Code Auditing System Swallow Development Review

For security construction on the Party A (in-house enterprise) side, the SDL is an inseparable topic, and code audit work is part of it. At the beginning I used the editor's built-in search, then the Fortify tool, and then felt that Fortify's scanning was too slow and dragged down audit efficiency, so I thought about integrating Fortify into my own business system.

In recent years the security industry has developed rapidly, and component security products that used to be rare are now common, such as semgrep with its customizable scanning rules, and GitHub's CodeQL. With more and more tools available, opening each single tool in turn as before is not very efficient. So I wanted to build a code audit aggregation system.

Project address: https://github.com/StarCrossPortal/swallow

Overall development ideas

When I need to audit a project, I only need to store its code address in the system; the system then automatically downloads the code, calls the various code audit tools to scan it, and stores the results.

Here is part of the content: first the implementation of the underlying code scanning, then the database design, and finally the upper-layer UI.

Underlying implementation

The definition I gave swallow before development is an efficiency system: it only calls other tools, collects their results, and then aggregates and displays them. So I need to consider which tools to use.

Here I have four requirements: taint tracking, security rule retrieval, component dependency vulnerabilities, and WebShell detection.

Taint tracking

First, taint tracking. It needs to know where my program receives parameters and then where those parameters end up being executed. Not many products meet this need; the well-known ones are Fortify and Checkmarx. Here I chose to call the Fortify code audit system.


Rule retrieval

Some business-related vulnerabilities may require writing corresponding inspection rules, so you need a code scanner whose rules are easy to customize. There are two choices: semgrep and CodeQL. I personally find semgrep easier to use, so I chose it.


Component vulnerability

Component vulnerability scanning mainly solves the problem that project A depends on project B, and project B has a vulnerability. There are many such tools on the market now; I chose Murphy.

WebShell

The WebShell scan mainly addresses the situation where a Trojan may be hidden among a large number of code files; it uses the Hippo webshell detection tool.

With these four tools I can carry out a fairly comprehensive inspection of the code, but I still need to sort out the overall interaction logic and the data format. To simplify this, I directly use the layout system of the Dragonfly platform. This way I hardly need to write any data-interaction code: I just drag and drop the nodes visually and then keep an eye on the state of each node.

For data I can directly use the database components in the Dragonfly Security Workbench, which cover adding, deleting, modifying and querying data.

Database Design

I adopted the least troublesome approach to database design. First I need a table to store Git repository addresses, so I created a git_add table. The system also needs some configuration, so I created a project_conf table, as shown in the figure below.

Next I need to store the results of the four tools, so at first I created four result tables, but later found that five tables fit better, as shown in the figure below.

This is because Murphy's scan results are slightly different: their structure is a two-dimensional array, which is not convenient for database retrieval, so I split Murphy's table structure into two, giving it two tables.
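To make the "split into two tables" decision concrete, here is an added example (not swallow's own schema or code, and not Murphy's real output format) using SQLite: a git_add table, a project_conf table, and the nested component-to-vulnerabilities result flattened into a component table plus a vulnerability table, so that a single SQL query can answer "which components of this project carry a critical finding" or "which stored repositories depend on a given component". The column names, the sample result structure, and the component and vulnerability identifiers are all constructed for the example.

```python
import sqlite3

# Constructed sample of a Murphy-style result: one row per dependent
# component, each holding a list of vulnerabilities (a two-dimensional
# structure). Field names and identifiers are assumptions for this example.
MURPHY_RESULT = [
    {"component": "lib-alpha", "version": "1.4.1",
     "vulns": [{"id": "VULN-PLACEHOLDER-1", "severity": "critical"},
               {"id": "VULN-PLACEHOLDER-2", "severity": "high"}]},
    {"component": "lib-beta", "version": "0.9.0",
     "vulns": [{"id": "VULN-PLACEHOLDER-3", "severity": "critical"}]},
    {"component": "lib-gamma", "version": "2.0.3", "vulns": []},
]

SCHEMA = """
CREATE TABLE git_add (
    id      INTEGER PRIMARY KEY,
    git_url TEXT NOT NULL UNIQUE
);
CREATE TABLE project_conf (
    id         INTEGER PRIMARY KEY,
    conf_key   TEXT NOT NULL UNIQUE,
    conf_value TEXT NOT NULL
);
-- The nested result is split in two: one row per component, and one row
-- per vulnerability pointing back at its component.
CREATE TABLE murphy_component (
    id         INTEGER PRIMARY KEY,
    project_id INTEGER NOT NULL REFERENCES git_add(id),
    name       TEXT NOT NULL,
    version    TEXT NOT NULL
);
CREATE TABLE murphy_vuln (
    id           INTEGER PRIMARY KEY,
    component_id INTEGER NOT NULL REFERENCES murphy_component(id),
    vuln_id      TEXT NOT NULL,
    severity     TEXT NOT NULL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_project(conn, git_url):
    cur = conn.execute("INSERT INTO git_add (git_url) VALUES (?)", (git_url,))
    return cur.lastrowid


def store_murphy_result(conn, project_id, result):
    """Flatten the nested result into the two tables; returns (components, vulns) counts."""
    n_vulns = 0
    for comp in result:
        cur = conn.execute(
            "INSERT INTO murphy_component (project_id, name, version) VALUES (?, ?, ?)",
            (project_id, comp["component"], comp["version"]))
        comp_id = cur.lastrowid
        for v in comp["vulns"]:
            conn.execute(
                "INSERT INTO murphy_vuln (component_id, vuln_id, severity) VALUES (?, ?, ?)",
                (comp_id, v["id"], v["severity"]))
            n_vulns += 1
    conn.commit()
    return len(result), n_vulns


def components_with_severity(conn, project_id, severity):
    """Query the flat layout makes easy: components of a project with a finding of this severity."""
    return conn.execute(
        """SELECT DISTINCT c.name, c.version
           FROM murphy_component c JOIN murphy_vuln v ON v.component_id = c.id
           WHERE c.project_id = ? AND v.severity = ?
           ORDER BY c.name""", (project_id, severity)).fetchall()


def projects_using_component(conn, name):
    """Cross-project lookup: every stored repository that depends on the named component."""
    rows = conn.execute(
        """SELECT DISTINCT g.git_url FROM git_add g
           JOIN murphy_component c ON c.project_id = g.id
           WHERE c.name = ? ORDER BY g.git_url""", (name,)).fetchall()
    return [r[0] for r in rows]


def demo():
    conn = open_db()
    pid = add_project(conn, "https://example.com/org/demo-app.git")
    counts = store_murphy_result(conn, pid, MURPHY_RESULT)
    crit = components_with_severity(conn, pid, "critical")
    users = projects_using_component(conn, "lib-beta")
    return counts, crit, users


if __name__ == "__main__":
    print(demo())
```

The second query is the one a stored two-dimensional blob could not answer without unpacking every row in application code: once a new advisory lands for a component, the flat layout lets the system list every repository that pulls it in.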

Front-end UI

For the front-end UI I originally wanted to use the Element UI framework, but this project is developed by me alone and is relatively simple, so applying a template directly was more convenient.

So it was developed with Bootstrap 5 combined with ThinkPHP 6.

The screenshots are as follows.

Add a repository

I won't cover the installation process; I'll just record how to use it and what it looks like.

First, find the Add button in the repository list, paste the Git repository address into it, and it will be added to the list automatically.

As shown in the figure above, multiple repositories can be added at once, one repository address per line.
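Since the address pasted into this form is what the system later hands to git clone, the intake step is where the input should be checked. The following is an added example (not swallow's own code) of parsing the one-address-per-line text, accepting only https URLs and scp-style ssh addresses (an assumed policy), rejecting blank, duplicate, option-like or whitespace-containing lines, and building the clone command as an argument list with `--` so git never interprets the address as an option. The sample input is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this example: scp-style ssh addresses (git@host:org/repo.git)
# and http(s) URLs with a non-empty path are accepted; everything else is rejected.
_SSH_RE = re.compile(r"^[A-Za-z0-9_.-]+@[A-Za-z0-9.-]+:[A-Za-z0-9_./-]+$")


def validate_repo_address(addr):
    """Return (ok, reason). Rejects anything git could read as an option or a local path."""
    addr = addr.strip()
    if not addr:
        return False, "empty"
    if addr.startswith("-"):
        return False, "looks like a command-line option"
    if any(ch.isspace() or ord(ch) < 32 for ch in addr):
        return False, "contains whitespace or control characters"
    if _SSH_RE.match(addr):
        return True, "ssh"
    parts = urlsplit(addr)
    if parts.scheme in ("https", "http") and parts.netloc and parts.path not in ("", "/"):
        return True, parts.scheme
    return False, "unsupported scheme or no repository path"


def parse_repo_list(text):
    """Split the textarea content one address per line; returns (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        addr = raw.strip()
        if not addr:
            continue  # blank lines are simply skipped
        ok, reason = validate_repo_address(addr)
        if not ok:
            rejected.append((lineno, addr, reason))
        elif addr not in seen:  # duplicates are added only once
            seen.add(addr)
            accepted.append(addr)
    return accepted, rejected


def clone_argv(addr, dest_dir):
    """Build the git command as an argv list; the '--' ends option parsing before the address."""
    ok, _ = validate_repo_address(addr)
    if not ok:
        raise ValueError("refusing to clone an unvalidated address")
    return ["git", "clone", "--depth", "1", "--", addr, dest_dir]


# Constructed sample of what a user might paste into the Add form.
SAMPLE_INPUT = """\
https://example.com/org/app-one.git
git@example.com:org/app-two.git

https://example.com/org/app-one.git
--version
file:///etc
"""

if __name__ == "__main__":
    accepted, rejected = parse_repo_list(SAMPLE_INPUT)
    for a in accepted:
        print(clone_argv(a, "/tmp/work/" + a.rsplit("/", 1)[-1]))
    for lineno, addr, reason in rejected:
        print(f"line {lineno} rejected ({reason}): {addr}")
```

Passing the argv list to subprocess.run rather than joining it into a shell string keeps the address from being re-parsed by a shell, and the explicit `--` is what protects the call if the validation regexes are ever loosened.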

View dependency vulnerabilities

View WebShell

View dependent components

Author: Tang Qingsong

Date: 2023-04-03


Source: blog.csdn.net/u013431141/article/details/129925386