598a3169b7a3c8a24b73bf9535ffffff": "ignore",
  "aaaaaace84f34e6807a9614bfe3ec13bfed24343d4da91f011f45aa8f1aaaaaa": "ignore",
  "ccccccb862731c42b16d621598de09516352862c7bf2da5a68bafc4c5dadadad": "ignore"
}

It is successfully ignoring things now!
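As an added illustration of the finding-file format this thread settles on (example code written here, not Glue's own filter): the keys are finding fingerprints, not file paths, so a path-style key like the one in the first comment matches nothing and the finding still fails the build. The snippet loads a constructed ignore file, flags keys that do not have the 64-hex-character shape of the fingerprints above, and applies the list to a constructed set of findings.

```ruby
require 'json'
require 'set'

# Constructed ignore file in the format that worked above: fingerprint => "ignore".
# The second key mirrors the first attempt in this thread and will never match.
IGNORE_JSON = <<~JSON
  {
    "ffffff3fa0d83d169dfcd84141bc8c03598a3169b7a3c8a24b73bf9535ffffff": "ignore",
    "ssl/ssl-cert-host.key": "ignore"
  }
JSON

# Constructed findings; a real Glue finding carries more fields, but only
# :fingerprint matters for the ignore list. 'b' * 64 is a made-up fingerprint.
FINDINGS = [
  { task: 'SFL', severity: 'Low', source: 'SFL:/tmp/triage/ssl/ssl-cert-host.key',
    fingerprint: 'ffffff3fa0d83d169dfcd84141bc8c03598a3169b7a3c8a24b73bf9535ffffff' },
  { task: 'SFL', severity: 'Low', source: 'SFL:/tmp/triage/src/utils/PasswordExpirationCheck.spec.ts',
    fingerprint: 'b' * 64 }
].freeze

# Parse the ignore file and return only the fingerprints whose action is "ignore";
# any other value leaves the finding in the report.
def load_ignored_fingerprints(json_text)
  entries = JSON.parse(json_text)
  raise ArgumentError, 'ignore file must be a JSON object' unless entries.is_a?(Hash)
  entries.select { |_fp, action| action == 'ignore' }.keys
end

# Keys that are not 64 hex characters cannot be fingerprints (a path, a typo);
# surface them so a silently useless ignore entry is noticed at review time.
def suspicious_keys(fingerprints)
  fingerprints.reject { |fp| fp.match?(/\A\h{64}\z/) }
end

# Drop findings whose fingerprint is on the ignore list and return the rest.
def apply_ignore_list(findings, fingerprints)
  ignored = fingerprints.to_set
  findings.reject { |f| ignored.include?(f[:fingerprint]) }
end

if __FILE__ == $PROGRAM_NAME
  fps = load_ignored_fingerprints(IGNORE_JSON)
  suspicious_keys(fps).each { |k| warn "ignore key does not look like a fingerprint: #{k}" }
  apply_ignore_list(FINDINGS, fps).each { |f| puts "#{f[:severity]} #{f[:source]}" }
end
```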

omerlh commented 5 years ago

Happy to hear so, and sorry that it wasn't that clear :) Looking forward to see the PR!
